If people read of a "h4x0r trick to read their bf/gf private messages", they will execute it. And hey, "it has this l33t keyboard shortcut that will make a strange window pop up, it must be what the hackers in the movies use!!". And then "Oh well, thanks to this friend of mine for sharing this cool trick that gives me the stuff to paste there, I would not know how to use it!". And finally "Booooo, Facebook sucks, my account got hacked".

I remember of the internet making fun of a girl that believed to be enrolled in some secret police because she popped up the Dev console. Well, that is just normal people, not uncommon.

I trust that actual developer can find their way around blocks and warnings, that however raise the bar for social engineering.

    > fn = function(){ var key = "shhhhh" }
    > fn.toString()
    'function (){ var key = "shhhhh" }'

But it requires that the value is hardcoded inside the function. If it was given to an unreachable scope by some async action (like an ajax request) this trick wouldn't work.

One could possibly also wrap the function in an native .bind call to change the output of toString() to [native code]

It's better to assume the console has 100% root (client-side) privileges.

http://stackoverflow.com/a/16048707/73681

    document.getElementsByTagName('script')[0].innerText

- just download this file to see your gf private messages. ok, lets remove download from the browser (actually, ios did this)

- just run this long string in the address bar to see whatever. ok, let prevent javascript: schema in url bar (actually, android stock browser did this)

anyway you go at it, is ineffective. the only solution is to educate. trying to prevent idiots from harming themselves will just lead to annoyance to the non-idiots and more sophisticated attacks until you cant prevent them.

people who implement those dumb thing disgusts me. your comment disgusted me.

Exactly. The more things you do to restrict users so "it's safer for them", the more reckless and stupid they'll become - "because $security_feature will protect me" - and they won't ever learn anything. On the other hand, if we give them the freedom to make mistakes, those that do will learn from them. Instead of trying to block "self-XSS" or telling everyone "don't listen to anyone telling you to paste something into the URL bar", we should be encouraging them with "if you don't know what it does or don't trust the one who told you to do that, then don't do it - or find out what it really does." That last part is particularly important, since it encourages curiosity and that motivates learning.

I understand that many people would just want to use something and not want to learn all that much, but I feel we should also not be encouraging this "lack of thought" mentality either.

Also if you want to learn how to do it right, look at Mozilla. They mostly do the right thing. E.g. telling user and in extreme cases making him wait a very short time before accepting something that may be dangerous.

    In Comments
    
    Be civil.

There's no way to make a system really secure and as you point out there is no way to "prevent idiots from harming themselves". What you do is stopping common/easy vectors and raising the effort bar/reducing conversions for the attacker.

If we require that a guy to use his computer learns how its threat model works, we failed as a industry.

And to address your points: users know that downloaded files are evil and Chrome warns about that. The javascript schema is mitigated by Chrome - if you copy-paste the initial "javascript:" is cut out. I'd love to know the other 998 to open discussions about them.

Note about the use of the word idiots: more of people who are not tech-savvy; you might be an idiot in this meaning for one or more of: electricians, mechanics, doctors...

It seems that users were being duped in to running malicious scripts that gave attackers control of their accounts. Sure, Facebook could be evil and not offer the option to re-enable the console and I'm sure other sites will do exactly that until browser makers prevent it, but at this time, Facebook is not being evil. I'm not sure about Netflix.

If people are being successfully duped in to running malicious scripts this way, perhaps browser developers should put a first-run warning on the dev tools saying that running code there supplied by a third-party is dangerous.

How does that even make sense given that Facebook clearly gives the opt-out link which is easy to use, and works? I don't believe for a second that you aren't being completely cynical.

The opt-out is there to boil the frog until they can remove it in the guise of "security". I also agree with bsamuels that it provides a convenient CFAA lever to hit in the event you do run a script they don't like. ("They had to deliberately bypass our 'protection' to paste the javascript into the console!")

Asking targets to first go to the account->security settings to disable the option named "Allow my account to be hijacked if I paste malicious JavaScript", and then to paste this JavaScript, seems to me to be quite clearly less effective than the simpler "paste this JavaScript".

Furthermore I strongly suspect that compromised accounts cause more harm to Facebook's bottom line than users who are exporting their address books. Millions lost every quarter due to fraud vs... what, exactly?

Rather, it makes more sense for them to add it so that if someone does debug their site, it gives Netflix a legal precedent to press charges against them for hacking their site by bypassing a security system.

These companies lose more money to fraud in a quarter than they have ever lost due to people exporting their movie ratings, or whatever other non-criminal acts people have been committing at the console. I don't understand why we need to posit a 2nd (more sinister) motivation.

It's like those tacky trailers at the start of a movie "pirating movies is illegal". First question the judge asks - what steps did you do to prevent pirating and when did you notify your customers.