33 comments

  • nop_slide 4 days ago
    You should also mention you are using Sherlock as the underlying backend which does that actual searching as you did in this post.

    https://old.reddit.com/r/Python/comments/z1ts1n/i_built_an_a...

    S̵h̵e̵r̵l̵o̵c̵k̵ ̵u̵s̵e̵s̵ ̵M̵I̵T̵ ̵l̵i̵c̵e̵n̵s̵e̵ ̵a̵n̵d̵ ̵y̵o̵u̵ ̵s̵t̵i̵l̵l̵ ̵h̵a̵v̵e̵n̵'̵t̵ ̵a̵d̵d̵e̵d̵ ̵M̵I̵T̵ ̵l̵i̵c̵e̵n̵s̵e̵ ̵t̵o̵ ̵y̵o̵u̵r̵ ̵r̵e̵p̵o̵.̵

    https://github.com/sherlock-project/sherlock

    https://github.com/bnkc/handlefinder

    With that said, I like the look of the UI you put on top, great work!

    Edit: As others have pointed out, the author doesn't need to make their creation MIT as well. I misunderstood the license agreement. They just have to include the notice of the dependencies somewhere. TIL.

    • echelon 4 days ago
      The MIT license isn't infectious! You might have just told the author to give up their rights.

      They're well within their rights to release their software as MIT or whatever, but they should make that decision on their own or as reflection upon the proper arguments from the community.

    • mtmail 4 days ago
      OP did right after posting: https://news.ycombinator.com/item?id=33722495 Almost the same text as on reddit.

      Second sentence in the README file on github is "This app is a wrapper around The Sherlock Project" (last edited 5h before posting) and second sentence in the UI is "This project is a wrapper around the Sherlock Project."

    • Kiro 4 days ago
      They don't need to add the MIT license. They only need to include the notice somewhere.
      • nop_slide 4 days ago
        Yep, my misunderstanding.
    • ilyt 3 days ago
      It really is amazing how many people advertise or shun license without even knowing what it does...
    • Ostatnigrosh 4 days ago
      Hey! Just added the MIT license.
      • bradknowles 2 days ago
        So, you should cache hits. If someone asks the same question again five minutes later, then you shouldn't need to look them up again.

        Also, it would be nice to show misses -- where the account name hasn't been used.

        I have found a few other people out there with the same name, and it would be nice to know what systems I can go to and grab the name I want to use.

      • nop_slide 4 days ago
        Apologies if I misread the license attribution, didn't want to take away from the work you did but also wanted to make sure credit was given.

        Cheers

    • nnoitra 4 days ago
      undefined
  • Ostatnigrosh 4 days ago
    I found myself scrolling through Github’s “trending” repos, looking for some coding inspiration. Within the next hour, I stumbled across something called The Sherlock Project. Interesting, It had over 35k stars, must be pretty popular.

    I quickly cloned the repo and started toying around with it. It didn’t take me long to realize the power of this tool. All I had to do was insert a username, and voila! I was looking at every social media website that was associated with the username. Not only that but direct links to the accounts.

    I immediately wanted to turn this into a web app so that everyone could use it. My first challenge was that this was a CLI tool, so I got to work. The Sherlock project makes about 400 requests to various site s to check if your username exists. This was going to be tough... I noticed they were using requests.FutureSession to multithread the result.

    I decided to use a multithreaded Web-socket to continuously report out data to the frontend. After ALOT of trial and error I finally got something working. The Issue now though was that it wouldn't run in production due to a multiprocessing error: Daemonic processes are not allowed to have children.

    Eventually I learned that you cant use the standard multiprocessing library for this kind of thing, you had to use billiard. Bam! It worked. I quickly hacked together a simple frontend, configured the web socket, and results were pouring in.

    Turns out, the web-socket is considered a "long running request" as it makes 400 external requests. Maybe I could use celery to offload this process to a worker and queue it up. I started working on it and realized this was a little out of my skill range.

    I then decided to take a look at the logs where I hosted the code and what do i find? CPU, Memory, and bandwidth all reaching a staggering 100% usage. I was using the free tier of Render that only allowed for one instance of my app...duh. I did some rework of my codebase and it started running a little faster.

    Needless to say, I learned to take it slow, build tests for my code, and be patient with results.

    What do you guys think? Any hard lessons learned in coding? What were your takeaways?

    Here is also a link to the repo: https://github.com/bnkc/handlefinder

    • rkagerer 4 days ago
      You need a privacy policy (or at least a one-liner statement) that gives potential users some assurance you aren't harvesting their username / IP / etc or the results for some other purpose or piping it to advertisers.
      • A4ET8a8uTh0 4 days ago
        Yep. The wrap around the tool is neat and looks well done based on what I could see, but I hesitated based just that consideration.

        edit: I thought I should make my feedback less generic. In this case, by neat I mean: no fluff, no useless stuff on the landing page, straight to the point. I appreciate that.

      • Aeolun 3 days ago
        If they were going to harvest those usernames by posting it on hackernews, wouldn't it be easier to just scrape hackernews for usernames in the first place?
      • Ostatnigrosh 4 days ago
        Havent really thought of that. Ill take a look
    • mattl 4 days ago
      I think it would be useful to show the networks that the username cannot be found on.
      • Ostatnigrosh 4 days ago
        Thats a good thought. I was considering it but was worried about "cluttering" the site
        • TheTaytay 4 days ago
          I echo this request. It was my expectation actually!

          I searched for my username and was shocked it was used on literally every website you checked. Then I tried a less common variant and was similarly shocked, until I realized that you were showing me fewer websites the second time around. Only then did I realize you only showed me sites where it was already claimed…

        • bombcar 4 days ago
          Could be useful for people who like to “claim” their common handle.
          • veb 4 days ago
            what I find annoying is that (other than HN) most places won't let you claim your username if the person has signed up, yet never posted over years (or even logged in) and places where an account was deleted.

            when I signed up to HN, I had a different username. I reached out to admins and they looked at the other account that had been created but they let me have it because the person hadn't logged in since. Oh! I think GitHub did as well. (shit, I wonder if I have mixed up GitHub and HN... I'm pretty sure they're the two that did actually let me have my handle... :x)

            • mattl 4 days ago
              That sounds like a bad idea.

              Why would it be a good idea to recycle usernames like that?

              • williamscales 4 days ago
                Because some people sign up for a site early and then never use it. I can't get my desired handle on a particular social network because some dude registered 15 years ago, posted one item, and then never used it again.

                I mean, obviously I'll live but it's a silly situation.

              • xwdv 4 days ago
                Because overtime we can wear down the idea that a public facing username is some kind of unique identifier.
                • chillfox 4 days ago
                  I really like how Discord handles it. Username + 4 digit number = unique handle, but if nobody else has the same username in a server then you can just use the username to refer to them
                • mattl 4 days ago
                  Do you have any alternative solution in mind? ICQ numbers?
                  • xwdv 4 days ago
                    Content
              • bombcar 4 days ago
                Same reason we recycle domains.
            • selcuka 3 days ago
              > I think GitHub did as well.

              I can confirm that GitHub definitely does that.

        • DueDilligence 3 days ago
          .. echo'd as well.
    • walderf 3 days ago
      this reply is really only quasi-related to your first sentence.

      since you mentioned the "trending" repositories on github, i wanted to give the https://github.com/nschloe/github-trends project a shout out.

      it's not the same thing at all but also kind of the same thing, although it's actually, at the same time, kinda also not. alright, i'll get real. the most important thing regarding the linked project is the fact that it's got graphs. with lines. in various colors. lines that generally rise upwards, towards the right-hand side of your screen(s). lines that, more often than not, have slopes which vary in intensity and length. lines that are part of, if i may take this chance to kindly reiterate, graphs.

      everybody loves graphs, right? i know i do. almost as much as i love search results linking to 37 minute youtube how-to videos for reminders/instructions on how to fix a 37 second problem with absolutely zero transcript in the video description's text area.

      anyways. here's a great example of a proper how-to video. https://www.youtube.com/watch?v=py3QKC_OTvI

      if you're having a bad day, ignore everything i've said, and just watch the 1st 6 seconds of the above how-to video. :)

  • s1mon 4 days ago
    Some people are liking the UI here, but it wasn't clear to me at first that a [+] meant the username was used on that site. In my mind, it could just as easily mean that it's available on that site (that could be a positive result if you're looking for places to sign up with a name). This should be made more clear.

    It would be interesting if you could toggle on the not-found list as part of the results. If you get a big positive list, but you'd like to find the sites where the username is not in use yet, there's no quick way to get that info. (Yes you could scrape both lists and use some simple command line scripts to get those results, but it's such a simple thing to add to this tool)

    • dtgriscom 3 days ago
      I read the "[ + ]" bullet symbols as indicating a topic that could be expanded.
  • avgDev 4 days ago
    Great tool I used it to find all social accounts of my ex. Anyway, got to go as I am outside her house and don't want to miss her leaving for work.

    /s if it wasn't obvious.

    Cool tool.

    • culi 4 days ago
      good reminder for why you shouldn't use the same username everywhere unless you intend to have an online presence

      Personally I have a specific scheme I follow w my more private usernames. Basically the same username but depending on the website it has a predictable alteration to it so I get different usernames for different sites but don't have to remember them all

      Then I have a different username (well, a couple) I use for sites where I don't mind having a public presence that can be tied back together

  • jfk13 4 days ago
    A bunch of the occurrences it "finds" appear to be false positives, as far as I can tell.
    • aitchnyu 3 days ago
      Wonder if some sites are seeding false positives to get your visit. Like ads saying "buy sarin gas attack in japan at the lowest price!".
    • MichaelZuo 4 days ago
      Yes, even for HN it returns false positives.
      • lamontcg 4 days ago
        Yeah I tried "dvmnasrtjkhqofjsenvign" and got false positives on Dribbble, Enjin, HackerNews, Instagram, Quizlet, Smule, and livelib.

        Also got the same false positives with a couple aliases of mine that seem to be actually unique so far. I was a bit annoyed someone had already stole them on HN for a second.

  • xeromal 4 days ago
    Be warned people. You might find accounts you don't remember making. lmao

    A trip down memory lane.

    • JacobThreeThree 4 days ago
      The only username you should use more than once is your real name.
      • timeon 4 days ago
        You shouldn't use your real name on the internet.
        • someweirdperson 4 days ago
          For most people it doesn't matter much because there is many dupes.

          Mine seems to be unique, which is a little scary.

          • chillfox 4 days ago
            There’s a few other people out there who use the same username as me, so I have had to come up with several other usernames.
        • bombcar 4 days ago
          Or use someone else’s real name. Like Abraham Lincoln’s.
      • xeromal 4 days ago
        I was 12-18 years old so I wasn't really thinking that way.
      • Jerrrry 4 days ago
        um, many people enjoy having a persistent online alter-ego, and some annoying people like to claim others when a service launches, just to be a dick.
  • dtgriscom 3 days ago
    I tried this with my usual username (which is unusual; not many Griscoms out there), and found some false positives.

    The following sites gave me errors with my username, and if I changed the username to something unlikely I got the same error. I take this to mean that there's no evidence that username exists on that system. (And, I'm dubious that I'd have signed up at these sites.) * quizlet.com * www.enjin.com * apps.runescape.com * smule.com * livelib.ru

    And, fiverr.com's URL for my username just bounces to the homepage, as did any username. (Again, I wouldn't have signed up there.)

    Other than that, very cool.

  • smcl 4 days ago
    Reminds me of this, which popped up recently here: https://github.com/soxoj/maigret
  • mcqueenjordan 3 days ago
    I don't want to rain on anyone's parade, but I'll just add my unsolicited opinion...

    Functionality like this, and more acutely, any kind of cross-service, cross-account stylometrics correlation or de-anonymizing service gives me great concerns for its abuse and the groups that it likely endangers (and the groups it likely empowers).

    • brobinson 3 days ago
      Bad actors have had the ability to do this for a long time. If anything, this raises awareness among normal people.
      • nokya 3 days ago
        Well, not sure I am a bad actor but reading the comment gave me the idea of typing my ex's nickname and I now discover she has an account on a quite unusual platform of which I am a member, too.

        For sure, I would never have the time to build such a tool. So, yes, some bad actors may have the "ability" as you mention, but I don't think that is the best justification to make querying this tool that easy.

  • someweirdperson 4 days ago
    I am using an un-pronouncible combination of 4 characters in some games. Never could not get it anywhere I wanted it. Was surprised to see it found on 60 sites, none of them me.

    My username here is found on only 50, the other 49 not me.

    It might be a useful tool to pre-check names before creating accounts for someone who wants a consistent name everywhere.

  • Normille 3 days ago
    Hmmm... I searched a name and it found 9 results. But none of the profiles actually existed when I followed the links.

    Mind you, I've never fond these kind of things to be very effective. Bellingcat has a selection of similar tools and the results are always pretty unreliable:

    https://docs.google.com/spreadsheets/d/18rtqh8EG2q1xBo2cLNyh...

  • serjester 4 days ago
    Why use React for something this light? People wants to use a frontend frameworks for everything now, I miss 1998. Just kidding, great work! Way more accessibly to the average person than the Sherlock CLI.

    Also you have two requiments.txt's FYI.

  • moneywoes 4 days ago
    Seems the HN one doesn’t work
    • tomrod 4 days ago
      Indeed. On that and a lot of sites I get false positives. Old usernames that I used (and pretty sure no one else did) on sites I've never visited.
  • NaturalPhallacy 4 days ago
    I got a false positive on runescape, fiverr, and tiktok for my username (not this one).
  • someweirdperson 4 days ago
    False positive bug list. These always return a match even if there is none:

    Archive of Our Own

    Dribbble

    Enjin

    Fiverr

    HackerNews

    Instagram

    Quizlet

    Smule

    We Heart It

    livelib

    • s1mon 4 days ago
      I put in a <somewhat random mashing of the keyboard> userid. I got a shorter list, but clearly this is an issue.

      [ ! ] Checking username q349t8y on:

      [ + ] Enjin: Enjin

      [ + ] Fiverr: Fiverr

      [ + ] HackerNews: HackerNews

      [ + ] Instagram: Instagram

      [ + ] Quizlet: Quizlet

      [ + ] Smule: Smule

      [ + ] livelib: livelib

      [ X ] End Results: 7

      • someweirdperson 4 days ago
        Just retried with the same name as before, now I see it reduced to your list, plus a new entry:

        [ + ] TikTok: TikTok

  • DueDilligence 3 days ago
    .. just ran the iOS MAIGRET tool report [massively granular-thus more false positives + a shit tonne of server errors] against your tool. Enlightening.
  • magicemoji 3 days ago
    There is a similar iOS app implement in pure swift, run directly on your iPhone, open App Store and Search: Maigret to download this app.
    • DueDilligence 3 days ago
      .. which I am pleased to say also works in MacOS.
  • kapral18 3 days ago
  • acqbu 3 days ago
    This is amazing! My only fear is that it will benefit more stalkers than genuine users.
  • Dave3of5 3 days ago
    Shows me on something called smule which I don't have an account on.
  • ilyt 3 days ago
    Now auto-create that account and offer user to buy it for few bucks
  • oriettaxx 4 days ago
    great, it works (with some false-positive, like Enjin for example).

    A warning: an account could be suspended (since many still cannot let you remove it), and by logging in again you end up re-activating.

    just be aware

  • rob 3 days ago
    Lot of results! Thanks
  • DueDilligence 3 days ago
    .. excellent tool .. TWO coffee's for you!
  • high_pathetic 4 days ago
    And that's why I prefer making a username per site I use. No need to connect the dots, no need for this tool, except for spying on a person.
  • DueDilligence 3 days ago
    .. added to my OSINT tools.
  • skc 3 days ago
    Lots of false positives
  • dingdongdaddy 4 days ago
    you made a web frontend for Sherlock LMAO
  • deadalus 4 days ago
    This tool is very fast! I used it to find my crush's social profiles and it worked well.
  • sph 4 days ago
    Add "Show HN:" to the title to have more time in the spotlight, since you built this.