Facebook monitors your alert() usage
Thursday, 16. July 2009, 13:31:28
facebook, quirks
If you use a bookmarklet on Facebook and it calls window.alert(), it doesn't quite do what you expect. They've re-defined the entire alert() method - it will pop up a box, but it will also behind the scenes send what you tried to pop up to the server!?! Look at Facebook's alert code (shown in an appropriate setting, of course):
Since I routinely use alert() for debugging, should I be paranoid now?
I really wonder what this feature is intended for and whether they actually harvest this data and use it for anything.
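To make concrete what a monitored alert() looks like from the defender's side, here is an added example (not Facebook's code, and not taken from any of the comments below): a wrapper that still pops the box but also reports the text and a stack trace, a small triage filter over the collected reports, and the effect of deleting the wrapper again. It runs under Node on a simulated window; the reporting sink, the probe pattern and the assumption that the native alert lives on a prototype behind the page global are mine, and real browsers differ on that last point.

```javascript
// Added example, not Facebook's code: a monitored alert() of the kind the post
// describes, on a simulated window so it runs offline under Node.
// Assumption: the native alert lives on a prototype object behind the page global
// (that is what makes a later `delete window.alert` show the native one again).

function makeWindow() {
  const proto = { alert: function nativeAlert(msg) { return "box:" + String(msg); } };
  return { proto: proto, win: Object.create(proto) };
}

// Install the hook: show the box as before, but also report the text and a stack
// trace to whatever `report` sends to (here: an in-memory array, not a server).
function instrumentAlert(target, report) {
  const nativeAlert = target.alert;
  target.alert = function monitoredAlert(msg) {
    let stack = "";
    try { throw new Error("alert() called"); } catch (e) { stack = e.stack || ""; }
    report({ message: String(msg), stack: stack });
    return nativeAlert.call(target, msg);
  };
}

// Server-side triage of the reports: alert(1) / alert('xss') are the strings an
// injection probe surfaces first; everything else is probably ordinary debugging
// (the bookmarklet use case the post starts from). Pattern is an assumption.
const PROBE_PATTERN = /^(?:1|xss)$/i;
function probeReports(list) {
  return list.filter((r) => PROBE_PATTERN.test(r.message.trim()));
}

// Deleting the own property exposes whatever sits further up the chain. This only
// restores a native alert when the hook is an own property shadowing it.
function restoreNativeAlert(target) {
  delete target.alert;
  return target.alert;
}

function demo() {
  const { proto, win } = makeWindow();
  const reports = []; // constructed sink standing in for the server endpoint
  instrumentAlert(win, (r) => reports.push(r));
  win.alert("debug: step 3 reached"); // ordinary debugging, still reported
  win.alert(1);                        // the classic probe string
  const flagged = probeReports(reports).map((r) => r.message);
  const restored = restoreNativeAlert(win) === proto.alert;
  win.alert("after delete");           // native again, no longer reported
  return { total: reports.length, flagged: flagged, restored: restored };
}

console.log(demo());
```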
dbloom # 16. July 2009, 14:37
fearphage # 16. July 2009, 14:52
Originally posted by hallvors:
You could use dragonfly, no? It has a command-line like firebug. Any reason you don't use that?
Chas4 # 16. July 2009, 15:32
Anonymous # 16. July 2009, 15:45
It might be to track malicious code / phishers. That's still pretty creepy.
d.i.z. # 16. July 2009, 15:53
Originally posted by Chas4:
Execute native alert.
Anonymous # 16. July 2009, 15:56
If you're writing a bookmarklet, just do:
delete window.alert;
This will remove their implementation and you are free to call alert() as before without them capturing it.
Anonymous # 16. July 2009, 16:21
The biggest problem Facebook faces is malicious and spammy apps that degrade the service.
JS is a huge attack vector for spammy sites. It makes sense that they would a) allow alerts but b) monitor.
Trust but verify, as Reagan used to say.
Anonymous # 16. July 2009, 16:50
question to you the inventor of this "phisher" or whichever your small brain conjures up,..is how far do you want to take this..with our tools we can trace your location easily..and neutralize your stupidity...which way do you want to take this..think....G.GRP300
hallvors # 16. July 2009, 17:14
Originally posted by fearphage:
Well, I did use Dragonfly until the weird thing I was debugging claimed to run out of memory and stopped connecting to it :-p
Even though Dragonfly is quite sweet by now, window.alert() boots up a bit faster, don't you think? For some small debug tasks it's still a good tool
Anonymous # 16. July 2009, 18:11
if DF was like firebug - ie. always active and NO reload of pages, then alerts would be obsolete..
but well, it isnt. when it will behave like firebug?
Anonymous # 16. July 2009, 18:12
no. i hate windows alert. It gives you that annoying system bell designed to tell you that you are using the computer like a retard.
Anonymous # 16. July 2009, 18:39
Alert() is a lousy way to debug, since it changes page focus - it'll fire off blur handlers.
Anonymous # 16. July 2009, 19:24
maybe they use it for hard errors
maybe they track it to know if they're in trouble
hallvors # 16. July 2009, 20:43
Originally posted by anonymous:
Change your browser.. or sound settings
As always: choose the right tool for the job. Dragonfly or Firebug or window.alert().
Anonymous # 16. July 2009, 22:36
this is probably to catch XSS holes early. one of the first thing many XSS crackers test with is an alert() - it tells them right away if they've found a place they can execute javascript. then they can continue on with their actual maliciousness. of course this would only catch the most unsophisticated ones, but that would certainly be useful.
Anonymous # 17. July 2009, 02:56
I think the purpose of this Facebook code is pretty clear. It has nothing to do with stopping your bookmarklets from working. This makes it painfully obvious that Facebook developers tend to use alert() in their debugging. I'm sure that in their development environment, these are popping up everywhere. My suspicion is that this code is inserted when the site is pushed live to ensure that no ugly alerts get displayed to the user. Instead, they're logging the debug information back to their servers so they can track any issues in production. It's a bit of a sideways attempt at the JavaScript error logging process that I typically recommend, but it does kill two birds with one stone.
Anonymous # 17. July 2009, 03:27
I can confirm this is an XSS detection technique. When I was actively working at finding exploits of Facebook's application platform (see http://stuff.mit.edu/iap/2008/facebook/ for details) one of the first ones I found got me a PM from one of their security team people encouraging me to look for any further exploits I could find. It took me a little time to figure out this was how they were doing it (I was also sending them to some @facebook.com address, so it wasn't clear whether they were getting them in that manner or not), but it was pretty cool when it became clear what they were doing. I've seen this basic trick documented a few different places since then, and I imagine it's a fairly common thing to do these days on most security-conscious websites.
hallvors # 17. July 2009, 10:54
sigbjornfinne # 20. July 2009, 04:59
Perhaps this is a last-line-of-defense for the alert() usages that FBJS doesn't manage to rewrite/elide from script sources? FB platform devs will hopefully shed some (real) light on why.
Anonymous # 20. July 2009, 11:46
Sneaky.
Here's a bit of User JS to prevent alert() from being modified, and to report modification attempts. It can be circumvented, though, if the site really wants to.
(function() {
var orgAlert = alert;
// Save the original 'alert' before any script has been able to
// alter it.
window.__defineSetter_alert;
} catch (e) {
opera.postError(e);
orgAlert(e);
};
});
window.__defineGetter_alert # 20. July 2009, 11:53
Hmm... apparently the Opera Blog has the same bug as the Opera Forum (DSK-258593). Here is my posting again, with some work-around spaces.
Sneaky.
Here's a bit of User JS to prevent alert() from being modified, and to report modification attempts. It can be circumvented, though, if the site really wants to.
(function() {
    var orgAlert = alert;
    // Save the original 'alert' before any script has been able to
    // alter it.
    window.__defineSetter__( "alert", function(val) {
        var trace;
        // Throwing and catching an error so that we have a stack trace.
        try {
            throw new Error("Attempt to modify alert\n");
        } catch (e) {
            opera.postError(e);
            orgAlert(e);
        }
    });
    window.__defineGetter__( "alert", function() {
        return orgAlert;
    });
})();
Strangely enough, this has the side effect that when you enter javascript:alert('foo') in the URL bar, a "type mismatch" error is raised, but if you enter javascript:var a = alert; a('foo') , it works. That sounds like a bug in Opera.
Anonymous # 21. July 2009, 14:01
Facebook is a load of shit anyway do not use
Anonymous # 10. August 2009, 05:25
I'm like..like crazy
Nofta # 14. October 2009, 09:47