Jarvee vs IG mouse movement detection

Ok that’s interesting, but does it include mouse events ?

I actually just went through instagram code and found clear evidence that they log mouse actions, among many other things (IOS jailbroken devices, Sim card network, mouse position and clicks, emulators, etc )

I am actually going to make a new topic on this soon, as I find it very interesting piece of information .

So no, it’s not bluff at all what they state in their data policy about recording mouse events and they don’t even try to hide it , all the fingerprints are explicitly mentioned in their js files .

Those are the events that you call “mouse events”, Yes.

image

And they are probably used for machine learning purposes.

Well that doesn’t have anything to do with mouse events , you can find some reverse engineering of the logging_client_events functions in github and these are logs at a much more basic level .

Mouse events are logged by javascript on browsers . On Android and IOS all the deeper logging is done by java (android) and objc (IOS) .

Here’s the github for the client events logging functions :slightly_smiling_face:

The client logging events are periodically (every few mins) sent to Instagram and they contain basic information such as the app version / id, current app state, device status, date / time, storage info etc .
I think IG used to send the mouse coordinates / clicks info on this post request every few seconds but it no longer seems to be the case :

Here’s all the info that goes in the post request :

Furthermore, the client_logging_events has been previously implemented in other automation software, this goes back to 2018 so it’s not true that this is some kind of revolutionary anti bot detection measure by jarvee … And as you said yourself, adblockers block this so it would be imprudent for IG to block actions based on that factor alone (although it’s more than likely to add up to the trust score)

1 Like

It doesn’t matter if it’s javascript code. If you reverse engineer the POST-Request and look up which data they are sending you are behaving like a real phone.

I also have the assumption, that they are using it mostly for tracking purposes, for testing how the user is behaving, which feature the user likes, which not. Online marketers would love to have the data, Instagram is getting on User-Behavior. Mouse-Heatmaps etc. And only secondary to detect bots.

3 Likes

Yes right, the post request can ofcourse send the mouse coordinates in that exact moment but it’s not really the same as tracking mouse movement continuously , as anyone can fake that easily if all you are doing is sending a post request with the coordinates every few seconds . There’s better ways to do that for bot detection purposes

But the post request doesn’t actually contain any mouse data as of today I think , so either they aren’t tracking it at all or they are doing it some other way .

It’s hard to believe that faking the client logging events request would be enough to circumvent IG bot detection algorithm as this was already talked and implemented long time ago before the update happened , and I’m pretty sure it was implemented on multiple automation softwares .

You could ofcourse be right in your assumptions that this data is only being used for user behavior analysis :slight_smile:

But then please try to explain this :

I have tried chrome extensions such as growbot which use the browser Instagram session to automate actions and got blocks all the time after just a few events .

Went ahead and made my own custom browser automation using real mouse movement and once I started using that I got 0 blocks , the difference was night and day !

Sure enough since I’m using a real browser all the client_logging_events are being sent to IG on both situations, yet the bot which didn’t use mouse events was easily blocked , where my bot mymicing real mouse movement wasn’t …

Look at the sourcecode from growbot: although it’s a browser plugin, they are sending requests manually using ajax. Pretty sure this is not best practise and they are missing some stuff out in the header.

 $.ajax({
                url: 'https://www.instagram.com/web/friendships/' + acct.id + '/follow/',
                method: 'POST',
                beforeSend: function(xhr) {
                    xhr.setRequestHeader('x-csrftoken', user.csrf_token);
                    xhr.setRequestHeader('x-instagram-ajax', '1');
                }
            })
            .done(function() {

                acctsProcessed.push(acct);
                actionsTaken++;
                addStamp(acct.id, 'stamp-div-green', 'followed');
                addToAttempted(acct);

                waitTime = getRandomizedTime(gblOptions.timeDelay);

                outputMessage('Followed ' + acct.username + ' (' + acct.id + ') | ' + acctsProcessed.length + ' processed;  waiting  ' + (waitTime / 1000) + ' seconds to follow ' + acctsQueueNextUsername);
                setTimeout(ajaxFollowAll, waitTime);

                if (document.getElementById('cbFollowLikeLatestPics').checked == true) {
                    ajaxLoadUsersMedia('', false, usersMediaLoaded, acct.id);
                }

            })

This is the part, they are using for following. And as you see they are not using the UI they are using a API-Endpoint for following actions and this in a crucial way. A better practice especially for a browser Plugin would be button clicking, using javascript events.

EDIT: You don’t need to simulate mousemovement, all you have to do is simulate button clicking.

1 Like

That’s why I recommend using proper bots like Jarvee, that already have those features implemented…