1. 21
  1.  

  2. 5

    This is fun, well done!

    FYI, tested on Chrome 52, works well when I open devtools and the text changes back properly when I close devtools.

    1. 4

      This is fun, well done!

      s/fun/scary, but sure ;-)

      This reminds me quite a bit of the recent story about detecting curl foo | bash at the server and changing the script output accordingly.

      I think this is a very bad type of attack that seems to be gaining traction and will change how we think about security.

      1. 3

        Yeah, the curlsh was fun as well. More fun than scary in my opinion.

        Timing attacks have been around for a few decades already and I don’t really think they are gaining traction. Perhaps they are getting more attention, but I see this as a good thing.

        The case of curlsh is, just like here, a nice proof of concept. If it helps people understand the danger of curlsh, that’s good. If you don’t trust a server (and you probably shouldn’t trust a server), don’t curlsh. Download the script, review it, run it. If you do trust a server and this server detects you’re doing curlsh and uses this “exploit” to put you in trouble, then you shouldn’t have trusted this server. :)

        Loosely related is the nice warning PayPal displays in the JS console: https://www.paypal.com . I think these proofs of concept are mostly harmless, and mostly beneficial as they raise security awareness.

        1. 4

          whoa, I had no idea you could css format console text

              if(window.console || "console" in window) {
                console.log("%c WARNING!!!", "color:#FF8F1C; font-size:40px;");
                console.log("%c This browser fea[...]", "color:#003087; font-size:12px;");
                console.log("%c For more information, http://en.wikipedia.org/wiki/Self-XSS", "color:#003087; font-size:12px;");
              }

          1. 2

            I think that’s a Chrome-specific extension. You might also want to take a look at console.table and a bunch of other nifty extensions.

            1. 4

              It works in FF too! And anyways, the console is now a standardized API. Non-standard stuff will soon either be washed away, or be standardized.

              1. 2

                I was aware of console.table; %c, however, has a nice big red TODO: process %c in the living standard @awal posted below haha

          2. 2

            How is this a bad type of attack? What kind of compromise could happen from knowing the devtools are open?

            1. 6

              It just adds to the client-side JS obfuscation toolkit. One could detect if devtools are opened and clear all DOM and state to make it harder for the end user to check what is happening. Obviously, like all other obfuscation techniques, this is also not foolproof at all. It is not a breakthrough at all :)

              1. 2

                Gotcha, and yeah, agreed. :)

        2. 3

          Amusingly, the text only changes when I’m holding down the resize handle on the devtools window. It seems that the speed difference from merely having devtools open on Mac Chrome isn’t enough to trigger this.

          1. 2

            On Chrome on Mac, after I close the console the text does not change back.

            1. 2

              Oh, thanks for the report. If only I had a Mac to debug properly :(

              I’d still see what could be wrong.

            2. 2

                  function on_devtools_open()
                  {
                    hide_all_images();
                  }