Mozilla

An interesting way to determine if you are logged into social web sites

Do you remember the trick for finding out which web sites you had visited by analysing link colour (now patched in Firefox)? Your browser tells a page a lot about you if the page just creates a few HTML elements.

Mike Cardwell has found an interesting way to detect if you are logged into social web sites. The easiest trick lies with GMail. Mike created a photo and uploaded it to Google. If you add this image to an HTML document and add event handlers for the success and failure case you can check if the visitor is logged in or not – as the photo gets delivered when you are and GMail delivers a 404 document when you are not:

<img style="display:none;"
     onload="logged_in_to_gmail()"
     onerror="not_logged_in_to_gmail()"
     src="https://mail.google.com/mail/photos/static/AD34hIhNx1pdsCxEpo6LavSR8dYSmSi0KTM1pGxAjRio47pofmE9RH7bxPwelO8tlvpX3sbYkNfXT7HDAZJM_uf5qU2cvDJzlAWxu7-jaBPbDXAjVL8YGpI"
/>

This works in all browsers and can be used, for example, to send mailto: links to GMail directly. Notice that this only checks whether you are logged in; it doesn’t mean you get access to content.

For Facebook and Twitter, this doesn’t quite work. Instead, Mike tries to read content with the APIs and relies on errors to be thrown on 404 responses:

<script type="text/javascript"
        src="https://twitter.com/account/use_phx?setting=false&amp;format=text"
        onload="not_logged_in_to_twitter()"
        onerror="logged_in_to_twitter()"
        async="async"
></script>
 
<script type="text/javascript"
        src="https://www.facebook.com/imike3"
        onload="logged_in_to_facebook()"
        onerror="not_logged_in_to_facebook()"
        async="async"
></script>

This fails to work in Internet Explorer and Opera, but still works nicely for the other browsers. In Firefox you can work around this using the Request Policy add-on.

It’d be interesting to see what other social web sites can be detected with some simple onload and onerror handlers. Know any others?

14 comments

Comments are now closed.

  1. Jan! wrote on February 4th, 2011 at 01:20:

    You could upload an image to a security-sensitive bug in Bugzilla to check if a user is logged in as a member of the security group, but this would change over time as the security bit gets unset.

  2. Paul Rouget wrote on February 4th, 2011 at 01:42:

    It sounds to me like an important privacy issue.

    It’s the consequence of the “Embeddable” Versus “Readable” confusion described by Robert O’Callahan: http://weblogs.mozillazine.org/roc/archives/2011/02/distinguishing.html

  3. Jan! wrote on February 4th, 2011 at 01:50:

    The only way to solve this would be to use a token in each dynamic URL and always return a 403 (or some such) when the token is missing, regardless of the login state, right?
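The token idea raised in comment 3, set against the login-dependent response the article's onload/onerror probes rely on. This is an added example, not code from the post, its commenters or any site named here; the session store, key, path and function names are all constructed for illustration.

```javascript
// Constructed server-side model: which status does a resource URL return?
const nodeCrypto = require("node:crypto");

const SERVER_KEY = nodeCrypto.randomBytes(32);       // per-deployment secret (constructed)
const sessions = new Map([["sid-alice", "alice"]]);  // constructed session store

// Token bound to one user and one path; the site puts it into URLs on its own pages.
function urlToken(user, path) {
  return nodeCrypto.createHmac("sha256", SERVER_KEY)
    .update(`${user}\n${path}`).digest("hex");
}

// Constant-time comparison so the check itself does not leak token bytes.
function tokenMatches(given, expected) {
  const a = Buffer.from(given), b = Buffer.from(expected);
  return a.length === b.length && nodeCrypto.timingSafeEqual(a, b);
}

// Behaviour the article describes: status depends only on the session cookie.
function leakyStatus(req) {
  return sessions.has(req.cookie) ? 200 : 404;
}

// Hardened: without a token valid for this user and path the answer is 403,
// whether or not the request carried a live session.
function hardenedStatus(req) {
  const user = sessions.get(req.cookie);
  const ok = user !== undefined && typeof req.token === "string" &&
    tokenMatches(req.token, urlToken(user, req.path));
  return ok ? 200 : 403;
}

// All an embedding page learns from its handlers: success or failure.
function observable(status) {
  return status === 200 ? "onload" : "onerror";
}

// A cross-site embed sends the visitor's cookie (if any) but cannot know the token.
function crossSiteProbe(statusFn, cookie) {
  const req = { path: "/photos/static/1", cookie, token: undefined };
  return observable(statusFn(req));
}
```

With `leakyStatus` the two login states produce different handler events; with `hardenedStatus` both produce `onerror`, so the embed no longer distinguishes them.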

  4. Chris Heilmann wrote on February 4th, 2011 at 02:08:

    Well, this is one of the reasons why you shouldn’t allow people to link third party photos but instead upload them to your server and resize them with GD or something similar to ensure they _are_ valid images.

  5. Thanasis Polychronakis wrote on February 4th, 2011 at 03:50:

    For Gmail it seems like this script can only tell if Mike is logged in or not but only for Mike…

    Mike uploaded the photo, he has rights to it, we check for Mike’s photo if it’s accessible…

    So how can this be used for everyone on Gmail??

  6. Giorgio Maone wrote on February 4th, 2011 at 10:02:

    You can also break this with a simple ABE rule:

    # This causes 3rd party embedded requests to be sent without cookies,
    # in-url session ids or other authorization tokens
    Site *
    Accept from SELF++
    Anonymize INCLUSION

  7. Stormy wrote on February 4th, 2011 at 10:32:

    I think this is a huge privacy issue.

    I don’t want web pages to know if I’m logged into other services unless I specifically give them permission.

    It feels like the web page is pretending to be me to the service.

    How would we either plug this hole or make it more explicit to the user?

  8. WulfTheSaxon wrote on February 4th, 2011 at 11:22:

    Disabling third-party cookies in Options → Privacy foils this completely.

  9. Giorgio Maone wrote on February 4th, 2011 at 11:25:

    @WulfTheSaxon:
    What about HTTP authentication?

  10. Paul Rouget wrote on February 4th, 2011 at 11:47:

    What about the “From-origin: …” header?

    http://annevankesteren.nl/2011/02/from-origin

  11. Pierre wrote on February 5th, 2011 at 06:01:

    @Thanasis
    No. I can see the image when logged into gmail, and I’m not Mike.
    Just tried to open an incognito window, I cannot see it anymore.


    Pierre

  12. nemo wrote on February 5th, 2011 at 16:03:

    Giorgio Maone, do any of these sites *use* HTTP auth?

  13. Joss Crowcroft wrote on February 6th, 2011 at 08:11:

    This is a great discussion but feels a little bit ‘after the horse has bolted’ – what matters to me isn’t so much that websites will become aware of what services its ‘anonymous’ users are logged in to, but that so many hundreds of millions of users *stay* logged in to social networks ALL the time (myself included!…)

  14. dazbo100 wrote on March 15th, 2011 at 13:02:

    I have the same trouble with the rich content on my website http://www.facebookfanssite.com, which is full of problems at the moment like most sites out there, but I’m human and I’m not flawless yet lol. My website, like others, has a lot of work to be done to it, like Mozilla I guess.
    Sorry for rambling…..
