
How does Facebook disable Developer Tools? - gedrap
http://stackoverflow.com/questions/21692646/how-does-facebook-disable-developer-tools
======
magicalist
I don't think Developer Tools are going to be able to allow overriding like
this for long, or we're going to be seeing a lot of this on sites soon, just
like the widespread right-click "disabling" of yesteryear.

~~~
brey
I don't think it's as simple as that - there's a _lot_ more damage you can do
by copy-pasting arbitrary code obtained via a social engineering vector into
the dev console, than right-clicking to save an asset.

I'd consider this a genuine security issue, and wouldn't be surprised if the
dev console at least got moved behind a lot more 'here be dragons' warnings.

Or hide it behind a Turing-test-for-engineers ... 'solve the following code
test to enable the dev console' ;)

~~~
tokenizerrr
Web browsers have had the capability to execute javascript through the URL bar
for as long as I can remember. Social engineers should be able to just
bypass this by telling users to copy paste the following code, Control+L, type
"javascript:" (Chrome strips it when copy-pasting), Control+V, Enter.

    javascript:alert('hi ' + document.body.innerHTML);

If people can be tricked into executing code in the dev console, then why not
this too?

~~~
dorward
Browsers have already started to remove/limit code execution capability from
the address bar.

[https://bugzilla.mozilla.org/show_bug.cgi?id=656433](https://bugzilla.mozilla.org/show_bug.cgi?id=656433)

[https://code.google.com/p/chromium/issues/detail?id=82181](https://code.google.com/p/chromium/issues/detail?id=82181)

~~~
EGreg
Wait does this mean bookmarklets will fail in those browsers from now on?

~~~
shdon
My bookmarklets run just fine, JS in the URL-bar doesn't.

~~~
EGreg
Do the bookmarklets execute in the context of the page?

~~~
shdon
Yes, they work just as they've always done.

------
yen223
There's an interesting link in the accepted answer about how the social
engineering hack, that necessitated the disabling of Developer Tools in the
first place, was executed in the first place:
[https://www.facebook.com/photo.php?v=956977232793](https://www.facebook.com/photo.php?v=956977232793)

------
plorkyeran
I'm sort of surprised that the developer tools have only recently become an
attack vector (via social engineering). I'm not sure what can even really be
done about it without seriously inconveniencing developers. Maybe making them
disabled by default with an extra option to enable them would be enough to
deter all but the most gullible of users?

~~~
ihsw
Why not a separate package altogether? That way the Chrome team can focus on
Chrome, and the Developer Tools team can focus on producing a high-quality
website debugger.

~~~
reconbot
Because the "hackability" of the web is important. The ability to view source,
play in the console, modify the dom, etc is amazing. Locking it down or
providing a larger barrier to entry (eg, download this extra thing) provides
dubious benefit and hides what makes the web great.

I speak as someone who teaches ruby and javascript. Javascript is in every
browser and the console is a wonderful place to start. When I teach ruby (on
Macs) I have to start with, "well ok, now download xcode". It's really easy
for someone to give up before getting everything working.

~~~
samplonius
So downloading a 100KB extension for a browser which you use for downloading
stuff all the time is a "huge barrier"? Wow, talk about a 1st world problem.

And "when I teach ruby", "well ok, now download xcode"... ok, Xcode is a 2.5GB
download, but it is a one click download and install via App Store. And
really? Xcode for Ruby? Are you really doing that?

~~~
djur
Xcode is necessary because Apple distributes an operating system without a C
compiler, and standard Ruby development requires a C compiler. Why Apple
distributes an incomplete operating system by default, and why they distribute
their development environment as one monolithic chunk as opposed to a set of
packages, is anyone's guess.

~~~
United857
Last I checked, Windows also doesn't ship with a C compiler by default. Even
some Linux distros don't have it in the default install.

~~~
djur
Windows is also an incomplete operating system as sold, as are those Linux
distros. For a long time Windows was outright defective because there was no
compiler available without paying hundreds of additional dollars to Microsoft,
but they do have a free toolchain now.

------
gibybo
The accepted answer teases that this is not enough:

    Object.defineProperty(console, '_commandLineAPI',
      { get : function() { throw 'Nooo!' } })

But why isn't it enough?

~~~
STRML
I spent a while looking at it last night and came up with a solution, I'll
walk you through it. For reference, here's the code:

    function escape(s) {
      // Bonus level!

      Object.defineProperty(console, 'foo',
         { get : function() { throw 'nooo!' } });

      var code = 'with(window.console && console.foo || {}) {\n\t'+s+'\n}';
      console.log(code);

      try {
        console.log(eval(code));
      } catch (e) {
        console.log(e);
      }
    }

The idea is, you need to craft `s`, such that `s` can execute arbitrary code
without throwing 'nooo!'. The interesting problem is, any access to
`console.foo` will throw because the getter above is called. This _includes
the access inside the `with` statement_. So the solution, if there is any,
must somehow cause mutation of state before the `with` even executes.

Now, what brought me to the solution was this thought: "What in Javascript
allows you to execute code _before_ a given statement?" Upon framing it in
this way, the solution became immediately clear: function declarations are
automatically hoisted!

If you redefine `console` to be an object without the property 'foo', the `||
{}` part of the with predicate will instead be passed as the scope, and you
have free rein to walk about the system.

So the solution is:

    alert(1) } function console(){} {

Which produces the statement:

    with(window.console && console.foo || {}) {
      alert(1) } function console(){} {
    }

~~~
pjob
Ah, cool. That's a little shorter than the solution that I came up with:

    function window(){alert(1)}window()

To those of you going for the code golf record, you can save a character in
STRML's solution by redefining window instead. Furthermore, the last two
braces can be omitted and whitespace removed for a total of 27 characters.
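
Added example (not part of the comments above, and not Facebook's or Chrome's code): a Node.js reduction of the challenge showing why a throwing getter that is read inside the evaluated string can be sidestepped by a hoisted declaration, next to a variant that reads the getter before the string is parsed. The names `makeGuarded`, `guardInsideEval`, `guardOutsideEval`, `attempt` and the `sink` array are assumptions for illustration, and `alert(1)` is replaced by a push onto `sink`.

```javascript
// Constructed stand-in for the guarded object: reading `.foo` always throws.
function makeGuarded() {
  const fake = {};
  Object.defineProperty(fake, 'foo', { get() { throw 'nooo!'; } });
  return fake;
}

// Guard inside the evaluated string, as in the challenge. Built with Function
// so the body is sloppy mode (`with` is a SyntaxError in strict code).
const guardInsideEval = new Function('console', 'window', 'sink', 's',
  "var code = 'with(window.console && console.foo || {}) {\\n' + s + '\\n}';" +
  'return eval(code);');

// Guard resolved by the host before the untrusted string is parsed, so a
// declaration hoisted out of `s` cannot rebind the name the guard reads.
function guardOutsideEval(console, window, sink, s) {
  const scope = window.console && console.foo || {}; // getter fires here
  return new Function('scope', 'sink', 'with (scope) {\n' + s + '\n}')(scope, sink);
}

// Run `s` under `runner`; report whether the getter stopped it and whether
// the payload's side effect (a push onto `sink`) happened.
function attempt(runner, s) {
  const guarded = makeGuarded();
  const sink = [];
  try {
    runner(guarded, { console: guarded }, sink, s);
    return { blocked: false, ran: sink.length };
  } catch (e) {
    return { blocked: e === 'nooo!', ran: sink.length };
  }
}

const PLAIN = 'sink.push(1)';
// The thread's payload, with alert(1) swapped for a harmless push.
const HOISTED = 'sink.push(1) } function console(){} {';

for (const [name, runner] of [['inside', guardInsideEval], ['outside', guardOutsideEval]]) {
  console.log(name, 'plain:', attempt(runner, PLAIN), 'hoisted:', attempt(runner, HOISTED));
}
```

With the guard inside the string, the plain input is blocked but the hoisted one runs; with the guard read outside, both are blocked.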

------
ibarrajo
This is an analysis of the code that Facebook is trying to prevent from being
pasted into the console:

[http://pastebin.com/0JXCVxXg](http://pastebin.com/0JXCVxXg)

~~~
agumonkey
I thought it was obfuscated variable names, but it's a Turkish word
[https://en.wiktionary.org/wiki/arkada%C5%9Flar](https://en.wiktionary.org/wiki/arkada%C5%9Flar)
(follower)

~~~
egeozcan
It means "friends". There are some functions named "get messages", "get
friends", "get a random friend" and "post comment" too. Weird.

~~~
agumonkey
Not yeah I don't know why I thought this was about twitter so I only wrote
follower (close semantics, and wiktionary listed both). So it's an i10n CRUD
controller :)

------
zachrose
How is this "browser vulnerability" different from a bookmarklet?

~~~
hrjet
Or a browser extension.

------
joe_hoyle
How is this exploit not possible by just telling someone to paste
javascript:alert(document.cookie) etc into their address bar?

~~~
Strom
Because pasting doesn't work. Most browsers (like Chrome, IE) just remove the
javascript: prefix from your pasted text, and some browsers (like Firefox)
don't allow you to execute standard javascript from the address bar.

~~~
gkhnarik
I agree. Chrome doesn't allow you to paste it, you have to type it. I believe
they'll disable it soon too.

~~~
yen223
See the link in the accepted answer. If you try to paste in "javascript:
blahblahblah", Chrome is smart enough to remove the "javascript: " part. What
the attackers do instead is to tell the victim to type "j", then ctrl+v the
rest "avascript: blahblahblah". Just tried it in Chrome, it goes through.

~~~
SomeoneWeird
Clever.

------
darkbot
Facebook is violating the user's right to their own software.

~~~
ceejayoz
Facebook is protecting the vast majority of users and making developers click
a checkbox to undo that protection. There are plenty of things to get outraged
about, but I'd argue this isn't one of them.

------
phaer
Wouldn't it be just as simple for an attacker to persuade a victim to paste a
string starting with "javascript:" into the URL bar?

~~~
Cyykratahk
Both Firefox and Chrome have been preventing that since around 2011; the
pasted url is stripped of the "javascript:" part. But now the malicious
instructions tell users to press "j" before pasting the url (which is missing
the "j" at the start), which prevents the browsers from detecting and
stripping the protocol, thus allowing the script execution.

------
WithTeeth
I think the burden lies on the browsers to warn average users of the danger of
pasting javascript code. Perhaps a popup confirmation the first time you paste
`javascript:...` in the address bar with a "Never ask again," and a warning
that "Here be danger" when you open the dev console that you can dismiss.

------
blueskin_
Doesn't happen for me in Firefox - I can make alerts etc using the console.

------
Fasebook
This is a pretty good reason to never trust Chrome again.

~~~
nyrina
I wouldn't trust any computer, then.

It's the same as taking a bunch of code you have no idea how it works, pasting
it into CMD, then wondering why you just deleted C:/

~~~
talkingquickly
Exactly, how many developers can honestly say they've never copy pasted
commands into the terminal without being 100% sure what they were doing?

~~~
codygman
Hesitantly, I will claim that I can say this because I cannot remember ever
pasting a command in I did not take the time to understand.

------
jokoon
I hate the web

I hate the web

