Timing attack to check if devtools are open

21

Timing attack to check if devtools are open show browsers javascript github.com
via awal 2 years ago | cached | 14 comments

14

5

vhf 2 years ago | link

This is fun, well done!

FYI, tested on Chrome 52, works well when I open devtools and the text changes back properly when I close devtools.
1. 4
  
  owen 2 years ago | link
  
  This is fun, well done!
  
  s/fun/scary, but sure ;-)
  
  This reminds me quite a bit of the recent story about detecting curl foo | bash at the server and changing the script output accordingly.
  
  I think this is a very bad type of attack that seems to be gaining traction and will change how we think about security.
  1. 3
    
    vhf 2 years ago | link
    
    Yeah, the curlsh was fun as well. More fun than scary in my opinion.
    
    Timing attacks have been around for a few decades already and I don’t really think they are gaining traction. Perhaps are they getting more attention, but I see this is as a good thing.
    
    The case of curlsh is, just like here, a nice proof of concept. If it helps people understand the danger of curlsh, that’s good. If you don’t trust a server (and you probably shouldn’t trust a server), don’t curlsh. Download the script, review it, run it. If you do trust a server and this server detects you’re doing curlsh and uses this “exploit” to put you in trouble, then you shouldn’t have trusted this server. :)
    
    Loosely related is the nice warning Paypal displays in the JS console: https://www.paypal.com . I think these proofs of concept are mostly harmless, and mostly beneficial as they raise security awareness.
    1. 4
      
      kel 2 years ago | link
      
      whoa, I had no idea you could css format console text
      
      if(window.console || "console" in window) { console.log("%c WARNING!!!", "color:#FF8F1C; font-size:40px;"); console.log("%c This browser fea[...]", "color:#003087; font-size:12px;"); console.log("%c For more information, http://en.wikipedia.org/wiki/Self-XSS", "color:#003087; font-size:12px;"); }
      1. 2
        
        whjms 2 years ago | link
        
        I think that’s a chrome-specific extension. You might also want to take a look at console.table and a bunch of other nifty extensions.
        
        4
        
        inactive-user 2 years ago | link
        
        It works in FF too! And anyways, the console is now a standardized1 API. Non-standard stuff will soon either be washed away, or be standardized.
        
        2
        
        kel 2 years ago | link
        
        I was aware of console.table; %c, however, has a nice big red TODO: process %c in the living standard @awal posted below haha
  2. 2
    
    flyingfisch 2 years ago | link
    
    How is this a bad type of attack? What kind of compromise could happen from knowing the devtools are open?
    1. 6
      
      inactive-user 2 years ago | link
      
      It just adds to the client-side JS obfuscation toolkit. One could detect if devtools are opened and clear all dom and state to make it harder for end-user to check what is happening. Obviously, like all other obfuscation techniques this is also not fool-proof at all. It is not a break-through at all :)
      1. 2
        
        flyingfisch 2 years ago | link
        
        Gotcha, and yeah, agreed. :)
3

orib 2 years ago | link

Amusingly, the text only changes when I’m holding down the resize handle on the devtools window. It seems that the speed difference from merely having devtools open on Mac Chrome isn’t enough to trigger this.
2

kghose 2 years ago | link

On Chrome on Mac, after I close the console the text does not change back.
1. 2
  
  inactive-user 2 years ago | link
  
  Oh, thanks for the report. if only I had a mac to debug properly :(
  
  I’d still see what could be wrong.

pilkch edited 2 years ago | link

function on_devtools_open()
{
  hide_all_images();
}