Facebook tries to preempt ‘self-XSS’ scams

The other day I noticed Facebook has a nice little message in the developer console to warn people they might be about to fall victim to a scam.

Hopping over to the linked page, “What do Self-XSS scams look like?”, there was just some basic information, including this slightly condescending blurb:

JavaScript is a programming language used on most websites. The console lets developers test new features and change the content of pages. Most people will probably never need to use their browser’s console, so if you’re asked to do so, it may be a scam.

After a quick search, it seems Facebook has been trying various console-related strategies over the past year, including temporarily blocking some users from entering commands in the console, until the Chrome team decided that allowing a website to do that was a bug. So now they are back to just displaying the message.

Here’s the message in text format:

 .d8888b.  888                       888    
d88P  Y88b 888                       888    
Y88b.      888                       888    This is a browser feature intended for 
 "Y888b.   888888  .d88b.  88888b.   888    developers. If someone told you to copy-paste 
    "Y88b. 888    d88""88b 888 "88b  888    something here to enable a Facebook feature 
      "888 888    888  888 888  888  Y8P    or "hack" someone's account, it is a 
Y88b  d88P Y88b.  Y88..88P 888 d88P         scam and will give them access to your 
 "Y8888P"   "Y888  "Y88P"  88888P"   888    Facebook account.

For more information, see
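For anyone who wants the same kind of warning on their own site, here is an added example (not Facebook's code, and not from the post above) of how a styled message like this is written to the developer console. The site name, the wording and the CSS are assumptions; the `%c` format specifier is what lets a browser console apply CSS to the text that follows it. As the post notes, this is advisory only: it cannot stop a user from pasting and running code, it just tells them why they should not.

```javascript
// Added example: a self-XSS console warning in the style of the one
// quoted above. Site name, wording and styling are assumptions.
const SITE_NAME = 'ExampleSite'; // placeholder, not a real site

function buildSelfXssWarning(siteName) {
  // Plain-text headline and body of the warning. Returned as data so the
  // same text can be reused (logged, tested, or shown elsewhere).
  const headline = 'Stop!';
  const body =
    'This is a browser feature intended for developers. ' +
    'If someone told you to copy-paste something here to enable a ' +
    `${siteName} feature or "hack" someone's account, it is a scam and ` +
    `will give them access to your ${siteName} account.`;
  return { headline, body, text: `${headline}\n${body}` };
}

function selfXssWarningArgs(siteName) {
  const { headline, body } = buildSelfXssWarning(siteName);
  // Each %c marks the start of a segment that the next argument styles.
  // Browser consoles apply the CSS; Node's console.log accepts %c but
  // ignores the styling, so the same call is safe in both environments.
  return [
    `%c${headline}\n%c${body}`,
    'color: red; font-size: 48px; font-weight: bold;',
    'font-size: 16px;',
  ];
}

function showSelfXssWarning(siteName = SITE_NAME) {
  // Guard against environments with no console object at all.
  if (typeof console === 'undefined' || typeof console.log !== 'function') {
    return false;
  }
  console.log(...selfXssWarningArgs(siteName));
  return true;
}

// Typical usage: call once, as early as possible, on every page load so the
// warning is already visible when someone opens the console to paste.
showSelfXssWarning();
```

The warning is only a speed bump. The real risk the post describes is the user running attacker-supplied code in their own session, so the warning should sit alongside the usual protections (short-lived session tokens, re-authentication for sensitive actions) rather than replace them.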