Allowing websites to disable client devtools to stop bank scammers?

Many vulnerable people are scammed because hackers and scammers use the devtools to edit HTML using the devtools on people's bank account web pages.

Would it be possible for client browsers to accept some type of metadata to allow sites like banking apps to disable editing of HTML in the dev tools?

Hi!

Can you share more details about how scammers usually trick people into using devtools?

One of the things we want to change in the coming months is that for users who didn’t use DevTools before, we’d like to start showing them a small onboarding popup when they open it for the first time.

(for now we’re mostly thinking about doing it for F12 because people often press it by mistake, but we could extend that to care for scamming scenarios).

Thanks!

  1. They pretend to be support technicians and remote into the victim's computer.

  2. They pretend to approve some type of refund to the victim's bank account.

  3. They edit the HTML in the victim's browser and change the most recent transaction to look like a refund from the scammer.

  4. They can see the victim's balance. So if the victim has 25,000 dollars they will edit the transaction to some amount like 20,000.

  5. Then they trick the victim into thinking they just accidentally were overpaid by the scammer by thousands of dollars.

  6. The scammer edits the victim's balance by adding the 20,000 and now they demand that money back.

This is a very rampant scam and older people are ripped off every day. Banking websites don’t really have a way to prevent this unless browsers agree to allow a website to somehow disable devtools or specifically HTML editing.

Three things:

(1) Here’s a YouTube video about the problem

The scammer takes remote control and modifies the page while hiding that from the user, so the user isn’t personally in the DevTools.

(2) Some sites freeze when you open the DevTools

This is done with something that pauses execution in the debugger, but I haven’t looked into the specifics.

(3) At least one site seems to reject HTML changes

I have a userscript to modify search results pages and it has all kinds of inexplicable failures on Bing for reasons I haven’t tracked down. There may be some kind of halfway effective integrity checking in the page.
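
Added example, not part of any post above and not code from any site mentioned in the thread: a sketch of the kind of in-page integrity check guessed at in point (3), which snapshots the text the page rendered for its balance and transaction list and flags later edits. The `data-guard` attribute and the function names `snapshot`, `findTampered`, `watch` and `fakeRoot` are assumptions made for this illustration, and the sample values are constructed from the amounts in the thread.

```javascript
// Added example (not from the thread). All names are assumptions: the
// data-guard attribute, snapshot(), findTampered(), watch(), fakeRoot().

// Record the text the page itself rendered for every guarded element,
// e.g. <span data-guard="balance"> and <tbody data-guard="transactions">.
function snapshot(root) {
  const seen = new Map();
  for (const el of root.querySelectorAll('[data-guard]')) {
    seen.set(el.getAttribute('data-guard'), el.textContent);
  }
  return seen;
}

// Compare what is displayed now with the trusted snapshot.
function findTampered(root, trusted) {
  const shown = snapshot(root);
  const hits = [];
  for (const [key, expected] of trusted) {
    if (!shown.has(key)) hits.push({ key, reason: 'removed' });
    else if (shown.get(key) !== expected) {
      hits.push({ key, reason: 'changed', shown: shown.get(key), expected });
    }
  }
  return hits;
}

// Browser wiring: re-check on any DOM mutation under root.
function watch(root, trusted, onTamper) {
  const observer = new MutationObserver(() => {
    const hits = findTampered(root, trusted);
    if (hits.length > 0) onTamper(hits);
  });
  observer.observe(root, { subtree: true, childList: true, characterData: true });
  return observer;
}

// Constructed stand-in for a DOM root so the check also runs outside a browser.
function fakeRoot(fields) {
  return {
    querySelectorAll: () => Object.entries(fields).map(([key, text]) => ({
      getAttribute: () => key,
      textContent: text,
    })),
  };
}

// Constructed sample values, mirroring the amounts in the thread.
const rendered = { balance: '$25,000.00', transactions: 'Groceries -$54.10' };
const trusted = snapshot(fakeRoot(rendered));
const edited = { balance: '$45,000.00', transactions: 'Refund +$20,000.00Groceries -$54.10' };
console.log(findTampered(fakeRoot(edited), trusted));
```

In a browser this would be started with `watch(document.body, snapshot(document.body), handler)` once the page has rendered, and the snapshot refreshed whenever the site itself updates the values. Someone with remote control of the session can also stop the script, so a check like this is only partially effective, as the post suggests.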