Facebook tries to preempt ‘self-XSS’ scams
The other day I noticed Facebook has a nice little message in the developer console to warn people they might be about to fall victim to a scam.
Hopping over to the linked page and “What do Self-XSS scams look like?”, there was just some basic information, including this slightly condescending blurb:
JavaScript is a programming language used on most websites. The console lets developers test new features and change the content of pages. Most people will probably never need to use their browser’s console so if you’re asked to do so, it may be a scam.
After a quick search, it seems Facebook has been trying various console-related strategies over the past year, including temporarily blocking some users from entering commands in the console, until the Chrome team decided allowing a website to do that was a bug. So now they are back to just displaying the message.
Interesting stuff!
Here’s the message in text format:
 .d8888b.  888                       888
d88P  Y88b 888                       888
Y88b.      888                       888    This is a browser feature intended for
 "Y888b.   888888  .d88b.  88888b.   888    developers. If someone told you to copy-paste
    "Y88b. 888    d88""88b 888 "88b  888    something here to enable a Facebook feature
      "888 888    888  888 888  888  Y8P    or "hack" someone's account, it is a
Y88b  d88P Y88b.  Y88..88P 888 d88P         scam and will give them access to your
 "Y8888P"   "Y888  "Y88P"  88888P"   888    Facebook account.
                           888
                           888
                           888
For more information, see https://www.facebook.com/selfxss.