What happens when you open the developer console on facebook.com?

Here’s how Facebook prevents you from becoming a Self-XSS victim.

Photo by @konkarampelas on Unsplash.

Many security experts still argue that humans are the weakest link in cybersecurity. The Self-XSS scam confirms this position.

Self-XSS (self cross-site scripting) is a social engineering attack that attackers use to gain access to and control over victims’ web accounts. This kind of scam can also be used to compromise your own Facebook account.

How does it work?

The attacker’s goal is to trick you into running their malicious code in your own web browser.

Usually, the scammer posts a message claiming that if you copy a certain piece of code and run it in your JavaScript console, you will be able to hack into anyone’s account.


What actually happens is that by following the instructions, you involuntarily give the scammer access to your account!


Once the scammer is in control of your account, they can use it to spread the same scam or launch other cyberscams.

Facebook has taken steps to protect its users from this scam by adding Self-XSS to its list of security threats.

In addition, if you open the JavaScript console while you are on Facebook, a warning appears telling you not to paste any unknown code into the browser.
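As an added example (not Facebook’s code, and not code from the original post), here is how a site can print a styled warning of that kind to the browser console. It relies on the `%c` directives that `console.log` supports in browsers, where each `%c` applies the next CSS string argument to the text that follows it. The site name, the help URL and the wording are constructed placeholders.

```javascript
// Added example: emit a large, styled "Stop" warning in the browser
// console so that a user who was told to paste code there sees it first.
// This is not Facebook's code; siteName and helpUrl are placeholders.

// Build the argument list for console.log(). Each "%c" in the format
// string consumes one CSS string from the remaining arguments, so the
// number of "%c" directives must equal the number of style strings.
function buildConsoleWarning(siteName, helpUrl) {
  const format =
    "%cStop!%c\n" +
    "This console is a tool for developers. If someone told you to paste " +
    `code here to unlock a ${siteName} feature or to "hack" an account, ` +
    "it is a scam: the code runs as you, and would hand your " +
    `${siteName} account to them.\n` +
    `%cDo not paste code you do not understand. Help: ${helpUrl}`;

  const headline = "color: red; font-size: 48px; font-weight: bold;";
  const body = "font-size: 16px;";
  const footer = "font-size: 14px; color: gray;";

  return [format, headline, body, footer];
}

// Count the "%c" directives in a format string; used to check that the
// styles line up with the segments before the message is printed.
function styleDirectiveCount(format) {
  return (format.match(/%c/g) || []).length;
}

// Print the warning once per page load. Browsers render the CSS;
// Node.js prints the text and ignores the styles.
let warningShown = false;
function showConsoleWarning(siteName, helpUrl) {
  if (warningShown) return false;
  const args = buildConsoleWarning(siteName, helpUrl);
  if (styleDirectiveCount(args[0]) !== args.length - 1) {
    throw new Error("style count does not match %c directives");
  }
  console.log(...args);
  warningShown = true;
  return true;
}

showConsoleWarning("ExampleSite", "https://example.com/help/self-xss");
```

A warning like this is advisory only: it can stop a user who is about to paste something, but it is not a technical control, so it complements the reporting and account-recovery steps described later rather than replacing them.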


What can I do about it?

If you see this kind of spam on Facebook, you should report it by clicking in the upper-right corner of the post and selecting ‘Find support or report post’.

If you become a victim of one of these attacks, Facebook can help you secure your account again. You can visit their help page for Self-XSS attacks: https://www.facebook.com/help/543344735779134/.

Business graduate and self-taught JavaScript developer.
