Superman can't use Facebook

Matt Sayar

Recently, my wife was visiting Canada when she pulled out Ye Olde Facebook for a quick doome scrolle and happened upon some blocked content.

Obviously, my wife respected the censorship, didn't give it any further attention, and moved on with her day.

Just kidding! She was drawn to the forbidden fruit like a moth to a flame. I just recently wrote about some IP shenanigans and knew exactly what she needed to get around the location restrictions.

Tailscale Exit Nodes

With a surfeit of patience, my wife followed my instructions to install Tailscale, join my tailnet, and troubleshoot her connection to Facebook. 

I flipped a switch to make my trusty Raspberry Pi announce itself as an Exit Node. An Exit Node allows all my wife's phone traffic to first connect to the Raspberry Pi in our closet, and then all her subsequent traffic exits the Raspberry Pi and goes to its final destination.

Her phone's data will first go from Canada (1) to Colorado (2) then everywhere else

This will make all of my wife's connections look like they originate in the US, meaning no more location restrictions!

Well, what did the post say??

Actually, it still didn't work. I assume the Facebook app also uses GPS to get your location, so we turned of the app's location access permission.

It still didn't work, so I assume the Facebook app cached her location. We opened a fresh browser session, logged into Facebook, and... the post was still blocked. My wife got an email from Facebook saying she was logging in from Colorado, so at least we confirmed the exit node was working correctly.

Why doesn't this work?

At this point, I assume Facebook has some decent security alerting to prevent the "Superman Login" use case. Essentially, you can use authentication logs to know that an employee named Clark successfully logged in at the office. From there, it's impossible to login again from a location over 1,000 miles away just a few minutes later... unless Clark was Superman (which is obviously ridiculous because Clark has glasses). In practice, this means someone stole Clark's credentials and he should rotate passwords immediately. 

When my wife arrived back home from her trip, she could finally get her grubby little paws on that scandalous Facebook post... but it still didn't work. I guess Facebook has some caching in place with arbitrary expiry times.

Oh well, we tried  ¯\_(ツ)_/¯