[HN Gopher] Tell HN: MailChimp blacklists your IP if you open th...
___________________________________________________________________
Tell HN: MailChimp blacklists your IP if you open the browser's dev
tools
Anyone else noticing this while editing an email? It seems just
crazy.
Author : pupppet
Score : 456 points
Date : 2023-03-20 17:56 UTC (5 hours ago)
| djbusby wrote:
| When you open devtools, by default it will try to load source
| code maps for your JS and CSS.
|
| Very simple for a system to detect the request for the map file.
|
| If that's their vector, turn off the autoloader and try from a
| clean IP.
| chatmasta wrote:
| Similarly, here are some techniques for debugger detection [0].
| I've seen some crypto mining malware in the wild that did this
| to make deobfuscation more difficult.
|
| [0] https://x-c3ll.github.io/posts/javascript-antidebugging/
| bilekas wrote:
| This is interesting as for a hackathon I was thinking of ways
| to identify this behavior too.
|
| The source map requests were a more successful option. Also
| played around with "snap" resize but it was too aggressive.
|
| Whatever the reason, MailChimp blocking your IP is pretty
| ridiculous.
| status200 wrote:
| I can only imagine the amount of security pressure they feel
| since they are basically a backdoor into easily stealing one
| or more company identities once you pass the 2FA, with full
| address books of customers that will trust emails deployed
| through MC campaigns and blindly click on links in the emails
| sent out, so I am guessing they err on the side of caution
| and have tons of false positives instead of letting anything
| pass through or disrupt.
| zamadatix wrote:
| Interesting to note. In Firefox "show original sources" seems
| to be enabled by default but in Chrome at least the settings
| checkbox is labeled "Allow DevTools to load resources, such as
| source maps, from remote file paths. Disabled by default for
| security reasons" and unchecked for me. Haven't checked Safari
| to see what its behavior is.
| djbusby wrote:
| Hmm, I'm on Chrome 111 on Linux and there are two boxes for
| loading maps - one for JS and one for CSS.
|
| Could yours be a Windows Group Policy from $WORK?
| zamadatix wrote:
| I have 3 boxes: "Enable JavaScript source maps", "Enable
| CSS source maps", and "Allow DevTools to load resources,
| such as source maps, from remote file paths. Disabled by
| default for security reasons". The first 2 are checked but
| without the 3rd trying to load source maps doesn't seem to
| do anything unless I have them locally. It's very possible
| I'm just testing it wrong, I don't use source maps often.
| It's also very possible Firefox does something similar and
| I'm just overlooking the option/behavior there.
| djbusby wrote:
| Our Chrome are the same - and load the maps by default.
| iudqnolq wrote:
| Unfortunately console.log(foo) calls foo.toString() if and only
| if the console is open, and there is no way to disable this in
| Chrome or Firefox.
|
| Edit: You can redefine console.log to be a noop, but that's
| also detectable.
| joeframbach wrote:
| Theoretically you could also write a bookmarklet that could
| inspect or modify globals. Or a greasemonkey script.
| iudqnolq wrote:
| You could also fork Chrome.
| quickthrower2 wrote:
| You could also fuck Mailchimp
| pupppet wrote:
| I had to use their silly drag-and-drop email builder because I'm
| handing the email off to be edited by a non-dev. I dropped in a
| "Code" module so I could add some custom CSS but because a style
| tag generates no space, that module is no longer accessible via
| the UI as there's nothing to click on. So I thought oh brother
| I'll just inject a couple br tags via the Inspector and then
| poof, I'm in the doghouse.
| temp12192021 wrote:
| https://sindresorhus.com/devtools-detect/
|
| https://github.com/sindresorhus/devtools-detect
|
| EDIT: doesn't seem to work if I have devtools as a separate
| window
| kxrm wrote:
| I just turned on responsive mode in Firefox to fool it.
| Definitely not reliable.
| lewisl9029 wrote:
| Vertical tabs in Edge seem to trigger false positives on
| this. Really hope that's not the only heuristic they're
| using.
| ajot wrote:
| Same goes for Sidebery in Firefox, but then it changes to
| "no" if I do open the Dev Tools. As a non web-dev, this
| behaviour is truly weird.
| Nullabillity wrote:
| Tree Style Tab is apparently detected as vertical dev tools,
| and opening the horizontal dev tools _changes it to no_. This
| is kind of hilarious.
| deathanatos wrote:
| ... that incorrectly detects devtools as open, when it isn't
| (false positive), and fails to detect devtools when it is
| open in a separate window (false negative)...
|
| Yeah, as other posters hint at, vertical tabs. But it isn't
| just vertical tabs that'll trigger it, _any_ sidebar will,
| including native/vanilla ones; AFAICT it's just looking at
| the client area being less than the window by some threshold.
| wolpoli wrote:
| It detects Microsoft Edge's Sidebar too, which opens on
| hover. It's going to create a lot of false positives.
| riz_ wrote:
| False positive in the Arc browser, no devtools open.
| Retr0id wrote:
| Rather than it being dev tools itself, I think it's more likely
| that your injected <br> tags got POSTed to an API endpoint (or
| similar) in unescaped format, and were categorised by a WAF as
| attempted XSS. It's common for WAFs to block you for this kind
| of thing, unfortunately.
|
| Still ridiculous, but not quite the same thing as being banned
| for opening dev tools (of course, I am also speculating here, I
| guess we'd need to hear from mailchimp to be sure).
| pupppet wrote:
| Actually just opening the dev tools triggers it. The
| blacklist seems to expire on its own so I went ahead and
| opened the dev tools and did nothing more, reloaded, blocked.
| dylan604 wrote:
| This is interesting as something I've never thought about.
| What signaling to the server does the browser do when
| devtools are opened, and I guess I have to ask why is it
| signaling to the server anything at all if it is?
|
| Edit: I see that people have replied with answers to this
| further down the page
| [deleted]
| justinclift wrote:
| Hopefully it doesn't have a "lets permanently ban this
| repeat offender" thing. (!)
| breakingrules wrote:
| After a few weeks inside their API, sounds like a solution
| Intuit's developers would come up with.
| mandeepj wrote:
| So, use Tor browser or a VPN tunnel!
| eminent101 wrote:
| Isn't this spying on the user without user's consent? Me opening
| dev tools to view the source is a private activity. Is it okay to
| collect this kind of info and use it to block access? Are there
| no regulations against this?
| AlchemistCamp wrote:
| If it were a "private activity", they wouldn't know you did it.
| If your computer sends requests to their server about it, then
| it's not really fair of you to expect them not to be aware of
| it.
| eminent101 wrote:
| Does the computer really send requests to their server when I
| open dev tools? I checked and I couldn't find any request
| that was sent from Firefox or Chrome when I opened dev tools.
|
| Aren't they using a JavaScript based detection mechanism like
| listening for browser events on the client side or latching
| on to debugger to pull this information? Sounds to me like
| they are going out of their way to pull private information
| from my system that I or my system or my browser had no
| intention of sharing with them.
| jibe wrote:
| Check your console instead of the network tab - it will
| load css.map and js.map files. I never noticed until now,
| but .map requests don't show in the network requests.
| javajosh wrote:
| _> Isn't this spying on the user without user's consent?_
|
| Yes.
|
| _> Is it okay to collect this kind of info and use it to block
| access?_
|
| No. It's not okay.
|
| _> Are there no regulations against this?_
|
| Probably not. In this case the remedy is to just use another
| service, or DIY. And I also think that's a pretty reasonable
| remedy, which will send a message to others considering such
| actions.
|
| FWIW I would like to see regulations around intrusive spying on
| client machines via the browser or any other path. Ideally we'd
| get new, specific legislation around it. Something might also
| be done at the executive level at the FCC. Legislation is
| unlikely because of America's current flirtation with 3rd world
| style politics.
|
| In terms of advocacy, I would assume that the EFF is of a
| similar view. Other human rights groups would be supportive of
| such measures, since in addition to protecting consumers, they
| protect journalists and their sources as well. The people
| against will be state security services and all businesses
| powered by a targeted ad engine.
| JohnBooty wrote:
| I'm not defending MailChimp (this devtools thing is pretty
| awful) but "just DIY it" is a bit glib. DIY'ing what
| MailChimp provides is... a lot.
|
| I wrote a sort of "DIY MailChimp" for a marketer back in the
| ancient days of the early 2000s. I did the tracking and email
| content bits.
|
| I did not handle the email servers themselves. Lot of work
| staying off of blacklists. It was something close to a
| fulltime job back then, and from what folks have told me it
| might be more like multiple fulltime jobs these days. Lots of
| anti-spam regulations to adhere to, and one or two false
| steps and you're going to wind up in an absolute hell where
| other email providers (Yahoo, Gmail, whoever) are not going
| to talk to your servers.
|
| Also need to figure out email templates that render
| consistently across webmail providers and browsers and mail
| clients. That is also a loooot.
|
| Making a consumer-friendly UI like Mailchimp is another
| massive task, but I guess you can skip that for your "DIY"
| solution.
|
| Again, I'm not defending Mailchimp. I hope I never have to
| dip my toes into this area again. It is hell.
| javajosh wrote:
| The users of mailchimp don't need to make another
| mailchimp. They just need to handle their own email needs.
| That's a big difference. It's still not easy, and I would
| never be glib about it, especially since I've never run my
| own mail server on my own domain name before.
|
| But...several full-time jobs? How much mail do you need to
| send before postfix on a $5 VPS falls over? In terms of
| composing html mail that looks good, that would take some
| time to learn. A day to get something passable, especially
| with LLM help? As for tracking, I am against image/pixel
| tracking in emails, I think it undermines trust, so I
| wouldn't implement it (or use it).
| kxrm wrote:
| > But...several full-time jobs?
|
| I think it depends on how important delivery is to your
| business. If your business team expects near 100%
| delivery and they want all the tracking features that
| give them insight into their promotional campaigns, then
| running email promotions on your own is quite a steep
| hill to climb.
|
| I run my own MTA on my own domain and only use it for
| verification purposes and I still have to fight with the
| free email providers every few weeks. It's definitely not
| a full-time job but I also have the joy of just not
| caring if a user doesn't get an email from my system.
|
| I agree with you somewhat that people reach for mass mail
| services too quickly sometimes but I also understand the
| perspective of engineers who have things like deadlines
| and other work to do where if I have the choice of
| working on truly new things to help grow the business I
| work for or handling email logistics, I know where I will
| point my company.
| karaterobot wrote:
| I don't know how they're doing it, but I assume they're using
| data given to them by your browser, e.g. measuring the
| difference in height/width between the window and the viewport.
| Either that, or (as someone upthread suggested) they're reading
| a request your browser sends for mapping files, which would
| again be information you provided. If anything, I guess your
| browser is the one spying on you, by providing this
| information. But, realistically, I don't think it counts as
| spying either way. Hostile behavior on Mailchimp's part, yes.
| Dumb idea, yes.
| xkcd1963 wrote:
| Hackers are always three steps ahead, what's the point?
| ravenstine wrote:
| I was thinking the same thing. If I was intent on using the dev
| tools for who knows what with MailChimp, it would merely be a
| roadblock. I might even be more compelled to achieve my goal
| just to defeat their bullshit.
|
| Not that I would ever use MailChimp.
| taf2 wrote:
| Fascinating. I encourage customers to use the dev tools to
| discover and see how to work with our APIs.
| yakubin wrote:
| That's unfortunate. My muscle memory sometimes makes me open
| DevTools even unintentionally when I try to copy text and press
| Ctrl+Shift+C.
| schappim wrote:
| This is problematic.
|
| We had to contact Mailchimp on March 7th regarding their flawed
| implementation of CKEditor.
|
| To demonstrate the issue, we sent them a screencast[1] (in the
| video we opened dev tools).
|
| We requested and were provided with a refund, per my other
| comment on this thread. The content of the request was created
| using GPT (although the prompt history is not available, it can
| be reverse engineered).
|
| The email sent and reply to the email are available[2].
|
| I'm adding this comment to highlight the very reasonable fair use
| of opening up dev tools to try to work out what is going on.
|
| [1] https://files.littlebird.com.au/Screen-
| Recording-2023-03-08-...
|
| [2] https://files.littlebird.com.au/Screen-
| Shot-2023-03-21-at-8....
| 1970-01-01 wrote:
| https://mailchimp.com/about/security/#Protecting_Ourselves_A...
|
| >Yes, you heard that correctly. We can secure ourselves like Fort
| Knox, but if your computer gets compromised and someone gets into
| your Mailchimp account, that's not good for either of us.
|
| So mailchimp is SOC2, ISO, PCI, etc. and still gets worried about
| themselves if a _user_ account is hacked.
| dylan604 wrote:
| Reading further down that page...
|
| "We retain a law firm in the UK to consult on EU privacy
| issues."
|
| Wouldn't it be better to retain a law firm that's actually in
| the EU? Hiring a UK law firm for EU matters is no different
| than hiring a US law firm, or AUS, or whatever non-EU country.
| jkaplowitz wrote:
| While that is true in the sense that the UK is no longer in
| the EU, I don't believe UK law has yet diverged from EU law
| on any relevant privacy issues, so UK firms would still have
| significant experience in this area. A firm within the EU
| would be a better choice, I agree.
| NoboruWataya wrote:
| Also, a lot of international companies will just retain an
| international law firm headquartered in the UK for
| everything. That law firm will have offices all over the
| world, including in several EU jurisdictions, that they
| will outsource to when necessary to advise on EU legal
| issues.
| pxeger1 wrote:
| The UK is subject to the UK GDPR, which has no material
| differences to the EU GDPR. There are probably some other
| differences, but the UK is much better than USA or Australia
| etc. (Although I'm surprised there aren't USA-based law firms
| which specialise in European privacy laws, because of their
| impact on tech companies)
| pupppet wrote:
| Just an update, it's definitely triggered by the act of looking
| for JavaScript source maps. If I disable that in Chrome I can use
| developer tools without issue.
| adamsb6 wrote:
| Mail... kimp?
| crad wrote:
| Should try out AWeber.com </shameless-plug>
| Kiro wrote:
| Can anyone else than pupppet confirm this?
| amyjess wrote:
| This is worrying since I have accidentally opened dev tools
| hundreds of times by clicking both mouse buttons when my cursor
| is near the bottom of the screen.
|
| I have a tic disorder (not Tourette's, because my tics are all
| nonverbal). One of my tics is that I mash both mouse buttons over
| empty space pretty frequently. I even go out of my way to keep my
| cursor positioned over empty space so I can mash the mouse
| buttons when I need to, and it's not uncommon for me to move the
| cursor while mashing the buttons. If the cursor is towards the
| bottom of the screen, that's pretty much guaranteed to open dev
| tools, since all it takes is a small motion of the cursor with
| the right-click menu open to hit the 'Inspect' option.
| barbs wrote:
| I wonder if there's a plugin that could remove the context menu
| entry.
| millzlane wrote:
| May not need one for firefox. Disable
| devtools.inspector.enabled in about:config.
| millzlane wrote:
| It's incredibly easy to do on a MB pro with a touch bar if you
| keep the function keys visible and tap the minus key with an
| open and relaxed hand. I preface my notes with -- and == so I
| do it fairly often.
| myself248 wrote:
| Likewise I hit F12 all the damn time because I'm aiming for the
| Home key, which is undersized on my keyboard, and they're right
| next to each other.
|
| Great, now I need to wait 8 seconds while my browser re-renders
| some 40-meg page which could've been plain text.
|
| On the other hand, if I ever think about using MailChimp to
| send spam, I hope someone would just come cut my hands off,
| then I won't need to care about hitting the wrong keys.
| sam0x17 wrote:
| I regularly instruct users to open dev tools to clear their
| site-specific cookies because there doesn't seem to be a way of
| doing this without clearing _all_ cookies anymore other than in
| Dev Tools > Application
| [deleted]
| 0x0000000 wrote:
| Not sure what browser you're referring to, but Firefox still
| allows you to clear site-specific cookies by clicking on the
| button to the left of the URL (usually a lock icon since most
| things are https these days)
| leephillips wrote:
| Vivaldi, too; so, I guess, Chrome?
| Stratoscope wrote:
| The same thing works in Chrome and Edge too.
|
| You can also do it in Settings: type "cookies" in the
| search box and it will list both an option to clear all
| data and an option for site-specific data.
| eternityforest wrote:
| This is why I despise gestural focused computing. Of all the
| features in any software, I think my least favorite is pull-to-
| refresh.
|
| I suspect that would be easy to solve with smarter context
| menus that could ignore clicks likely to be accidental, since
| "Accidentally clicking the thing that just popped up before you
| even see it" is a common-ish mistake worth implementing
| workarounds for.
| serf wrote:
| >I even go out of my way to keep my cursor positioned over
| empty space so I can mash the mouse buttons when I need to
|
| I have severe and sporadic clonus in my mousin' arm. I do
| exactly the same thing when I need to keep my hand on the
| mouse.
|
| Another thing that I have done off-and-on to accommodate certain
| software is to have my keyboard or mouse 'toggled' off and on
| with an autohotkey (or equivalent) script. If I need to rest or
| wait for something with my hands on the hardware then I toggle
| the thing off with an easy-to-reach hotkey of some sort until
| I'm ready to _actually_ type/mouse.
| trasz3 wrote:
| Company in spam sending business does other unethical things, how
| surprising.
| yawnxyz wrote:
| Whoa I've done it many times on MailChimp to correct my
| newsletters.
|
| Sooner or later I'll end up on their blacklist. Ugh.
| DueDilligence wrote:
| [dead]
| klabb3 wrote:
| Couple thoughts:
|
| 1. Correctly designed dev tools shouldn't be detectable from the
| app itself, especially not if the tools are passively used for
| observing. This can be abused by malicious actors who can make it
| harder to detect and warn others. It can also cause heisenbugs.
|
| 2. One of those malicious actors is apparently Mailchimp. I don't
| use it so I'm not affected. But from a meta-perspective it's
| concerning when direct user-hostile actions are normalized by
| what most people consider "legit companies". The same could be
| said about fingerprinting and many other tricks.
|
| 3. Meta-meta point: if you're running a business that does this,
| the open web is not for you. You don't belong, and you should try
| building your own proprietary stack instead. I don't mind wolves,
| but please stop dressing in sheep's clothing. There's a paradox of
| tolerance at play here.
| aendruk wrote:
| Reminds me of my experiences with UnitedHealthcare's website. If
| I try to log in with Firefox + uBO I get mysterious permissions
| errors and "something went wrong" messages for the next few
| hours, even after switching browsers. Use Chromium from the
| beginning though and it's smooth sailing. And of course their
| "tech" support is beyond useless about this.
| hirundo wrote:
| That website only works on Chrome for me, it doesn't let me
| login on Brave ... which is a flavor of Chromium, right?
| throwway120385 wrote:
| UHC is one of my poster children for how you can structure a
| corporation to completely absolve both parties of any
| responsibility for anything.
| lotsofpulp wrote:
| Lots of websites make me disable content blockers on Safari
| too, or even not let me use Safari (maybe because of Apple's
| Private Relay?).
|
| The part I do not understand is even websites that verify you
| via 2FA do this, so I assume their goal is to track you no
| matter what.
| akira2501 wrote:
| In the general case, I assume it's mostly just bad coding
| practices, and developers not testing how their site performs
| with an ad or cookie blocker active.
| 1123581321 wrote:
| That's an anticompetitive move. If you need to switch senders for
| some reason, the inspector is the only clean way to get an
| email's HTML into another ESP.
| rvnx wrote:
| Could it be that MailChimp considers this move (copying their
| HTML template used with your e-mail content) to be copyright
| infringement?
| htag wrote:
| Is that true?
|
| An email client like Thunderbird or Mail will save a copy of
| the email on your local hard drive, which will include the
| HTML. This isn't something I do regularly, but it would be my
| first response if I needed to see the HTML of an email. Maybe
| Mailchimp has protections against this route too?
| 1123581321 wrote:
| Yes, it's true. You don't want all the chrome from the actual
| send around the body of your email because the other ESP will
| be providing that. You might also want to prevent certain
| fields and links from converting into the send versions. But
| in a pinch, sure, you could slice the body out of a copy in
| Thunderbird.
| ben174 wrote:
| Can you just view the RAW email body after it's sent?
| tobr wrote:
| Makes no sense. If you're considering switching to a different
| provider, getting blocked makes it impossible to continue to
| use the service?
| 1123581321 wrote:
| Yes it does. Say you're an agency sending email on behalf of
| several different organizations. If you export one to send
| through CampaignMonitor (usually list or domain approval
| related), the employee who pulled the HTML gets their hand
| slapped by the IP ban. It's less likely to happen next time
| with a different campaign or different client. I haven't
| actually experienced the IP ban but I've sent for the same
| organization through multiple ESPs without quitting one for
| good.
|
| Even if you are a single organization user and leaving for
| good, you might do so gradually or perform test sends first.
| Speaking from experience again.
| quickthrower2 wrote:
| Tampermonkey
| srejk wrote:
| If it's detecting resize/sidebar, does the new "Search Google for
| foo" sidebar window trigger it too?
| runlevel1 wrote:
| Sure does!
|
| Give it a try: https://sindresorhus.com/devtools-detect/
|
| For some reason it failed to flag it for one of my attempts,
| but it consistently flagged it for all the others.
| moduspol wrote:
| It's pretty common as an account hijacking vector, right?
|
| Hackers tell non-techies to paste things into the console, which
| can then share cookies or access tokens with the attacker.
|
| Obviously the browser is "owned" by the client, so a sufficiently
| motivated techie could bypass this any number of ways. But it
| prevents some number of non-techies from security issues.
| is_true wrote:
| In that case you take Facebook's route and show a message when
| you open the console.
| ars wrote:
| You can print debug messages to the console to warn people. The
| website has no idea if they opened it or not.
|
| But here, it seems they are detecting if the window is resized!
| That's just crazy.
| kull wrote:
| I am using dev tools when editing templates in mailchimp
| interface code editor. Did not get banned yet.
| schappim wrote:
| I used ChatGPT to get a refund from Mailchimp when their CKText
| editor failed to load on International Women's Day, preventing us
| from sending an email promotion that day.
|
| I opened the web inspector to show the library erroring when
| Mailchimp tried to load it, and also provided a screencast.
|
| I wasn't blocked, but I did receive a refund.
|
| So this must be a relatively new thing!
|
| If I were the OP, I would complain and request a refund.
| xkcd1963 wrote:
| I don't understand why those strange people at hackernews
| downvoted you. I guess using ChatGPT makes them scared.
| benatkin wrote:
| It's a nice story but missing some details that the sibling
| comment to yours requested.
|
| I can haz prompt pls schappim?
| schappim wrote:
| I have added the output. Don't have exact prompt, but you
| could reverse engineer it. Eg:
| https://files.littlebird.com.au/Screen-
| Shot-2023-03-21-08-34...
| benatkin wrote:
| Thanks! That's even better haha.
| UberFly wrote:
| He meant ChadGPT. I guess some people aren't ready for the
| New Jersey bro AI shakedown.
| robertlagrant wrote:
| ChadGPT, give me an arms-only workout pep talk in the style
| of David Goggins to maximise my grindset.
| schappim wrote:
| For the folks that are asking for the prompt, I'm afraid
| conversation history is not working at the moment. I can
| however provide you with the output:
|
| We experienced a technical issue with Mailchimp's editor in
| production, which unfortunately prevented us from editing our
| campaign before the deadline. Our team used Chrome Version
| 110.0.5481.177 (Official Build) (arm64), but the editor kept
| failing to function properly.
|
| As a result, we suffered a significant financial loss due to
| missing the campaign deadline. In light of these circumstances,
| we kindly request a refund for our monthly fees, especially
| considering the recent fee increase.
|
| To provide evidence of the issue, we have included a video
| showcasing the broken Mailchimp editor and the corresponding
| JavaScript error from the text editor (ckeditor). The video is
| available here: https:/[URL to screen capture].mov
|
| We appreciate your assistance in resolving this matter and
| ensuring we receive the refund we are entitled to.
|
| Asking GPT to reverse engineer the prompt:
| https://files.littlebird.com.au/Screen-Shot-2023-03-21-08-34...
|
| Further information: This interaction took place on March 7th
| (Sydney time).
| skinnymuch wrote:
| What do you ask chatgpt to get the necessary text to send
| schappim wrote:
| Sorry, don't have original, but you can reverse engineer it:
| https://files.littlebird.com.au/Screen-
| Shot-2023-03-21-08-34...
| brianbest101 wrote:
| [dead]
| lastangryman wrote:
| Like those right-click pop ups you used to get to prevent you
| copying images. We've come full circle. Only this time it's a
| large profitable company rather than some random Geocities page.
| omgomgomgomg wrote:
| How is this detected in js, if possible?
|
| Is there a dev tools open event or does it detect f keys and
| right click events?
| sphars wrote:
| One of the ways this is detected is by window resizing. You can
| see an example npm package that can detect devtools here:
| https://github.com/sindresorhus/devtools-detect
| zzo38computer wrote:
| Like they say there, there are other reasons that the window
| might be resized, including other sidebars, or split screen
| (if you use a browser that has this feature), or possibly
| even printing the document (since the page will have
| different dimensions than the screen), or resizing the window
| if you have other programs open at the same time, etc.
|
| I had wanted to prevent web pages from detecting the window
| height, which has many benefits, including this but also
| prevents using the window height to override font sizes,
| preventing auto-loading on scrolling, and auto-scrolling ads
| into view, in addition to the debugger.
|
| Additionally, detecting the outer window size should not be
| possible at all; it is not useful. Only the document view
| area is useful to detect anyways.
| Animats wrote:
| Can this be used to make MailChimp stop sending spam to an
| address?
| contravariant wrote:
| No, but you can quite easily make it unusable from a certain IP
| address apparently.
| davidjfelix wrote:
| No, that's their business model.
| somat wrote:
| I have seen websites that leave a few "debugger" keywords in the
| code and then use timing code to detect if you have the dev tools
| open. that is, if it takes too long to get to a check point, as
| in a person had to click resume, you know the debugger is open.
| It is very crude method but I guess was the best they came up
| with.
|
| On firefox the easy way to get around this is by disabling
| breakpoints, the harder way is a userscript.
| 255kb wrote:
| This also happened to me a while ago after testing a form
| multiple times. My IP was banned for several hours. Horrendous
| user experience.
| 1970-01-01 wrote:
| So can I block mailchimp spam by signing up and opening my
| browser dev toolkit? Does this hack work both ways?
| supriyo-biswas wrote:
| Are you seeing any network requests or data transmitted over open
| websockets to confirm this is actually the case?
|
| I get it that people like to complain about stuff on HN (I
| recently had a thread too) but there needs to be evidence for
| people to go off of.
| pupppet wrote:
| Open the inspector, reload the page and you'll see:
|
| "Request Blocked
|
| We blocked your request because the IP address you're using
| looks suspicious. This issue will usually resolve itself after
| a short period of time, and you can try your request again. You
| can also try using a different IP address to see if that
| resolves the issue.
|
| If you need additional help, you can try one of these support
| options.
|
| Reference Number: #####"
| supriyo-biswas wrote:
| Thank you for the description. I assume they're using a bot
| management script which is set to block requests if devtools
| is open. For such websites, opening devtools in a separate
| window should work.
|
| Some websites will try to throw you into a loop of debugger
| statements if they detect devtools being opened, which is
| harder to work around, but it doesn't seem to be the case
| here.
| Workaccount2 wrote:
| Is there an extension or workaround that prevents sites
| from knowing you opened devtools (without breaking
| everything else on the site)?
| Boltgolt wrote:
| Disabling JavaScript breakpoints usually does the trick.
| Devtools detection is often done by having a `debugger;`
| statement somewhere and timing whether it triggered.
| runlevel1 wrote:
| A lot of them dynamically generate new anonymous
| functions to get around this. Last I looked (~1 year ago
| I think) neither Chrome nor Firefox supported disabling
| the keyword completely. Do you know if that's changed?
| tenplusfive wrote:
| On Firefox it's in the Debugger Tab of the DevTools. On
| the top right you can deactivate all breakpoints (which
| includes the debugger statement).
|
| There is a similar button on chrome, but I am not sure if
| that also applies to the debugger statement.
| nadaviv wrote:
| It might be harder to detect if you open it as a separate
| window instead of docking it to the bottom/side of the
| window.
| 535188B17C93743 wrote:
| Yeah, I'm not seeing any evidence to support this...
| sosborn wrote:
| Do you have a Mailchimp account? It's really easy to test. It
| happened to me a couple of weeks ago and I can easily
| reproduce it in different network locations.
| jibe wrote:
| I got banned for hitting the back button. Their heuristics for
| blocking are shit. I'm literally logged in working on my list,
| hit back, and bang, banned. No weird plugins, no vpn, not even
| sending email.
| humaniania wrote:
| Probably because from their side that behavior looks no
| different from certain types of attacks that they are familiar
| with and are actively working to block?
| cyral wrote:
| Wow, so this is why I've been having trouble getting Mailchimp to
| load lately. As a developer I often have devtools open for
| whatever I'm working on. If I need to help out marketing with an
| automation or something, using the same tab, I get banned for the
| day.
| acuozzo wrote:
| This SO post is a bit old now, so I'd verify before proceeding,
| but it looks like having devtools open in a separate window will
| enable you to circumvent the check.
|
| https://stackoverflow.com/questions/40153206/detect-if-conso...
| ars wrote:
| Or have it open before you visit the page. Assuming they are
| detecting a resize.
|
| But if they really detect a resize, anyone who actually does
| resize their page will be blocked as well.
|
| Doing that seems a bit insane to me.
| mh- wrote:
| it's been some years, but I think it's still possible to
| detect the viewport resize without a corresponding window
| resize, so the 'docked' DevTools can be inferred distinct
| from a resizing of the window.
| iso1631 wrote:
| enable/disable a menu or toolbar then. Not sure what full
| screen would do either
| iudqnolq wrote:
| Almost everyone resizes windows by manually dragging the
| corner. This will generate a series of resize events rather
| than a single jump. This is a real technique, but it tends to
| be used by shady piracy sites that want to stop piracy of
| their pirated contents.
|
| There's another cute approach based on the fact
| console.log(foo) calls foo.toString if and only if the
| devtools is open.
| kevincox wrote:
| I could open the history or bookmarks panel in Firefox and
| get an instant resize. Or click <Super>+<Left> to snap the
| browser to the side of my screen.
|
| It seems that this would create far too many false
| positives.
| iudqnolq wrote:
| That's why this is used by a particular subset of
| websites only. They pirate tv shows and movies, and then
| pack the screen with ads. They don't care at all about
| user inconvenience or loyalty. The answer to "your
| website breaks when I do x" would be "stop doing x", if
| they even had a customer support team. Some of them
| disable every browser other than chrome on the grounds
| that users of "weird" browsers are more likely to be
| "hackers".
| 0cf8612b2e1e wrote:
| Well that is poopy. Is there a way I can "stealth" open dev tools
| on all sites? I like to see network requests in a lot of places,
| but don't like to think the server will change their responses
| based on my local actions.
| cpmsmith wrote:
| There are a couple of ways they can try to detect devtools
| being opened. As the sibling comment implies, the most popular
| way is to detect a sudden viewport resize, and you can avoid
| that by ensuring your devtools are set to open in a new window
| _before_ opening them.
|
| The only other ways I'm aware of are:
|
| - Detecting the keyboard shortcut, ⌥⌘I or equivalent, which
| you can avoid by using the browser menu, and
|
| - More riskily, evaluating a `debugger` statement and detecting
| whether evaluation paused. I'm not sure you could do anything
| about this one, but it would certainly be obvious to you
| whether it was happening.
| btdmaster wrote:
| In firefox, you can disable `debugger` by deactivating all
| breakpoints, making `debugger` a noop.
|
| Toggle the thing in the dotted rectangle: https://firefox-
| source-docs.mozilla.org/devtools-user/debugg...
| simonmales wrote:
| Make it open in a separate window.
| ars wrote:
| How can they tell that you opened dev tools?
| xnx wrote:
| I believe there are multiple techniques. One of them is
| detecting an abrupt decrease in the viewport size.
| arbol wrote:
| So ctrl/CMD left/right to move your window to one half of the
| screen might block you!? XD
| birdman3131 wrote:
| People elsewhere in the thread seemed to imply that if
| Viewport size != window size dev tools is likely opened.
| zamadatix wrote:
| That would create far too many false positives. The common
| way is to detect if window.innerWidth changed by a minimum
| threshold but window.outerWidth did not. The limitations of
| the method are built in sidebars (such as on Edge with the
| sidebar and search sidebar) could trigger it as well if
| your minimum width is not wide enough while on the other
| hand if your minimum width is too wide you won't catch the
| dev tools opening. The method is also limited in that
| undocked dev tools will not register a triggering change.
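The innerWidth/outerWidth heuristic from the comment above, as an added example that is not code from the thread or from Mailchimp. It runs over constructed window snapshots rather than a live `window`, the minimum shrink of 160 px is an assumed value, and it also checks innerHeight so a bottom-docked panel is covered; the scenarios show the true positive, the miss (undocked devtools) and the false positive (a browser sidebar) the comment warns about.

```javascript
// Added example: docked-devtools heuristic over constructed snapshots.
// Assumed minimum shrink in CSS pixels; a real page would tune this value.
const MIN_SHRINK_PX = 160;

// A snapshot holds the four values a page would read from `window`
// before and after a resize event.
function dockedDevtoolsSuspected(prev, next, minShrink = MIN_SHRINK_PX) {
  // The window itself did not change size, so the user did not resize it.
  const windowUnchanged =
    prev.outerWidth === next.outerWidth && prev.outerHeight === next.outerHeight;
  const widthShrink = prev.innerWidth - next.innerWidth;
  const heightShrink = prev.innerHeight - next.innerHeight;
  // Docked left/right eats width; docked bottom eats height. Checking both
  // catches either dock position, which a width-only check would miss.
  return windowUnchanged && (widthShrink >= minShrink || heightShrink >= minShrink);
}

// Constructed scenarios (1920x1080 window, 23 px of browser chrome), each a
// before/after pair labelled with what actually happened.
const BASE = { innerWidth: 1920, innerHeight: 1057, outerWidth: 1920, outerHeight: 1080 };
const SCENARIOS = [
  { name: 'devtools docked right (true positive)',
    prev: BASE, next: { ...BASE, innerWidth: 1420 } },
  { name: 'devtools opened as a separate window (miss: nothing changes)',
    prev: BASE, next: { ...BASE } },
  { name: 'user snaps window to half the screen (correctly ignored)',
    prev: BASE, next: { ...BASE, innerWidth: 960, outerWidth: 960 } },
  { name: 'browser sidebar opens (false positive)',
    prev: BASE, next: { ...BASE, innerWidth: 1540 } },
];

// Returns, per scenario, whether the heuristic would have fired.
function evaluateScenarios(scenarios = SCENARIOS) {
  return scenarios.map((s) => ({
    name: s.name,
    fired: dockedDevtoolsSuspected(s.prev, s.next),
  }));
}

for (const r of evaluateScenarios()) {
  console.log(`${r.fired ? 'FIRED ' : 'quiet '} ${r.name}`);
}
```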
| rezonant wrote:
| As others have mentioned, you can simply put in a sourcemap
| entry in your JS, and when the browser requests that URL (which
| happens when Devtools opens to prepare for showing original
| sources), ban the IP.
| doubleorseven wrote:
| You create this pseudo function:
|
| 1. setTimeout to call an endpoint that will block your ip. It's
| set to run in 2 seconds from now.
| 2. Insert: debugger;
| 3. Clear the timeout.
|
| Now you run this function as an interval. If the devtools is
| closed, debugger will be ignored and the call to this endpoint
| will never happen. But if it's open, the debugger will stop and
| the timeout will fire. Not sure if you need to patch setTimeout
| to continue running while you stop but I hope you get the
| general idea
| runlevel1 wrote:
| Overview of techniques used to detect/block dev tools and some
| ways to circumvent them (2021):
| https://www.usenix.org/system/files/sec21-musch.pdf
|
| If that's actually what's happened here, that's a real dick move.
|
| Disclosure: I formerly worked at SendGrid
| pictur wrote:
| I don't want to believe they are that stupid. Why would a
| platform heavily used by developers make such an idiot? This is
| so funny right now. The most absurd security measure I've ever
| seen
| neilv wrote:
| Would be funny if it were a corporate reaction to a security
| researcher contacting them about some silly web API design (e.g.,
| endpoint taking an arbitrary account ID without authorization
| check).
|
| In the writeup, the researcher illustrates by copying the service
| URL from the browser's dev tools. And so the obvious corporate
| corrective action is...
| scosman wrote:
| Mailchimp previously cranked up pricing on their Mandrill product
| dramatically, with minimal warning, no opt in, and unsympathetic
| tone from C-suite.
|
| Mailchimp is pretty hostile to developers. I don't recommend
| using them after that experience.
| eclipticplane wrote:
| I'm convinced at this point they are trying to slowly tank
| Mandrill to get people to stop using it.
|
| Tons of downtime, worsening delivery problems, no active
| development -- or support even -- for years, worse pricing, ...
| GTP wrote:
| How can they detect that?
| dariusj18 wrote:
| I wondered why I kept getting blocked. I accidentally open dev
| tools all the time
___________________________________________________________________
(page generated 2023-03-20 23:01 UTC)