by dylan604 1705 days ago
We've always known that using DevTools was a criminal activity. In fact, the sheer number of people using them places this at criminal conspiracy levels. Better start filing those RICO cases against the browser devs. /s
3 comments

The US Government has a STIG (Security Technical Implementation Guide [1], a government-proprietary term for "IT policy") that requires that you disable Dev Tools in IE [2], Edge [3] and Chrome[4]. Their justification (from [1]):

> Information needed by an attacker to begin looking for possible vulnerabilities in a web browser includes any information about the web browser and plug-ins or modules being used. When debugging or trace information is enabled in a production web browser, information about the web browser, such as web browser type, version, patches installed, plug-ins and modules installed, type of code being used by the hosted application, and any back-ends being used for data storage may be displayed

I wish I were making this up.

[1] https://en.wikipedia.org/wiki/Security_Technical_Implementat...

[2] https://stigviewer.com/stig/microsoft_internet_explorer_11/2...

[3] https://www.stigviewer.com/stig/microsoft_edge/2021-02-16/fi...

[4] https://www.stigviewer.com/stig/google_chrome_current_window...

I can think of at least one legitimate reason to block the dev console. There are these posts I've seen over the years that say to "press the hotkey to open the JavaScript console, and paste this JavaScript blob" (obviously in much more persuasive terms) to get a discount on Ray-Bans or something. Disabling it prevents a possible information leak vector.
There's a legitimate reason for doing _almost anything_ - it's a question of likelihood, impact, and knock-on effects.

I can only imagine how much taxpayer money has been set on fire by developers having to debug single-page applications running on these systems without the aid of Dev Tools... these types of material wastages are created in an imperfect attempt to prevent the mere possibility of something that could be more effectively mitigated through training and web content filtering.

I've never seen one in the wild, but I thought it would be interesting to see what they want you to paste into the console; probably something to transmit your session token to them. I know Facebook has a huge warning about it when you open DevTools on their site.
Yeah - they added that warning because of these precise things. I haven't kept one around but I've definitely seen them since I fell for it many, many years ago.
This seems really lazy. Duh, it's gov't, but I'm talking about the attacker. If they can use JS to gather all of that info to display in the console hoping to get a user to read it back to them or whatever, why not just save it all and submit back via ajax?
How dare you do "View Source", you hacker.
What's "view source", some kind of hacking instructions? Sounds like you're abetting.
As long as you're not aiding at the same time. Aiding & abetting is a no-no. Aiding OR abetting is not claimed to be an issue.
You mean Aiding XOR abetting. Consider the forum.
Why does it have to be exclusive? If both are false, then there's no confusion on making a charge. If only one is true, then someone being lazy might think it matches.

Along your lines of considering the forum, wouldn't it need to be aiding && abetting? I don't know how to bitwise compare aiding to abetting.

Counterpoint that might get some attention:

"The Governor is in possession of software on his personal computer that allows him to decrypt the personal details of thousands of constituents who may have voted for or against him."

The "software" being a web browser, of course.

> you hacker

What a "hacker" is is a matter of definition.

But, the fact is the state was using "encryption" with such a level of security that pressing one button on any computer with a browser is all that is required to defeat it.

And I'll bet even the governor has access to this decryption software - he's got it installed on his phone, even! He must be hacking on the go.
Better hope they only used View Source. Could you imagine the federal crime of using curl or wget to retrieve this data?
Some serious Jedi business going on here
That's why at my current client, DevTools in the browser is blocked through Group Policy...

/not sarcasm, I wish I were joking...
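For reference, this is what the Group Policy block described in the comment above amounts to on the endpoint. The following is an added example, not code from the thread or from any of the commenters: it writes the Chrome and Edge `DeveloperToolsAvailability` policy values to the registry keys that Group Policy would populate, then reads them back. The browsers, registry paths and the meaning of the values (2 = disallowed, 1 = allowed, 0 = disallowed only for force-installed extensions) are taken from the browsers' documented policy names; the function names and the check output format are my own. It must be run from an elevated PowerShell prompt.

```powershell
# Added example: enforce and verify the DeveloperToolsAvailability policy
# for Chrome and Edge by writing the registry values Group Policy would set.
# Assumption: both browsers read machine policy from HKLM\SOFTWARE\Policies\...
# Values: 0 = disallowed for force-installed extensions only, 1 = allowed, 2 = disallowed.
$policies = @(
    @{ Browser = 'Chrome'; Path = 'HKLM:\SOFTWARE\Policies\Google\Chrome' },
    @{ Browser = 'Edge';   Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge' }
)

function Set-DevToolsPolicy {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [ValidateSet(0, 1, 2)] [int] $Value = 2
    )
    # Create the policy key if this machine has never had browser policy applied.
    if (-not (Test-Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    New-ItemProperty -Path $Path -Name 'DeveloperToolsAvailability' `
        -PropertyType DWord -Value $Value -Force | Out-Null
}

function Get-DevToolsPolicy {
    param([Parameter(Mandatory)] [string] $Path)
    # A missing value means the browser falls back to its default: DevTools allowed.
    $item = Get-ItemProperty -Path $Path -Name 'DeveloperToolsAvailability' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not set (DevTools allowed)' }
    switch ($item.DeveloperToolsAvailability) {
        0 { 'disallowed for force-installed extensions only' }
        1 { 'allowed' }
        2 { 'disallowed' }
        default { "unknown value $($item.DeveloperToolsAvailability)" }
    }
}

foreach ($p in $policies) {
    Set-DevToolsPolicy -Path $p.Path -Value 2
    '{0}: DeveloperToolsAvailability = {1}' -f $p.Browser, (Get-DevToolsPolicy -Path $p.Path)
}
```

After a browser restart the applied value is visible on chrome://policy or edge://policy, which is the quickest way to confirm the setting took effect on a given machine. Note that this only removes the interactive DevTools panel; it does nothing to stop a user from pasting a script elsewhere or from fetching the page with another tool, which is the knock-on effect the thread is joking about.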