Facebook 如何禁用浏览器的集成开发者工具? [英] How does Facebook disable the browser's integrated Developer Tools?

问题描述

很明显，由于最近的骗局，开发者工具被人们利用来发布垃圾邮件，甚至用来入侵"帐户.Facebook 屏蔽了开发者工具，我什至无法使用控制台.

他们是怎么做到的??；这是为了防止特定的社会工程攻击.

如果你最终进入了测试组并且对此感到恼火，抱歉.我试图让旧的选择退出页面(现在 帮助页面)尽可能简单，同时仍然很可怕足以阻止至少一些受害者.

实际代码与@joeldixon66 的链接非常相似；我们的有点复杂，没有充分的理由.

Chrome 将所有控制台代码封装在

with ((console && console._commandLineAPI) || {}) {<代码在这里>}

... 所以网站重新定义了 console._commandLineAPI 来抛出:

Object.defineProperty(console, '_commandLineAPI',{ get : function() { throw 'Nooo!'} })

这是还不够(试试看！)，但就是这样主要技巧.

<小时>

尾声:Chrome 团队认为从用户端 JS 击败控制台是一个错误，修复了问题，使此技术无效.之后，添加了额外的保护以保护用户免受自我xss的侵害.

So apparently because of the recent scams, the developer tools is exploited by people to post spam and even used to "hack" accounts. Facebook has blocked the developer tools, and I can't even use the console.

How did they do that?? One Stack Overflow post claimed that it is not possible, but Facebook has proven them wrong.

Just go to Facebook and open up the developer tools, type one character into the console, and this warning pops up. No matter what you put in, it will not get executed.

How is this possible?

They even blocked auto-complete in the console:

解决方案

I'm a security engineer at Facebook and this is my fault. We're testing this for some users to see if it can slow down some attacks where users are tricked into pasting (malicious) JavaScript code into the browser console.

Just to be clear: trying to block hackers client-side is a bad idea in general; this is to protect against a specific social engineering attack.

If you ended up in the test group and are annoyed by this, sorry. I tried to make the old opt-out page (now help page) as simple as possible while still being scary enough to stop at least some of the victims.

The actual code is pretty similar to @joeldixon66's link; ours is a little more complicated for no good reason.

Chrome wraps all console code in

with ((console && console._commandLineAPI) || {}) {
  <code goes here>
}

... so the site redefines console._commandLineAPI to throw:

Object.defineProperty(console, '_commandLineAPI',
   { get : function() { throw 'Nooo!' } })

This is not quite enough (try it!), but that's the main trick.

---

Epilogue: The Chrome team decided that defeating the console from user-side JS was a bug and fixed the issue, rendering this technique invalid. Afterwards, additional protection was added to protect users from self-xss.

这篇关于Facebook 如何禁用浏览器的集成开发者工具?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！