This userscript is a example of how the iClicker web application can be exploited, allowing for the following things:
- automatically joining a session
- not being in the session location
- having poll questions be answered automatically
I am in no way responsible for however this is used. If you use it for nefarious reasons, that is completely your own fault and you will have to face the consequences.
This was built for educational purposes only.
- Location spoofing
- Posts dummy geo location data to iClicker servers, in which they return with the session location, in latitude and longitude. Stores that session location in local storage for later so it doesn't have to double fetch every time, and it now will post that data to iClicker servers, allowing the user to join the session from another location.
- Auto joining of sessions
- Senses whenever a session has been started, and joins the session.
- Auto answering of poll questions
- Senses whenever a poll question has been started, waits a certain amount of time set in a constant variable, then chooses a random answer from the array of choices in the script.
This has only been tested on Google Chrome.
This script is supposed to be thrown into a userscript extension. My favorite is Violentmonkey, but any other popular one should work.
From there, there is not much setup besides if you would like to change the constants I have in the script (possible answers, delays).
This script takes advantage of the Angular API, specifically the injector method. It allows for the altering of the existent functions and methods for certain services, allowing for the custom behavior described above.
By reading through the minified code of the iClicker app. I searched until I found the services and the methods that I needed to mess with.
I was inspired to do this because I couldn't get into a session, when I was in the right location. Once I saw that the iClicker app shows you your session's location when you "aren't" in the right location, I got curious. Sure enough, iClicker just sends the exact location of the session. How nice of them :)
- When joining a session, error message appears saying something about location
- I believe that this is just a permission issue with iClicker, not a script issue. Make sure your browser is allowing the iClicker site to access your location. After allowing it, you might need to restart your browser.
- Script fails to see that a session has been started, after a session has been started, then closed, then started in a short amount of time
- This event will rarely happen, but it is still possible.
- The necessary functionality has been added to prevent this from happening.