I'm not accusing the author of doing this, but providing a simple base64 encoded blob at the end to run to enable everything would be a pretty easy attack vector, wouldn't it?
For those to lazy to run base64 --decode, here's the result:
// Here's a cake if you thought about inspecting the code before executing it:
let css = 'font-size: 36px; font-weight: bold; color: red';
console.log("%cNEVER paste code you don't understand into the development console.", css);
console.log("%cThis is the best way to compromise your account.", css);
Wow, I had zero idea you could use string substitution for formatting console.log messages. (Although I guess if I'd stopped and thought about it, there had to be something enabling those big scary messages in the console for certain websites...)
> NEVER paste code you don't understand into the development console
Tech companies have long achieved security by simply locking people out of choices that they shouldn't make.
I'm suspecting that Google will soon lock people out of Chrome's developer tools unless they can prove they are a developer (with a certificate that's tied to the website they are debugging)
// Here's a cake if you thought about inspecting the code before executing it:
let css = 'font-size: 36px; font-weight: bold; color: red';
console.log("%cNEVER paste code you don't understand into the development console.", css); console.log("%cThis is the best way to compromise your account.", css);