
I have looked at every answer on this page, as well as links, and nothing seems to work. I have a variable score which I can still change using the console, so I need to fix that. How does Facebook disable the browser's integrated Developer Tools?

Does anybody know a clear-cut way to disable users using the console?

FYI, this seems to be a popular answer. I put this in as is and still nothing:

```javascript
(function() {
    try {
        var $_console$$ = console;
        Object.defineProperty(window, "console", {
            get: function() {
                if ($_console$$._commandLineAPI)
                    throw "Sorry, for security reasons, the script console is deactivated on netflix.com";
                return $_console$$
            },
            set: function($val$$) {
                $_console$$ = $val$$
            }
        })
    } catch ($ignore$$) {
    }
})();
```
  • 1
    You're not going to be able to avoid people replacing a score value with their own value. It's just not possible. If this is for a game, the only way you can have safe score values is to run the entire game on the server and only allow the client to provide to the server input that they could otherwise achieve by normal means with the keyboard etc. – Marty Jun 23 '16 at 02:20
  • It is possible. Facebook, Netflix, Instagram, Google: they have all been able to do it –  Jun 23 '16 at 02:21
  • 1
    What do you do with the score? Send it to a server somewhere when you're done? How are you going to prevent tampering at that point? – Marty Jun 23 '16 at 02:22
  • Does this answer help: http://stackoverflow.com/questions/7533590/declaring-protected-variable-in-javascript – marblegravy Jun 23 '16 at 02:22
  • Sorry, it doesn't, @marblegravy –  Jun 23 '16 at 02:25
  • The score (changed to money now) is submitted to a server once every 10 secs and nothing is done at the point if it's not a top score. Basically it's a leaderboard-type thing, but since there are real money prizes given out to the top 3 leaders every week, it's really important that the console be disabled –  Jun 23 '16 at 02:26
  • @JoséphFlames = right, and how will you stop someone writing a browser plugin that allows the changing of scores? (assuming you're successfully able to block console access) – enhzflep Jun 23 '16 at 02:28
  • Once the console is disabled I can write a program that alters every request from my machine to your server so that the score is increased. – Marty Jun 23 '16 at 02:28
  • 1
    You might want to re-read the answers in the link you posted in your question. Alf's answer explains why the _commandLineAPI approach no longer works. – RJM Jun 23 '16 at 02:29
  • Well @Marty, I highly doubt people playing games are that technically inclined or willing to go through the trouble for a few kreds on their acct, so it's not a huge concern, but atm I'm trying to eliminate what issues I can, and currently the console is one –  Jun 23 '16 at 02:31
  • I think you're underestimating how many 14 year old wizards there are (the target audience of a browser based game) these days that will pick your "security" apart in under 60 seconds. – Marty Jun 23 '16 at 02:32
  • It doesn't seem that Facebook has managed to disable the console. I just went to FB in Chrome, and I can open the console and execute code just fine. – RJM Jun 23 '16 at 02:33
  • Just believe me when I say with 100% certainty that the only way to avoid tampering with the scores is to run the game on your server. That way the score is never available to the client in the first place. – Marty Jun 23 '16 at 02:34
  • The game and the API are written in JavaScript :/ –  Jun 23 '16 at 02:34
  • 1
    [Node](https://nodejs.org/en/) uses JavaScript, so that's perfect. – Marty Jun 23 '16 at 02:39
  • 2
    @JoséphFlames The general rule is that anything that must be tamper-proof must be done on the server, not the client. Even if you can block the console, someone could just use a `curl` command to send a message to your server with bogus data. – Barmar Jun 23 '16 at 02:45
  • @Marty - that program has already been written....you can do that with Fiddler. http://stackoverflow.com/questions/28326215/how-to-modify-a-request-in-fiddler – RJM Jun 23 '16 at 02:46
  • @JoséphFlames Did you bother reading the answer you linked to? They explain that the technique they used has since been disabled in Chrome. – Barmar Jun 23 '16 at 02:46
  • 1
    To quote from that answer: *The Chrome team decided that defeating the console from user-side JS was a bug and fixed the issue, rendering this technique invalid.* – Barmar Jun 23 '16 at 02:47
  • 1
    I just checked both Facebook and Netflix to determine the veracity of your claim. Neither Facebook nor Netflix block access to the developer tools in the current version of Chrome. Facebook does output some log messages as a warning to potential users, but the console is still functional. Any security of data is being performed server side, not client side, as has been mentioned multiple times here. – Claies Jun 23 '16 at 05:46
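
The server-side design the comments describe, as an added example that is not part of the original thread: the client sends only input events, and the server decides what each is worth and whether it arrived at a plausible rate. The `GameSession` class, the reward table and the rate limit are assumptions made for illustration.

```javascript
// Hypothetical game rules, held only on the server (Node.js).
const REWARDS = Object.freeze({ click: 1, bonus: 5 }); // assumed reward table
const MAX_INPUTS_PER_SECOND = 10;                      // assumed human limit

class GameSession {
  constructor() {
    this.money = 0;     // authoritative total, never read from the client
    this.rejected = 0;  // inputs the server refused
    this.recent = [];   // server receipt times within the last second
  }

  // `input` is untrusted JSON from the client; `nowMs` is the server clock.
  applyInput(input, nowMs) {
    const type = input && typeof input.type === "string" ? input.type : "";
    // Only event types listed in the server's own table earn anything.
    if (!Object.prototype.hasOwnProperty.call(REWARDS, type)) return this.reject();
    // Sliding one-second window based on when the server received the input.
    this.recent = this.recent.filter((t) => nowMs - t < 1000);
    if (this.recent.length >= MAX_INPUTS_PER_SECOND) return this.reject();
    this.recent.push(nowMs);
    this.money += REWARDS[type]; // the value comes from server rules only
    return true;
  }

  reject() {
    this.rejected += 1;
    return false;
  }
}

// Constructed sample traffic: an honest player, then a modified client.
function demo() {
  const honest = new GameSession();
  for (let i = 0; i < 5; i++) honest.applyInput({ type: "click" }, i * 200);

  const tampered = new GameSession();
  // Extra fields such as `money` are ignored; there is no score to overwrite.
  tampered.applyInput({ type: "click", money: 999999 }, 0);
  // Event types the server does not know carry no reward.
  tampered.applyInput({ type: "jackpot" }, 10);
  // 100 clicks inside 100 ms are cut off by the rate limit.
  for (let i = 0; i < 100; i++) tampered.applyInput({ type: "click" }, 20 + i);

  return { honest: honest.money, tampered: tampered.money, rejected: tampered.rejected };
}
```

The leaderboard then reads `session.money` on the server, so whatever is edited in the console or in the outgoing request cannot raise the total beyond what accepted inputs are worth.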

0 Answers