Hacker News new | past | comments | ask | show | jobs | submit login

Monkey patching setTimeout / setInterval would allow you to detect when people were running timers on the page. Use of timers could generally be considered "cheating."

It doesn't do anything to intercept people pushing the button.

    window.setTimeout = function setTimeout(fn, ms) {
        alert("No you don't, cheater!");
        assign_button_color_of_shame();
        original_setTimeout(fn, ms);
    }



Which is very, very easily worked around by including another version of the original setTimeout in your console code.

The only real way to detect this is through usage pattern analysis and detection on the web socket side, because if you can write something in JS that catches people, someone can make minor modifications to their code to make it work again.


Just to be clear - this wasn't my original idea and nobody should ever put any security code into a client. Even if you could make this work someone could recompile Chrome to work around it.

I've found a way to get access to the original setTimeout again by embedding an iframe into the page and extracting it from there.

Would be interested in hearing other methods of getting a handle to the original setTimeout again.

I guess you could simulate it by using some other mechanism, say firing off an async request to a server that returns after a certain time and running a callback.


Eh putting security into a client like FB did disabling the console -- it might help against people getting phished. Though I generally agree.


Ohh right, so your plan would be to essentially check for third-party javascript things running on the same page?

This would be a really easy "security" measure to circumvent, though - I could literally just delete your monkey patch, for a start!


It wasn't my idea so, no, that was never my plan :)

Though, you do raise a valid point, so let's see how it plays out.

    setTimeout = function(){...}
    delete setTimeout  // true - you've removed the patch

    window.setTimeout = function(){...}
    delete window.setTimeout  // true - you've removed the patch

    window.constructor.prototype.setTimeout = function(){...}
    delete window.constructor.prototype.setTimeout  // false - the patch is still there!
I don't know about the hierarchy of the prototype chain up at this level but it seems to work.

Maybe there's some other way of getting to the built-in setTimeout so you can create your own version to mask the one I added?

EDIT you can embed an iframe and rip the native setTimeout from there.


They could listen to the DOMSubtreeModified event in the 10s div.


Nice! There are probably clocks all over the place when you start looking around :)


reddit stops you from embedding it iirc


I tried that too - you can just use any old page that has CORs headers allowing it.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: