How to Bypass WhatsApp Web's Locked Chat Feature (lcat.dev)
75 points by loncat4215 on Dec 6, 2024 | 33 comments


Semi-related: On the old F1 website, they'd post the lap and sector times of drivers during an F1 session (practice, qualifying, race). First it was a Java app which had all the data, and then they got fancy and wrote it in JavaScript, and enshittified it: if you don't subscribe to their premium... website offering?.. you just get colored sectors whenever the driver's finished that sector (yellow as they've passed it, green if it's the fastest time they've driven through this sector, purple if it's the fastest of anyone, in the current session). I was wondering if they still had the sector times and just hid it on the frontend, and it was the case. There was an if-block that was called during initialization that checked if user was premium. Adding a breakpoint and adding a condition to set premium = true got me the sector times!

And then they changed their app to use Unity and WASM, and it's all Assembly-esque in the developer tool.


It’s always good to take a look, many things are decided on the client side, and developer tools are part of the browsers anyway.

The other day I wanted to make reservations for a service to send my luggage from the airport to my house in Japan, and the form was giving me errors.

Searching around for the error string, I realized there was a timeout set on the client side, so I increased it and could slowly but smoothly fill in all the information that required a server check.

I guess they never bothered to debug their system when accessing it from the other side of the world. All it needed was a few extra milliseconds for the requests to arrive in time.


A major ISP's "outage check" feature sends all the data back client-side for the actual outage ticket, including circuit IDs, dispatch status, and if the outage is valid for customer credit. I now just hit that API as needed to check when shit goes sideways.

Meanwhile, if you put your ZIP in you just get a little friendly "We're working on it! :)".

I love data firehoses like that.


One of the dating apps with a web interface had a separate API to increment message counts sent to users. Non-premium users could only like profiles or send a limited number of texts. I simply blocked that API and was able to use the app like a premium user.


Leave some matches for the rest of us, Lewis. :<


Yep, this is why I'm not a fan of WASM. It's going to make debugging/reversing webapps much, much harder while that has always been one of the charms of the web.


Also makes learning from other sites much harder, which I think is another fundamental appeal of the web.


Almost the same thing happens on one of the famous online guitar tab playing things and there's a little userscript that "fixes" it.



A lot of WhatsApp's features are enforced client-side, which means on Web they just break with DevTools.

I've done some research into this (haven't published it) but also can't get Facebook's bug bounty report tool to work (whenever I create a Facebook account it gets autobanned) so I haven't been able to report them either. I wonder if stuff like this would be eligible, I don't see why it wouldn't.


> A lot of WhatsApp's features are enforced client-side, which means on Web they just break with DevTools.

This is true. IIRC, there is also a "bug", I think it's unfixable due to WhatsApp's nature at the time, where you can send a message with a tampered quoted reply. It's also done in the DevTools by modifying the quoted message ID to something that doesn't exist.

> I wonder if stuff like this would be eligible, I don't see why it wouldn't.

I just reported it, let's see if it's eligible


Ok, can you let me know if they say it's valid, as if it is considered valid I'll try again with investigating and reporting some issues I found.


It is a good reminder for front-end devs that security-through-obscurity is not sufficient. It never has been.

Reminds me of a security company that claimed they could force a watermark onto any content in their web-front-end. Turns out it was a canvas overlay you could just simply delete from the HTML. LOL.


I used a tool in school that outputted svgs with watermarks. So I proved that if I ever wanted to, though I never needed to, I could just delete that element. Trivial.


This is such a problem in security - executives don’t know that and will buy all sorts of security theatre bullshit



I think my expectations for a feature called “locked chats” are somewhat different from those of WhatsApp.

What is the value of locking something if the lock can be easily bypassed? Just preventing the least sophisticated attacks?

In this case, I think WhatsApp should have done better — or refrained from adding this feature at all.


> What is the value of locking something if the lock can be easily bypassed? Just preventing the least sophisticated attacks?

Amusingly, these two questions apply just as well to almost all physical locks in the material world. I suppose that makes WhatsApp's "lock" analogy apt.


However, we should consider that this is about online privacy features, which is a fairly hot topic nowadays. And it kind of feels that we got drape curtains* instead of a lock - and I think it's not exactly what people would reasonably expect for a feature like this? Or do they clarify that it's a weak protection somewhere?

___

*) I mean, it can be unlocked by literally opening JS console and typing one command. That's a gate latch at best.


> In this case, I think WhatsApp should have done better — or refrained from adding this feature at all.

At least they should encrypt the messages instead of making it seem like it's encrypted. AFAIK, in the mobile WhatsApp, locked chats will get wiped without screen lock or secret code. They make it seem like it's practically impossible to recover the messages without doing real crypto stuff on the locked chats' messages.


Personally I use it to hide chats from my girlfriend who has access to my phone.


I totally get that hiding things from partners is a not uncommon thing.

Speaking as someone who has lived with my wife for over 10 years and where we can each access each other’s phones (for reasons of administrative convenience), neither of us have ever “snooped” on each other.

So when I hear of people taking advantage of features to hide chats from their partner it makes me wonder about the psychological health of either the relationship, one, or both of the partners.

There are absolutely psychologically unhealthy controlling partners who “snoop” on their partners unreasonably dictating what is and isn’t allowed. And at the same time there are also unfaithful partners who are having the kind of conversations with other people that they really shouldn’t when they’re in a committed relationship.

Only other reason I can think to hide chats are risqué group chats with friends posting arguably inappropriate content, but again, if your partner is snooping on this and then getting controlling, that’s not really healthy.

Finally, I will admit I sometimes use incognito mode on my web browser at times (but never for conversations), so perhaps I’m a bit of a hypocrite.


> So when I hear of people taking advantage of features to hide chats from their partner it makes me wonder about the psychological health of either the relationship, one, or both of the partners.

I am the exact opposite and would wonder about the psychological health of either the relationship or both of the partners if they have so intertwined themselves that they no longer feel the need to keep any aspect of their identities private from each other.

> Only other reason I can think to hide chats

The number of reasons are as numerous as there are relationships. I literally just finished sending my mother a message about a joint gift to my father in a group chat that I would not want my father to see, since it would spoil his Christmas present. I have several chat groups that contain information that I am legally not allowed to let my partner, or anyone else for that matter, see. And that's not even getting into all the different levels of confidentiality that friends talking amongst friends reasonably might expect when sharing stories of their personal lives with each other.


I'm curious, for what reasons do you use incognito?


Aside from technical troubleshooting reasons, never for “social” interactions. For all other times, all I will say is that your guess is probably correct.


sounds like a super healthy relationship.


Is there also a bypass for the silly insufficient disk space error in WhatsApp Web, other than reloading the page?


I've never experienced that, it does sound like a silly problem


It's this, not limited to opera. And various recommended settings did not help. It was previously possible to just delete the dialog box from DOM and continue, no more.

https://superuser.com/questions/1856709/whatsapp-web-your-co...


hugged to death : 503 Service Unavailable

I turned off VPN. No dice.


I'm sorry. It's online now.


"Trying something?"


;)



