Browser developer tools are super-handy, allowing you to do all sorts of wonderful things to the sites you visit. All good things, of course. But, through social engineering, these tools can be used for evil. Turns out this was enough of problem for Facebook to stick a very visible warning in the website’s source code.
Seeing the message yourself is easy (as was intended). In Chrome, just right-click anywhere on a Facebook page and select “Inspect”, while Firefox users should click “Inspect Element”. If you’re worried about security, it also works when you’re logged out. Then, select the “Console” tab in the window that pops up.
Here’s the warning in Chrome:
If you can’t see the images, basically, the word “Stop!” in giant letters (red in Chrome, ASCII in Firefox) and this warning are sent to the console:
This is a browser feature intended for developers. If someone told you to copy and paste something here to enable a Facebook feature or “hack” someone’s account, it is a scam and will give them access to your Facebook account.
There’s also a link to Facebook’s help centre that explains how exactly developer tools can be used to hack your account or scam you.
It’s called “Self-XSS”, because you essentially hack yourself:
A Self-XSS scam on Facebook tricks you into compromising your account by claiming to provide a way to log into someone else’s Facebook account, or some other kind of reward, after pasting a special code or link into your web browser. You might see this message on a friend’s timeline after their own account was compromised by the scammer. Never click a link on Facebook that goes to a website you don’t know and trust.
Of course, the code doesn’t do what it promises, usually compromising your Facebook account — or worse. Warnings such as this are a clever way to save people from screwing themselves over.
Chrome's Developer Tools are great for diagnosing or fixing problems with websites — even if you're not a web developer. That said, you don't need to know how to do everything with the browser's tools, but there are a couple of useful tricks that are good to know.Read more
What is a Self-XSS scam? [Facebook]