> It also makes the spoofing completely undetectable.
It's my understanding that the usage of the debugger is detectable by scripts running on the page. I've actually come across content websites that will refuse to activate their features (play video) if the debugger is active.
Similarly on Android some video streaming apps will refuse to load and play their content catalog if USB debugging is enabled.
A javascript file, whose name changes with every refresh, is loaded. The script calls the `debugger` keyword, which only functions when you have DevTools open.
Meanwhile, a tickers is running. If a tick takes too long, it interprets that as the debugger having been called.
There are a bunch of sophisticated ways to obfuscate it, but it basically boils down to:
<script>
setInterval(function() {
try {
let before = new Date().getTime();
// This will pause the program execution if debugging is enabled.
// If debugging isn't enabled this statement is a no-op.
debugger;
let after = new Date().getTime();
// Detect if the program was paused or not.
if (after - before > 0.01) {
// > 10ms difference? The program was (most likely) paused by the debugger.
document.body.innerHTML = "<h1>Debugging started</h1>";
}
} catch(e) {}
}, 1000);
</script>
There are some other ways to detect it by implementing various prototype methods and continually logging the object to the console. The methods are only invoked if the dev console is opened.
I'm able to get it to trigger on about ~10-20% of page reloads with your extension activated. Never when it isn't. Maybe it's just a matter of tuning the interval and detection threshold?
I don’t have a link offhand but I’ve seen this code while debugging some pirate sports streams. The next upcoming one to check would be an NBA game from “nba bite” (Google it, it’s the offshoot of the banned sports streaming subreddits.)
I think you’re probably right that it wouldn’t detect presence of your extension, since that code runs in its own context and I assume doesn’t actually call the debugger. If your extension injects a script into the page, then that could be detected with this technique or similar.
It's my understanding that the usage of the debugger is detectable by scripts running on the page. I've actually come across content websites that will refuse to activate their features (play video) if the debugger is active.
Similarly on Android some video streaming apps will refuse to load and play their content catalog if USB debugging is enabled.