Tell HN: MailChimp blacklists your IP if you open the browser's dev tools

Anyone else noticing this while editing an email? It seems just crazy.

645 points | by pupppet 402 days ago

50 comments

  • pupppet 402 days ago
    I had to use their silly drag-and-drop email builder because I'm handing the email off to be edited by a non-dev. I dropped in a "Code" module so I could add some custom CSS but because a style tag generates no space, that module is no longer accessible via the UI as there's nothing to click on. So I thought oh brother I'll just inject a couple br tags via the Inspector and then poof, I'm in the doghouse.
    • Retr0id 402 days ago
      Rather than it being dev tools itself, I think it's more likely that your injected <br> tags got POSTed to an API endpoint (or similar) in unescaped format, and were categorised by a WAF as attempted XSS. It's common for WAFs to block you for this kind of thing, unfortunately.

      Still ridiculous, but not quite the same thing as being banned for opening dev tools (of course, I am also speculating here, I guess we'd need to hear from mailchimp to be sure).

      • pupppet 402 days ago
        Actually just opening the dev tools triggers it. The blacklist seems to expire on its own so I went ahead and opened the dev tools and did nothing more, reloaded, blocked.
        • dylan604 401 days ago
          This is interesting as something I've never thought about. What signaling to the server does the browser do when devtools are opened, and I guess I have to ask why is it signaling to the server anything at all if it is?

          Edit: I see that people have replied with answers to this further down the page

        • justinclift 402 days ago
          Hopefully it doesn't have a "let's permanently ban this repeat offender" thing. (!)
    • temp12192021 401 days ago
      https://sindresorhus.com/devtools-detect/

      https://github.com/sindresorhus/devtools-detect

      EDIT: doesn't seem to work if I have devtools as a separate window

      • sli 401 days ago
        Wow, that code is entirely unreliable. It just detects your browser's viewport being outside of some threshold of a "normal" aspect ratio and then just blindly assumes that means the devtools are open. The only devtool it can actually detect is Firebug. Everything else is nothing but a blind guess based on the size of your viewport. I'd be astonished if anyone used this code for anything serious.
        • kyleee 401 days ago
          That person churns out a staggering amount of code, so it’s not a surprise I guess that the bit about “does this code actually work” is probably lower on the list of concerns.
      • deathanatos 401 days ago
        … that incorrectly detects devtools as open, when it isn't (false positive), and fails to detect devtools when it is open in a separate window (false negative)…

        Yeah, as other posters hint at, vertical tabs. But it isn't just vertical tabs that'll trigger it, any sidebar will, including native/vanilla ones; AFAICT it's just looking at the client area being less than the window by some threshold.

        • wolpoli 401 days ago
          It detects Microsoft Edge's Sidebar too, which opens on hover. It's going to create a lot of false positives.
      • Nullabillity 401 days ago
        Tree Style Tab is apparently detected as vertical dev tools, and opening the horizontal dev tools changes it to no. This is kind of hilarious.
      • lewisl9029 401 days ago
        Vertical tabs in Edge seem to trigger false positives on this. Really hope that's not the only heuristic they're using.
        • ajot 401 days ago
          Same goes for Sidebery in Firefox, but then it changes to "no" if I do open the Dev Tools. As a non web-dev, this behaviour is truly weird.
          • sli 401 days ago
            Looking at the code[0], it just defines an aspect ratio threshold (170px in either direction, on line 13) for your browser's viewport and triggers if it's outside of that on width or height. So when you open a second panel, your viewport goes back to being closer to 16:9/16:10 and the tool considers that within both thresholds.

            The detection is hilariously primitive, entirely unreliable, and only knows about your devtools directly if you're using Firebug.

            [0]: https://github.com/sindresorhus/devtools-detect/blob/main/in...
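            To make those failure modes concrete, here is an added model of the threshold heuristic described in this sub-thread; it is written for this discussion and is not the devtools-detect library's own code. The 170px threshold is the figure quoted above, the window sizes are constructed, and the rule that both dimensions exceeding the threshold counts as "closed" is an assumption chosen because it reproduces the flip-to-"no" that several commenters saw when opening horizontal devtools next to a vertical sidebar.

```javascript
// Model of a "window chrome vs. viewport" devtools heuristic, reconstructed
// for this thread (not the devtools-detect library's own code).
const THRESHOLD_PX = 170; // figure quoted in the comment above

// `win` carries the four values such a heuristic reads from the browser:
// outer* = whole browser window, inner* = the page viewport.
function classify(win, threshold = THRESHOLD_PX) {
  const widthDiff = win.outerWidth - win.innerWidth;
  const heightDiff = win.outerHeight - win.innerHeight;
  const widthHit = widthDiff > threshold;
  const heightHit = heightDiff > threshold;
  // Assumption: both dimensions over the threshold is reported as "closed".
  // This is the rule that makes a vertical sidebar plus bottom-docked devtools
  // flip the verdict back to "no", as reported above.
  const open = (widthHit || heightHit) && !(widthHit && heightHit);
  return {
    open,
    orientation: open ? (widthHit ? 'vertical' : 'horizontal') : null,
    widthDiff,
    heightDiff,
  };
}

// Constructed window geometries: a 1920x1080 window whose tab strip and
// address bar take an assumed 85px. `sidePx` is chrome stacked to the side
// (sidebar, vertical tabs, right-docked devtools); `bottomPx` is chrome
// stacked below the viewport (bottom-docked devtools).
const CHROME_PX = 85;
function makeWindow(sidePx, bottomPx) {
  return {
    outerWidth: 1920,
    innerWidth: 1920 - sidePx,
    outerHeight: 1080,
    innerHeight: 1080 - CHROME_PX - bottomPx,
  };
}

// `actuallyOpen` is the ground truth the heuristic cannot observe.
const SCENARIOS = {
  plainWindow:            { ...makeWindow(0, 0),     actuallyOpen: false },
  devtoolsDockedBottom:   { ...makeWindow(0, 400),   actuallyOpen: true },
  devtoolsDockedRight:    { ...makeWindow(450, 0),   actuallyOpen: true },
  verticalTabsSidebar:    { ...makeWindow(280, 0),   actuallyOpen: false },
  sidebarPlusDevtools:    { ...makeWindow(280, 400), actuallyOpen: true },
  devtoolsSeparateWindow: { ...makeWindow(0, 0),     actuallyOpen: true },
};

// Run every scenario through the heuristic and label each verdict.
function evaluate(scenarios = SCENARIOS) {
  const report = {};
  for (const [name, s] of Object.entries(scenarios)) {
    const { open, orientation } = classify(s);
    let verdict = 'correct';
    if (open && !s.actuallyOpen) verdict = 'false positive';
    if (!open && s.actuallyOpen) verdict = 'false negative';
    report[name] = { detected: open, orientation, verdict };
  }
  return report;
}

console.table(evaluate());
```

            Run under Node it prints a table in which only the two docked-devtools rows are correct; the sidebar row is a false positive and the sidebar-plus-devtools and separate-window rows are false negatives, which is exactly the behaviour reported in this sub-thread.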

      • riz_ 401 days ago
        False positive in the Arc browser, no devtools open.
      • jerryzh 401 days ago
        This is so hilarious.

        It only detects if there is a block in the browser that does not serve as website rendering. Since I use Tree Tab on the side panel of Firefox, this plugin will believe I have opened devtools all the time.

        Edit: it will think I closed devtools when I really open devtools. I start to wonder how shitty the code is.

      • kxrm 401 days ago
        I just turned on responsive mode in Firefox to fool it. Definitely not reliable.
      • Diskutant 401 days ago
        On iPhone 13 mini Safari it says I have the dev tools open. Only when I hide the toolbar it says „no“.
    • sosborn 401 days ago
      Just want to say as someone who regularly drops in code modules to insert css, you can absolutely access the block in the UI.
      • pupppet 401 days ago
        Yeah I thought it would be a weird oversight on MC's part to make you jump through hoops just to insert a style tag but it completely disappeared from the UI. The effect from my CSS was still there so I know it was still on the page...somewhere.
  • amyjess 402 days ago
    This is worrying since I have accidentally opened dev tools hundreds of times by clicking both mouse buttons when my cursor is near the bottom of the screen.

    I have a tic disorder (not Tourette's, because my tics are all nonverbal). One of my tics is that I mash both mouse buttons over empty space pretty frequently. I even go out of my way to keep my cursor positioned over empty space so I can mash the mouse buttons when I need to, and it's not uncommon for me to move the cursor while mashing the buttons. If the cursor is towards the bottom of the screen, that's pretty much guaranteed to open dev tools, since all it takes is a small motion of the cursor with the right-click menu open to hit the 'Inspect' option.

    • eternityforest 401 days ago
      This is why I despise gestural focused computing. Of all the features in any software, I think my least favorite is pull-to-refresh.

      I suspect that would be easy to solve with smarter context menus that could ignore clicks likely to be accidental, since "Accidentally clicking the thing that just popped up before you even see it" is a common ish mistake worth implementing workarounds for.

    • serf 401 days ago
      >I even go out of my way to keep my cursor positioned over empty space so I can mash the mouse buttons when I need to

      I have severe and sporadic clonus in my mousin' arm. I do exactly the same thing when I need to keep my hand on the mouse.

      Another thing that I have done off-and-on to accommodate certain software is to have my keyboard or mouse 'toggled' off and on with an autohotkey (or equivalent) script. If I need to rest or wait for something with my hands on the hardware then I toggle the thing off with an easy-to-reach hotkey of some sort until I'm ready to actually type/mouse.

    • myself248 401 days ago
      Likewise I hit F12 all the damn time because I'm aiming for the Home key, which is undersized on my keyboard, and they're right next to each other.

      Great, now I need to wait 8 seconds while my browser re-renders some 40-meg page which could've been plain text.

      On the other hand, if I ever think about using MailChimp to send spam, I hope someone would just come cut my hands off, then I won't need to care about hitting the wrong keys.

    • laweijfmvo 401 days ago
      Same, because sometimes I hit Ctrl-Shift-C* to copy something by mistake, which opens the Console.

      * The copy command for many terminal apps on linux

    • alpaca128 401 days ago
      Reminds me of my habit of scrolling the mouse wheel above nonresponsive parts of the UI. I wore out the scrollwheel of my last mouse. Though I never thought of it as a tic, even though I have various tics myself. Doesn't open dev tools but it makes YouTube's Shorts feature absolutely unusable because the slightest scroll input will cause a switch to another video.
    • sam0x17 401 days ago
      I regularly instruct users to open dev tools to clear their site-specific cookies because there doesn't seem to be a way of doing this without clearing _all_ cookies anymore other than in Dev Tools > Application
      • 0x0000000 401 days ago
        Not sure what browser you're referring to, but Firefox still allows you to clear site-specific cookies by clicking on the button to the left of the URL (usually a lock icon since most things are https these days)
        • Stratoscope 401 days ago
          The same thing works in Chrome and Edge too.

          You can also do it in Settings: type "cookies" in the search box and it will list both an option to clear all data and an option for site-specific data.

        • leephillips 401 days ago
          Vivaldi, too; so, I guess, Chrome?
    • millzlane 402 days ago
      It's incredibly easy to do on a MB pro with a touch bar if you keep the function keys visible and tap the minus key with an open and relaxed hand. I preface my notes with -- and == so I do it fairly often.
    • barbs 402 days ago
      I wonder if there's a plugin that could remove the context menu entry.
      • millzlane 401 days ago
        May not need one for firefox. Disable devtools.inspector.enabled in about:config.
    • opinionsonly01 401 days ago
      > I have a tic disorder (not Tourette's, because my tics are all nonverbal).

      That's still Tourette's. Tourette's is described as an involuntary movement /or/ sound.

      • alpaca128 401 days ago
        No. Tourette's is a tic disorder but not every tic is Tourette's. To quote Wikipedia:

        > It is characterized by multiple movement (motor) tics and at least one vocal (phonic) tic.

        > Tourette's is at the more severe end of a spectrum of tic disorders.

        • opinionsonly01 401 days ago
          https://www.cdc.gov/ncbddd/tourette/diagnosis.html

          > Tics are sudden twitches, movements, or sounds that people do repeatedly. People who have tics cannot stop their body from doing these things. For example, a person with a motor tic might keep blinking over and over, or a person with a vocal tic might make a grunting sound unwillingly.

          > The tic disorders differ from each other in terms of the type of tic present (motor or vocal, or a combination of both)

          • alpaca128 401 days ago
            Why did you omit the immediately visible listing of three different tic disorders in your source?

                Three tic disorders are included in the DSM-5:
                    - Tourette syndrome (TS, sometimes called Tourette disorder)
                    - Persistent (sometimes called chronic) motor or vocal tic disorder
                    - Provisional tic disorder
            
            Again, tics don't automatically mean Tourette's.
            • opinionsonly01 401 days ago
              > Again, tics don't automatically mean Tourette's.

              And a non-verbal tic doesn't automatically mean it's not Tourette's.

      • guffins 401 days ago
        A diagnosis of Tourette’s requires multiple motor tics and at least one verbal tic.

        EDIT: “vocal,” I should say, not “verbal”

        • opinionsonly01 401 days ago
          https://www.cdc.gov/ncbddd/tourette/diagnosis.html

          > Tics are sudden twitches, movements, or sounds that people do repeatedly. People who have tics cannot stop their body from doing these things. For example, a person with a motor tic might keep blinking over and over, or a person with a vocal tic might make a grunting sound unwillingly.

          > The tic disorders differ from each other in terms of the type of tic present (motor or vocal, or a combination of both)

          • guffins 399 days ago
            From that same page:

            > To be diagnosed with TS, a person must

            > * have two or more motor tics (for example, blinking or shrugging the shoulders) and at least one vocal tic (for example, humming, clearing the throat, or yelling out a word or phrase), although they might not always happen at the same time.

      • seanhunter 401 days ago
        Strange that you are the expert on someone else's disorder, no?
        • opinionsonly01 401 days ago
          https://www.cdc.gov/ncbddd/tourette/diagnosis.html

          > Tics are sudden twitches, movements, or sounds that people do repeatedly. People who have tics cannot stop their body from doing these things. For example, a person with a motor tic might keep blinking over and over, or a person with a vocal tic might make a grunting sound unwillingly.

          > The tic disorders differ from each other in terms of the type of tic present (motor or vocal, or a combination of both)

          • seanhunter 401 days ago
            If someone says they have a disorder that isn’t Tourette’s but is a bit like Tourette’s I just can’t fathom why someone with no other knowledge of the situation would be intent on somehow “proving them wrong” and establishing that it is Tourette’s.

            The link you posted establishes that Tourette’s is a tic disorder. The person says they have a tic disorder that isn’t Tourette’s. I’m perfectly happy to take them at their word about that.

            • opinionsonly01 401 days ago
              He claimed his is not Tourette's because his are "nonverbal", just because a tic is nonverbal doesn't magically mean it's not Tourette's.

              You /assume/ I have no knowledge.

  • djbusby 402 days ago
    When you open devtools, by default it will try to load source code maps for your JS and CSS.

    Very simple for a system to detect the request for the map file.

    If that's their vector turn off the autoloader and try from a clean IP.

    • iudqnolq 402 days ago
      Unfortunately console.log(foo) calls foo.toString() if and only if the console is open, and there is no way to disable this in Chrome or Firefox.

      Edit: You can redefine console.log to be a noop, but that's also detectable.

      • deecewan 401 days ago
        This is not true, at least in Chrome. I've tried with an object with the `toString` property set, and tried with a function with an updated prototype. In both cases, Chrome just...displays the object.
      • joeframbach 401 days ago
        Theoretically you could also write a bookmarklet that could inspect or modify globals. Or a greasemonkey script.
        • iudqnolq 401 days ago
          You could also fork Chrome.
          • quickthrower2 401 days ago
            You could also fuck Mailchimp
            • iudqnolq 401 days ago
              I stopped using them years ago for other reasons. We're talking about how to do research into their fuckery here, I'm not suggesting it's sane to fork a browser to make a company's crapware work.
      • easrng 401 days ago
        I can't repro, how are you getting it to call toString?
        • iudqnolq 401 days ago
              const foo = () => {}

              // replace toString so that any call to it is visible in the console
              foo.toString = () => console.warn("called")

              console.log(foo)

          • easrng 401 days ago
            Doesn't work on Firefox.
    • Karellen 401 days ago
      TIL about source code maps.

      ...and how to disable them from auto-loading.

      I mean, okay, I can see how they definitely have a use. But to try and auto-fetch js and css maps just because I want to have a look at the DOM?

      Why not wait until I actually try looking at js/css? Or even until I ask to see the source map?

      Prefetching never feels right to me. Even though I know GET requests are supposed to be side-effect free and idempotent (and if they're not, that's a choice by the server devs and they'd better have covered all the edge cases where clients correctly act as if they are...), it has the architectural equivalent of a "code smell" to my nose.

    • zamadatix 402 days ago
      Interesting to note. In Firefox "show original sources" seems to be enabled by default but in Chrome at least the settings checkbox is labeled "Allow DevTools to load resources, such as source maps, from remote file paths. Disabled by default for security reasons" and unchecked for me. Haven't checked Safari to see what its behavior is.
      • djbusby 402 days ago
        Hmm, I'm on Chrome 111 on Linux and there are two boxes for loading maps - one for JS and one for CSS.

        Could yours be a Windows Group Policy from $WORK?

        • zamadatix 402 days ago
          I have 3 boxes: "Enable JavaScript source maps", "Enable CSS source maps", and "Allow DevTools to load resources, such as source maps, from remote file paths. Disabled by default for security reasons". The first 2 are checked but without the 3rd trying to load source maps doesn't seem to do anything unless I have them locally. It's very possible I'm just testing it wrong, I don't use source maps often. It's also very possible Firefox does something similar and I'm just overlooking the option/behavior there.
          • djbusby 402 days ago
            Our Chrome are the same - and load the maps by default.
    • chatmasta 401 days ago
      Similarly, here are some techniques for debugger detection [0]. I've seen some crypto mining malware in the wild that did this to make deobfuscation more difficult.

      [0] https://x-c3ll.github.io/posts/javascript-antidebugging/

    • bilekas 402 days ago
      This is interesting, as for a hackathon I was thinking of ways to identify this behavior too.

      The source map requests were a more successful option. Also played around with "snap" resize but it was too aggressive.

      As for whatever the reason, MailChimp blocking your IP is pretty ridiculous.

      • status200 402 days ago
        I can only imagine the amount of security pressure they feel since they are basically a backdoor into easily stealing one or more company identities once you pass the 2FA, with full address books of customers that will trust emails deployed through MC campaigns and blindly click on links in the emails sent out, so I am guessing they err on the side of caution and have tons of false positives instead of letting anything pass through or disrupt.
  • aendruk 402 days ago
    Reminds me of my experiences with UnitedHealthcare’s website. If I try to log in with Firefox + uBO I get mysterious permissions errors and “something went wrong” messages for the next few hours, even after switching browsers. Use Chromium from the beginning though and it’s smooth sailing. And of course their “tech” support is beyond useless about this.
    • throwway120385 401 days ago
      UHC is one of my poster children for how you can structure a corporation to completely absolve both parties of any responsibility for anything.
    • lotsofpulp 402 days ago
      Lots of websites make me disable content blockers on Safari too, or even not let me use Safari (maybe because of Apple’s Private Relay?).

      The part I do not understand is even websites that verify you via 2FA do this, so I assume their goal is to track you no matter what.

      • akira2501 401 days ago
        In the general case, I assume it's mostly just bad coding practices, and developers not testing how their site performs with an ad or cookie blocker active.
        • danuker 401 days ago
          I don't buy that. Web devs know better than to suffer through ads. They block ads.
          • comprev 401 days ago
            You're assuming the webdevs have authority to make the site "backwards compatible" with those who use adblockers. If revenue comes from ads, why would management give the green light?
            • danuker 400 days ago
              My point exactly. It is the company that DECIDES to make the site adblocker-unfriendly. It is not accidental.
              • comprev 400 days ago
                It’s the other way around - they decided NOT to make their websites adblocker-friendly. Deciding to make it _unfriendly_ would require extra work.
        • mr_toad 401 days ago
          And loading up on dependencies that include tracking cookies.
    • hirundo 402 days ago
      That website only works on Chrome for me, it doesn't let me login on Brave ... which is a flavor of Chromium, right?
  • 1123581321 402 days ago
    That's an anticompetitive move. If you need to switch senders for some reason, the inspector is the only clean way to get an email's HTML into another ESP.
    • htag 402 days ago
      Is that true?

      An email client like Thunderbird or Mail will save a copy of the email on your local hard drive, which will include the HTML. This isn't something I do regularly, but it would be my first response if I needed to see the HTML of an email. Maybe Mailchimp has protections against this route too?

      • 1123581321 402 days ago
        Yes, it's true. You don't want all the chrome from the actual send around the body of your email because the other ESP will be providing that. You might also want to prevent certain fields and links from converting into the send versions. But in a pinch, sure, you could slice the body out of a copy in Thunderbird.
    • tobr 402 days ago
      Makes no sense. If you’re considering switching to a different provider, getting blocked makes it impossible to continue to use the service?
      • 1123581321 402 days ago
        Yes it does. Say you're an agency sending email on behalf of several different organizations. If you export one to send through CampaignMonitor (usually list or domain approval related), the employee who pulled the HTML gets their hand slapped by the IP ban. It's less likely to happen next time with a different campaign or different client. I haven't actually experienced the IP ban but I've sent for the same organization through multiple ESPs without quitting one for good.

        Even if you are a single organization user and leaving for good, you might do so gradually or perform test sends first. Speaking from experience again.

        • danuker 401 days ago
          If my agency were hit with this, I'd plan switching ASAP.
    • ben174 401 days ago
      Can you just view the RAW email body after it's sent?
    • rvnx 402 days ago
      Could it be that MailChimp consider this move (copying their HTML template used with your e-mail content) to be copyright infringement ?
      • 1123581321 401 days ago
        I’m sure that’s at least part of how they see it.
    • quickthrower2 401 days ago
      Tampermonkey
  • cyral 402 days ago
    Wow, so this is why I've been having trouble getting Mailchimp to load lately. As a developer I often have devtools open for whatever I'm working on. If I need to help out marketing with an automation or something, using the same tab, I get banned for the day.
  • schappim 401 days ago
    This is problematic.

    We had to contact Mailchimp on March 7th regarding their flawed implementation of CKEditor.

    To demonstrate the issue, we sent them a screencast[1] (in the video we opened dev tools).

    We requested and were provided with a refund. Per my other comment on this thread. The content of the request was created using GPT (although the prompt history is not available, it can be reverse engineered).

    The email sent and reply to the email are available[2].

    I'm adding this comment to highlight the very reasonable fair use of opening up dev tools to try to work out what is going on.

    [1] https://files.littlebird.com.au/Screen-Recording-2023-03-08-...

    [2] https://files.littlebird.com.au/Screen-Shot-2023-03-21-at-8....

  • neilv 402 days ago
    Would be funny if it were a corporate reaction to a security researcher contacting them about some silly web API design (e.g., endpoint taking an arbitrary account ID without authorization check).

    In the writeup, the researcher illustrates by copying the service URL from the browser's dev tools. And so the obvious corporate corrective action is...

  • jibe 401 days ago
    I got banned for hitting the back button. Their heuristics for blocking are shit. I’m literally logged in working on my list, hit back, and bang, banned. No weird plugins, no vpn, not even sending email.
    • humaniania 401 days ago
      Probably because from their side that behavior looks no different from certain types of attacks that they are familiar with and are actively working to block?
  • Animats 402 days ago
    Can this be used to make MailChimp stop sending spam to an address?
    • davidjfelix 402 days ago
      No, that's their business model.
    • contravariant 402 days ago
      No, but you can quite easily make it unusable from a certain IP address apparently.
    • morrbo 401 days ago
      I'm willing to bet that if someone can social engineer their support staff into opening a console from their corp address, yes (in a way lol)
  • acuozzo 402 days ago
    This SO post is a bit old now, so I'd verify before proceeding, but it looks like having devtools open in a separate window will enable you to circumvent the check.

    https://stackoverflow.com/questions/40153206/detect-if-conso...

    • ars 402 days ago
      Or have it open before you visit the page. Assuming they are detecting a resize.

      But if they really detect a resize, anyone who actually does resize their page will be blocked as well.

      Doing that seems a bit insane to me.

      • mh- 402 days ago
        It's been some years, but I think it's still possible to detect the viewport resize without a corresponding window resize, so the 'docked' DevTools can be inferred distinct from a resizing of the window.
        • iso1631 402 days ago
          Enable/disable a menu or toolbar then. Not sure what full screen would do either.
          • sli 401 days ago
            That is exactly what ends up happening when you detect a viewport resize without a window resize and immediately assume it's the devtools. A user opens their bookmark sidebar and gets blacklisted, because the code simply assumes what's happened.
      • iudqnolq 402 days ago
        Almost everyone resizes windows by manually dragging the corner. This will generate a series of resize events rather than a single jump. This is a real technique, but it tends to be used by shady piracy sites that want to stop piracy of their pirated contents.

        There's another cute approach based on the fact console.log(foo) calls foo.toString if and only if the devtools is open.

        • kevincox 401 days ago
          I could open the history or bookmarks panel in Firefox and get an instant resize. Or click <Super>+<Left> to snap the browser to the side of my screen.

          It seems that this would create far too many false positives.

          • iudqnolq 401 days ago
            That's why this is used by a particular subset of websites only. They pirate tv shows and movies, and then pack the screen with ads. They don't care at all about user inconvenience or loyalty. The answer to "your website breaks when I do x" would be "stop doing x", if they even had a customer support team. Some of them disable every browser other than chrome on the grounds that users of "weird" browsers are more likely to be "hackers".
  • scosman 402 days ago
    Mailchimp previously cranked up pricing on their Mandrill product dramatically, with minimal warning, no opt in, and unsympathetic tone from C-suite.

    Mailchimp is pretty hostile to developers. I don't recommend using them after that experience.

    • eclipticplane 402 days ago
      I'm convinced at this point they are trying to slowly tank Mandrill to get people to stop using it.

      Tons of downtime, worsening delivery problems, no active development -- or support even -- for years, worse pricing, ...

      • inconceivable 401 days ago
        I signed up for a test account for a POC I'm developing, went through the whole rigamarole of setting up SPF and DKIM and all of that, successfully used their API and... nothing. No delivery of any email to my own domain. No response from support, since I haven't paid yet I guess.

        Seems like they want to eject their more sophisticated dev customers. Guess I can't blame them, but why bother, just shut the damn thing down instead of wasting everyone's time.

  • 1970-01-01 401 days ago
    https://mailchimp.com/about/security/#Protecting_Ourselves_A...

    >Yes, you heard that correctly. We can secure ourselves like Fort Knox, but if your computer gets compromised and someone gets into your Mailchimp account, that's not good for either of us.

    So mailchimp is SOC2, ISO, PCI, etc. and still gets worried about themselves if a user account is hacked.

    • suresk 401 days ago
      Not defending their actions in this particular case, but yes, I think it is completely reasonable for a service like MailChimp to be concerned about unauthorized use of user accounts. If someone takes over a MailChimp account, it is almost certainly to send spam/fraud type stuff, which causes harm to MailChimp in various ways.

      Compliance with those standards doesn't mean they aren't potentially impacted by that sort of thing, and doing what they can to detect and mitigate unauthorized user account usages is part of at least a few of them.

    • dylan604 401 days ago
      Reading further down that page...

      "We retain a law firm in the UK to consult on EU privacy issues."

      Wouldn't it be better to retain a law firm that's actually in the EU? Hiring a UK law firm for EU matters is no different than hiring a US law firm, or AUS, or whatever non-EU country.

      • jkaplowitz 401 days ago
        While that is true in the sense that the UK is no longer in the EU, I don't believe UK law has yet diverged from EU law on any relevant privacy issues, so UK firms would still have significant experience in this area. A firm within the EU would be a better choice, I agree.
        • NoboruWataya 401 days ago
          Also, a lot of international companies will just retain an international law firm headquartered in the UK for everything. That law firm will have offices all over the world, including in several EU jurisdictions, that they will outsource to when necessary to advise on EU legal issues.
      • pxeger1 401 days ago
        The UK is subject to the UK GDPR, which has no material differences to the EU GDPR. There are probably some other differences, but the UK is much better than USA or Australia etc. (Although I'm surprised there aren't USA-based law firms which specialise in European privacy laws, because of their impact on tech companies)
        • dylan604 401 days ago
          Yeah, but the people that work with the UK law firm probably go to the UK to have meetings just so they can update their out-of-office replies with "I'll be away for meetings in the UK for...blahblahblah" just so they look cooler than the schmucks that have meetings across town. So that's why they choose non-local talent, just for their egos.

          Or, maybe I'm confusing them with ad agency types that I've worked with in the past and I'm just projecting one ego industry onto another?

          • smabie 401 days ago
            You're saying they choose a UK law firm bc it "looks cooler" to travel on a plane to the UK? Am I reading this right
          • drawfloat 401 days ago
            Or they've worked with them for more than four years, before the UK left the EU.
          • pauby 401 days ago
            You feeling okay?
    • Traubenfuchs 401 days ago
      That openly user hostile language must be one of its kind.
  • schappim 402 days ago
    I used ChatGPT to get a refund from Mailchimp when their CKText editor failed to load on International Women's Day, preventing us from sending an email promotion that day.

    I opened the web inspector to show the library erroring when Mailchimp tried to load it, and also provided a screencast.

    I wasn't blocked, but I did receive a refund.

    So this must be a relatively new thing!

    If I were the OP, I would complain and request a refund.

    • schappim 401 days ago
      For the folks that are asking for the prompt, I'm afraid conversation history is not working at the moment. I can however provide you with the output:

        We experienced a technical issue with Mailchimp's editor in production, which unfortunately prevented us from editing our campaign before the deadline. Our team used Chrome Version 110.0.5481.177 (Official Build) (arm64), but the editor kept failing to function properly.
        
        As a result, we suffered a significant financial loss due to missing the campaign deadline. In light of these circumstances, we kindly request a refund for our monthly fees, especially considering the recent fee increase.
        
        To provide evidence of the issue, we have included a video showcasing the broken Mailchimp editor and the corresponding JavaScript error from the text editor (ckeditor). The video is available here: https:/[URL to screen capture].mov
        
        We appreciate your assistance in resolving this matter and ensuring we receive the refund we are entitled to.
      
      
      Asking GPT to reverse engineer the prompt: https://files.littlebird.com.au/Screen-Shot-2023-03-21-08-34...

      Further information: This interaction took place on March 7th (Sydney time).

    • skinnymuch 402 days ago
      What do you ask chatgpt to get the necessary text to send
    • xkcd1963 402 days ago
      I don't understand why those strange people at hackernews downvoted you. I guess using ChatGPT makes them scared.
      • UberFly 402 days ago
        He meant ChadGPT. I guess some people aren't ready for the New Jersey bro AI shakedown.
        • robertlagrant 401 days ago
          ChadGPT, give me an arms-only workout pep talk in the style of David Goggins to maximise my grindset.
      • benatkin 402 days ago
        It's a nice story but missing some details that the sibling comment to yours requested.

        I can haz prompt pls schappim?

  • runlevel1 402 days ago
    Overview of techniques used to detect/block dev tools and some ways to circumvent them (2021): https://www.usenix.org/system/files/sec21-musch.pdf

    If that's actually what's happened here, that's a real dick move.

    Disclosure: I formerly worked at SendGrid

  • eminent101 402 days ago
    Isn't this spying on the user without user's consent? Me opening dev tools to view the source is a private activity. Is it okay to collect this kind of info and use it to block access? Are there no regulations against this?
    • javajosh 402 days ago
      > Isn't this spying on the user without user's consent?

      Yes.

      > Is it okay to collect this kind of info and use it to block access?

      No. It's not okay.

      > Are there no regulations against this?

      Probably not. In this case the remedy is to just use another service, or DIY. And I also think that's a pretty reasonable remedy, which will send a message to others considering such actions.

      FWIW I would like to see regulations around intrusive spying on client machines via the browser or any other path. Ideally we'd get new, specific legislation around it. Something might also be done at the executive level at the FCC. Legislation is unlikely because of America's current flirtation with 3rd world style politics.

      In terms of advocacy, I would assume that the EFF is of a similar view. Other human rights groups would be supportive of such measures, since in addition to protecting consumers, they protect journalists and their sources as well. The people against will be state security services and all businesses powered by a targeted ad engine.

      • JohnBooty 401 days ago
        I'm not defending MailChimp (this devtools thing is pretty awful) but "just DIY it" is a bit glib. DIY'ing what MailChimp provides is... a lot.

        I wrote a sort of "DIY MailChimp" for a marketer back in the ancient days of the early 2000s. I did the tracking and email content bits.

        I did not handle the email servers themselves. Lot of work staying off of blacklists. It was something close to a fulltime job back then, and from what folks have told me it might be more like multiple fulltime jobs these days. Lots of anti-spam regulations to adhere to, and one or two false steps and you're going to wind up in an absolute hell where other email providers (Yahoo, Gmail, whoever) are not going to talk to your servers.

        Also need to figure out email templates that render consistently across webmail providers and browsers and mail clients. That is also a loooot.

        Making a consumer-friendly UI like Mailchimp is another massive task, but I guess you can skip that for your "DIY" solution.

        Again, I'm not defending Mailchimp. I hope I never have to dip my toes into this area again. It is hell.

        • javajosh 401 days ago
          The users of mailchimp don't need to make another mailchimp. They just need to handle their own email needs. That's a big difference. It's still not easy, and I would never be glib about it, especially since I've never run my own mail server on my own domain name before.

          But...several full-time jobs? How much mail do you need to send before postfix on a $5 VPS falls over? In terms of composing html mail that looks good, that would take some time to learn. A day to get something passable, especially with LLM help? As for tracking, I am against image/pixel tracking in emails, I think it undermines trust, so I wouldn't implement it (or use it).

          • kxrm 401 days ago
            > But...several full-time jobs?

            I think it depends on how important delivery is to your business. If your business team expects near 100% delivery and they want all the tracking features that give them insight into their promotional campaigns, then running email promotions on your own is quite a steep hill to climb.

            I run my own MTA on my own domain and only use it for verification purposes and I still have to fight with the free email providers every few weeks. It's definitely not a full-time job but I also have the joy of just not caring if a user doesn't get an email from my system.

            I agree with you somewhat that people reach for mass mail services too quickly sometimes but I also understand the perspective of engineers who have things like deadlines and other work to do where if I have the choice of working on truly new things to help grow the business I work for or handling email logistics, I know where I will point my company.

            • javajosh 401 days ago
              >I know where I will point my company

              That's why "use another service" was first on the list of alternatives.

          • JohnBooty 401 days ago
            It's not the amount of mail you send. Sending 1,000,000 emails is as easy as sending 1,000.

            As I said though compliance with spam regulations will be a constant battle. If you don't care if e.g. Google blacklists you from gmail.com, cool. That makes things a lot easier.

                The users of mailchimp don't need to make another mailchimp
            
            Right. I said that I'm assuming you can skip the consumer-friendly UI bits.

            However, I'm assuming you do at least want the analytic and tracking bits in this theoretical situation. Otherwise, why use something like Mailchimp in the first place? There are other ways to "just send mail." You choose Mailchimp for the extra bits.

    • AlchemistCamp 402 days ago
      If it were a "private activity", they wouldn't know you did it. If your computer sends requests to their server about it, then it's not really fair of you to expect them not to be aware of it.
      • eminent101 402 days ago
        Does the computer really send requests to their server when I open dev tools? I checked and I couldn't find any request that was sent from Firefox or Chrome when I opened dev tools.

        Aren't they using a JavaScript based detection mechanism like listening for browser events on the client side or latching on to debugger to pull this information? Sounds to me like they are going out of their way to pull private information from my system that I or my system or my browser had no intention of sharing with them.

        • jibe 401 days ago
          Check your console instead of the network tab - it will load css.map and js.map files. I never noticed until now, but .map requests don’t show in the network requests.
    • karaterobot 401 days ago
      I don't know how they're doing it, but I assume they're using data given to them by your browser, e.g. measuring the difference in height/width between the window and the viewport. Either that, or (as someone upthread suggested) they're reading a request your browser sends for mapping files, which would again be information you provided. If anything, I guess your browser is the one spying on you, by providing this information. But, realistically, I don't think it counts as spying either way. Hostile behavior on Mailchimp's part, yes. Dumb idea, yes.
  • supriyo-biswas 402 days ago
    Are you seeing any network requests or data transmitted over open websockets to confirm this is actually the case?

    I get it that people like to complain about stuff on HN (I recently had a thread too) but there needs to be evidence for people to go off of.

    • pupppet 402 days ago
      Open the inspector, reload the page and you'll see:

      "Request Blocked

      We blocked your request because the IP address you’re using looks suspicious. This issue will usually resolve itself after a short period of time, and you can try your request again. You can also try using a different IP address to see if that resolves the issue.

      If you need additional help, you can try one of these support options.

      Reference Number: #####"

      • supriyo-biswas 402 days ago
        Thank you for the description. I assume they're using a bot management script which is set to block requests if devtools is open. For such websites, opening devtools in a separate window should work.

        Some websites will try to throw you into a loop of debugger statements if they detect devtools being opened, which is harder to work around, but it doesn't seem to be the case here.

        • Workaccount2 402 days ago
          Is there an extension or workaround that prevents sites from knowing you opened devtools (without breaking everything else on the site)?
          • Boltgolt 402 days ago
            Disabling javascript breakpoints usually does the trick. Devtools detection is often done by having a `debugger;` statement somewhere and timing whether it triggered
            • runlevel1 402 days ago
              A lot of them dynamically generate new anonymous functions to get around this. Last I looked (~1 year ago I think) neither Chrome nor Firefox supported disabling the keyword completely. Do you know if that's changed?
              • tenplusfive 402 days ago
                On Firefox it's in the Debugger Tab of the DevTools. On the top right you can deactivate all breakpoints (which includes the debugger statement).

                There is a similar button on chrome, but I am not sure if that also applies to the debugger statement.

          • nadaviv 402 days ago
            It might be harder to detect if you open it as a separate window instead of docking it to the bottom/side of the window.
    • 535188B17C93743 402 days ago
      Yeah, I'm not seeing any evidence to support this...
      • sosborn 401 days ago
        Do you have a Mailchimp account? It's really easy to test. It happened to me a couple of weeks ago and I can easily reproduce it in different network locations.
  • srejk 402 days ago
    If it's detecting resize/sidebar, does the new "Search Google for foo" sidebar window trigger it too?
  • yakubin 402 days ago
    That's unfortunate. My muscle memory sometimes makes me open DevTools even unintentionally when I try to copy text and press Ctrl+Shift+C.
  • taf2 402 days ago
    Fascinating. I encourage customers to use the dev tools to discover and see how to work with our APIs
  • pupppet 401 days ago
    Just an update, it's definitely triggered by the act of looking for JavaScript source maps. If I disable that in Chrome I can use developer tools without issue.
  • klabb3 402 days ago
    Couple thoughts:

    1. Correctly designed dev tools shouldn’t be detectable from the app itself, especially not if the tools are passively used for observing. This can be abused by malicious actors who can make it harder to detect and warn others. It can also cause heisenbugs.

    2. One of those malicious actors is apparently Mailchimp. I don’t use it so I’m not affected. But from a meta-perspective it’s concerning when direct user-hostile actions are normalized by what most people consider “legit companies”. The same could be said about fingerprinting and many other tricks.

    3. Meta-meta point: if you’re running a business that does this, the open web is not for you. You don’t belong, and you should try building your own proprietary stack instead. I don’t mind wolves, but please stop dressing in sheep clothing. There’s a paradox of tolerance at play here.

  • 255kb 401 days ago
    This also happened to me a while ago after testing a form multiple times. My IP was banned for several hours. Horrendous user experience.
  • junon 401 days ago
    Nasty dark pattern from what I assume are wildly inexperienced developers at MailChimp. Just more reason not to use them.
  • 1970-01-01 401 days ago
    So can I block mailchimp spam by signing-up and opening my browser dev toolkit? Does this hack work both ways?
  • lastangryman 402 days ago
    Like those right-click pop ups you used to get to prevent you copying images. We've come full circle. Only this time it's a large profitable company rather than some random Geocities page.
  • somat 402 days ago
    I have seen websites that leave a few "debugger" keywords in the code and then use timing code to detect if you have the dev tools open. That is, if it takes too long to get to a check point, as in a person had to click resume, you know the debugger is open. It is a very crude method but I guess was the best they came up with.

    On firefox the easy way to get around this is by disabling breakpoints, the harder way is a userscript.

  • vogon_laureate 401 days ago
    They may also just lock your account for ‘suspicious activity’ if you move office and want to update your address details. Good luck trying to get it back in reasonable time even when you send all the paperwork to prove what you were doing was not only legit but legally required. Took us three weeks to get our account back.
  • yawnxyz 401 days ago
    Whoa I've done it many times on MailChimp to correct my newsletters.

    Sooner or later I'll end up on their blacklist. Ugh.

  • kull 401 days ago
    I am using dev tools when editing templates in mailchimp interface code editor. Did not get banned yet.
  • omgomgomgomg 402 days ago
    How is this detected in js, if possible?

    Is there a dev tools open event or does it detect f keys and right click events?

    • sphars 402 days ago
      One of the ways this is detected is by window resizing. You can see an example npm package that can detect devtools here: https://github.com/sindresorhus/devtools-detect
      • zzo38computer 401 days ago
        Like they say there, there are other reasons that the window might be resized, including other sidebars, or split screen (if you use a browser that has this feature), or possibly even printing the document (since the page will have different dimensions than the screen), or resizing the window if you have other programs open at the same time, etc.

        I had wanted to prevent web pages from detecting the window height, which has many benefits, including this one, but it also prevents using the window height to override font sizes, prevents auto-loading on scrolling, and prevents auto-scrolling ads into view, in addition to the debugger.

        Additionally, detecting the outer window size should not be possible at all; it is not useful. Only the document view area is useful to detect anyways.

  • dariusj18 402 days ago
    I wondered why I kept getting blocked. I accidentally open dev tools all the time
  • 0cf8612b2e1e 402 days ago
    Well that is poopy. Is there a way I can “stealth” open dev tools on all sites? I like to see network requests in a lot of places, but don’t like to think the server will change their responses based on my local actions.
    • cpmsmith 402 days ago
      There are a couple of ways they can try to detect devtools being opened. As the sibling comment implies, the most popular way is to detect a sudden viewport resize, and you can avoid that by ensuring your devtools are set to open in a new window before opening them.

      The only other ways I'm aware of are:

      - Detecting the keyboard shortcut, ⌘⌥i or equivalent, which you can avoid by using the browser menu, and

      - More riskily, evaluating a `debugger` statement and detecting whether evaluation paused. I'm not sure you could do anything about this one, but it would certainly be obvious to you whether it was happening.

    • simonmales 402 days ago
      Make it open in a separate window.
  • crad 402 days ago
    Should try out AWeber.com </shameless-plug>
  • andrewstuart 401 days ago
    There was another site - I can't recall which - when you open developer tools it had a recruiting ad there and asked you to apply.
    • dbl000 401 days ago
      I think both Facebook and Discord do that. I know that the Discord webapp has a big warning along the lines of "copy pasting code here can lead to a compromised account" and then a message about "if you know what you are doing, come work for us".
    • Crosseye_Jack 401 days ago
      Many sites do it, but the one I always recall is reddit.

      EDIT:

      BBC news puts a rather fancy one in the console

      Facebook puts a warning about self xss in the console.

      • sli 401 days ago
        I remember discovering the BBC one because that's how I found out you can use CSS to style things in the console.
  • nurettin 399 days ago
    The protection isn't complete unless they block right-click.

    Welcome to the 90s.

  • 1B05H1N 401 days ago
    Maybe they have a bot problem and their security policy is a bit too aggressive.
  • trasz3 402 days ago
    Company in spam sending business does other unethical things, how surprising.
  • cynicalsecurity 401 days ago
    That's a valid reason not to use their services.
  • xkcd1963 402 days ago
    Hackers are always three steps ahead, what's the point?
    • ravenstine 402 days ago
      I was thinking the same thing. If I was intent on using the dev tools for who knows what with MailChimp, it would merely be a roadblock. I might even be more compelled to achieve my goal just to defeat their bullshit.

      Not that I would ever use MailChimp.

  • pictur 402 days ago
    I don't want to believe they are that stupid. Why would a platform heavily used by developers make such an idiot? This is so funny right now. The most absurd security measure I've ever seen
  • Kiro 401 days ago
    Can anyone other than pupppet confirm this?
  • consultSKI 401 days ago
    if true, one more reason i don't miss mailchimp...

    they have made it IMPOSSIBLE to take them seriously. #justSayin

  • GTP 401 days ago
    How can they detect that?
  • ars 402 days ago
    How can they tell that you opened dev tools?
    • doubleorseven 402 days ago
      You create this pseudo function:

      1. setTimeout to call an endpoint that will block your ip. It's set to run in 2 seconds from now.
      2. Insert: debugger;
      3. Clear the timeout.

      Now you run this function as an interval. If the devtools is closed, debugger will be ignored and the call to this endpoint will never happen. But if it's open, the debugger will stop and the timeout will fire. Not sure if you need to patch setTimeout to continue running while you stop but I hope you get the general idea

    • rezonant 402 days ago
      As others have mentioned, you can simply put in a sourcemap entry in your JS, and when the browser requests that URL (which happens when Devtools opens to prepare for showing original sources), ban the IP.
    • xnx 402 days ago
      I believe there are multiple techniques. One of them is detecting an abrupt decrease in the viewport size.
      • arbol 402 days ago
        So ctrl/CMD left/right to move your window to one half of the screen might block you!? XD
        • zamadatix 402 days ago
          That would create far too many false positives. The common way is to detect if window.innerWidth changed by a minimum threshold but window.outerWidth did not. The limitations of the method are built in sidebars (such as on Edge with the sidebar and search sidebar) could trigger it as well if your minimum width is not wide enough while on the other hand if your minimum width is too wide you won't catch the dev tools opening. The method is also limited in that undocked dev tools will not register a triggering change.
        • birdman3131 402 days ago
          People elsewhere in the thread seemed to imply that if Viewport size != window size dev tools is likely opened.
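The three detection signals described across this thread, the `debugger` timing trick (Boltgolt, somat, doubleorseven), the innerWidth/outerWidth viewport heuristic (sphars, cpmsmith, zamadatix) and the source-map request tripwire (jibe, rezonant, pupppet's update), as one added example. This is not Mailchimp's code, which is not public; it is illustrative JavaScript written for this page. Each signal is a pure function so it can be driven with constructed measurements, and the function names, the 160px threshold, the 100ms pause threshold and the one-hour block window are all assumptions.

```javascript
// Added example, not Mailchimp's code (which is not public): the three
// "devtools is open" signals discussed in this thread, written as pure
// functions so they can be exercised with constructed inputs. Names,
// thresholds and the block window are assumptions.

// Snapshot of the four window dimensions the viewport heuristic uses.
function snapshot(w) {
  return {
    innerWidth: w.innerWidth, innerHeight: w.innerHeight,
    outerWidth: w.outerWidth, outerHeight: w.outerHeight,
  };
}

// 1. Docked-devtools heuristic. Docking devtools shrinks the viewport
//    (window.innerWidth/innerHeight) while the OS window
//    (window.outerWidth/outerHeight) keeps its size. Undocked devtools
//    never trip this; a browser sidebar wider than `threshold` pixels
//    does, which is the false positive discussed above.
function dockedDevtoolsHeuristic(before, after, threshold = 160) {
  const outerUnchanged =
    before.outerWidth === after.outerWidth &&
    before.outerHeight === after.outerHeight;
  const shrunkW = before.innerWidth - after.innerWidth >= threshold;
  const shrunkH = before.innerHeight - after.innerHeight >= threshold;
  return outerUnchanged && (shrunkW || shrunkH);
}

// 2. Debugger-timing probe. `debugger` is a no-op unless a debugger is
//    attached with breakpoints enabled, so a large wall-clock gap across it
//    means someone sat at the paused breakpoint. A timer armed before the
//    statement cannot fire during the pause (the JS thread is halted), so
//    comparing timestamps is the reliable form. Disabling breakpoints in
//    devtools turns the statement back into a no-op.
function debuggerTimingProbe(thresholdMs = 100) {
  const start = Date.now();
  debugger; // eslint-disable-line no-debugger
  const elapsedMs = Date.now() - start;
  return { elapsedMs, paused: elapsedMs >= thresholdMs };
}

// 3. Source-map tripwire (server side). Scripts carry a
//    `//# sourceMappingURL=app.js.map` comment; browsers only fetch that
//    URL when devtools opens. Treating the fetch as the devtools signal and
//    blocking the client IP for a cooldown reproduces the reported
//    behaviour: the block "resolves itself" after a while, and turning off
//    source maps in the browser avoids it entirely. `now` is injectable so
//    the cooldown can be tested without waiting.
const BLOCK_MS = 60 * 60 * 1000; // assumed one-hour cooldown

function makeSourceMapTripwire(now = Date.now) {
  const blockedUntil = new Map(); // ip -> epoch ms when the block expires
  return function handle(ip, path) {
    const t = now();
    if ((blockedUntil.get(ip) || 0) > t) {
      return { status: 403, reason: 'ip-blocked' };
    }
    if (path.endsWith('.map')) {
      blockedUntil.set(ip, t + BLOCK_MS);
      return { status: 403, reason: 'sourcemap-tripwire' };
    }
    return { status: 200, reason: 'ok' };
  };
}

// Browser-side poll loop wiring signals 1 and 2 together; skipped under Node.
if (typeof window !== 'undefined') {
  let last = snapshot(window);
  setInterval(() => {
    const cur = snapshot(window);
    if (dockedDevtoolsHeuristic(last, cur) || debuggerTimingProbe().paused) {
      console.warn('devtools heuristic tripped');
    }
    last = cur;
  }, 1000);
}
```

The viewport heuristic is the one with the ugliest failure modes: halving the window with a keyboard shortcut changes the outer size too and is correctly ignored, but a search or reading sidebar shrinks only the inner size and looks identical to docked devtools. The tripwire has no such ambiguity, which is consistent with pupppet's observation that disabling source-map fetching in Chrome is enough to avoid the block.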
  • adamsb6 402 days ago
    Mail... kimp?
  • breakingrules 402 days ago
    after a few weeks inside their api, sounds like a solution intuit's developers would come up with.
  • mandeepj 402 days ago
    So, use Tor browser or a VPN tunnel!
  • moduspol 402 days ago
    It's pretty common as an account hijacking vector, right?

    Hackers tell non-techies to paste things into the console, which can then share cookies or access tokens with the attacker.

    Obviously the browser is "owned" by the client, so a sufficiently motivated techie could bypass this any number of ways. But it protects some number of non-techies from security issues.

    • is_true 402 days ago
      In that case you take Facebook's route and show a message when you open the console.
    • ars 402 days ago
      You can print debug messages to the console to warn people. The website has no idea if they opened it or not.

      But here, it seems they are detecting if the window is resized! That's just crazy.