An interesting way to determine if you are logged into social web sites

Do you remember the trick for finding out whether you had visited certain web sites by analysing link colour (now patched in Firefox)? Your browser tells a lot about you to anyone who just creates a few HTML elements.

Mike Cardwell has found an interesting way to detect if you are logged into social web sites. The easiest trick lies with GMail. Mike created a photo and uploaded it to Google. If you add this image to an HTML document and add event handlers for the success and failure case you can check if the visitor is logged in or not – as the photo gets delivered when you are and GMail delivers a 404 document when you are not:

This works in all browsers and can be used, for example, to send mailto: links to GMail directly. Notice that this only checks that you are logged in; it doesn’t mean you get access to content.

For Facebook and Twitter, this doesn’t quite work. Instead, Mike tries to read content with the APIs and relies on errors to be thrown on 404 responses:



This fails to work in Internet Explorer and Opera, but still works nicely for the other browsers. In Firefox you can work around this using the Request Policy add-on.

It’d be interesting to see what other social web sites can be detected with some simple onload and onerror handlers. Know any others?
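The leak described above, next to the token-based fix suggested in the comments below, as an added example that is not from the original article or from Mike Cardwell's code. It is a constructed server model: the handlers, session values, paths and token are all hypothetical.

```javascript
// Added example. Sessions, paths and the token are constructed; no real service is modelled.
const SESSIONS = new Map([
  ['sess-alice', { user: 'alice', photoToken: 'k3Jq9-constructed-token' }],
]);

// Compares every character instead of stopping at the first mismatch.
function safeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i % (b.length || 1));
  return diff === 0;
}

// Behaviour the article describes: the response depends only on the session cookie,
// so any page that embeds the URL learns the visitor's login state.
function vulnerableHandler(req) {
  return SESSIONS.has(req.cookie) ? { status: 200, type: 'image/png' }
                                  : { status: 404, type: 'text/html' };
}

// Fix from the comments: the URL must carry an unguessable per-user token, and a
// request without it gets the same 403 whether or not a session exists.
function hardenedHandler(req) {
  const session = SESSIONS.get(req.cookie);
  const token = new URL(req.url, 'https://photos.example').searchParams.get('t');
  if (session && token !== null && safeEqual(token, session.photoToken)) {
    return { status: 200, type: 'image/png' };
  }
  return { status: 403, type: 'text/html' };
}

// An embedding page sees only which <img> event fired, never the response body.
function observedEvent(res) {
  return res.status === 200 && res.type.startsWith('image/') ? 'onload' : 'onerror';
}

// True when a logged-in and a logged-out visitor trigger different events for the
// same URL, i.e. when the endpoint leaks login state to a third-party page.
function leaksLoginState(handler, url) {
  const loggedIn = observedEvent(handler({ url, cookie: 'sess-alice' }));
  const loggedOut = observedEvent(handler({ url, cookie: null }));
  return loggedIn !== loggedOut;
}

console.log('vulnerable leaks:', leaksLoginState(vulnerableHandler, '/photo/123'));
console.log('hardened leaks:  ', leaksLoginState(hardenedHandler, '/photo/123'));
```

The hardened handler still answers differently for a URL that includes the correct token, but a third-party page has no way to learn that token, so it cannot build a URL that distinguishes the two states.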

About Chris Heilmann

Evangelist for HTML5 and open web. Let's fix this!



14 comments

  1. Jan!

    You could upload an image to a security-sensitive bug in Bugzilla to check if a user is logged in as a member of the security group, but this would change over time as the security bit gets unset.

    February 4th, 2011 at 01:20

  2. Paul Rouget

    It sounds to me like an important privacy issue.

    It’s the consequence of the “Embeddable” Versus “Readable” confusion described by Robert O’Callahan: http://weblogs.mozillazine.org/roc/archives/2011/02/distinguishing.html

    February 4th, 2011 at 01:42

  3. Jan!

    The only way to solve this would be to use a token in each dynamic URL and always return a 403 (or some such) when the token is missing, regardless of the login state, right?

    February 4th, 2011 at 01:50

  4. Chris Heilmann

    Well, this is one of the reasons why you shouldn’t allow people to link third party photos but instead upload them to your server and resize them with GD or something similar to ensure they _are_ valid images.

    February 4th, 2011 at 02:08

  5. Thanasis Polychronakis

    For Gmail it seems like this script can only tell if Mike is logged in or not but only for Mike…

    Mike uploaded the photo, he has rights to it, we check for Mike’s photo if it’s accessible…

    So how can this be used for everyone on Gmail??

    February 4th, 2011 at 03:50

  6. Giorgio Maone

    You can also break this with a simple ABE rule:

    # This causes 3rd party embedded requests to be sent without cookies,
    # in-url session ids or other authorization tokens
    Site *
    Accept from SELF++
    Anonymize INCLUSION

    February 4th, 2011 at 10:02

  7. Stormy

    I think this is a huge privacy issue.

    I don’t want web pages to know if I’m logged into other services unless I specifically give them permission.

    It feels like the web page is pretending to be me to the service.

    How would we either plug this hole or make it more explicit to the user?

    February 4th, 2011 at 10:32

  8. WulfTheSaxon

    Disabling third-party cookies in Options → Privacy foils this completely.

    February 4th, 2011 at 11:22

  9. Giorgio Maone

    @WulfTheSaxon:
    What about HTTP authentication?

    February 4th, 2011 at 11:25

  10. Paul Rouget

    What about the From-origin: … header?

    http://annevankesteren.nl/2011/02/from-origin

    February 4th, 2011 at 11:47

  11. Pierre

    @Thanasis
    No. I can see the image when logged into gmail, and I’m not Mike.
    Just tried to open an incognito window, I cannot see it anymore.


    Pierre

    February 5th, 2011 at 06:01

  12. nemo

    Giorgio Maone, do any of these sites *use* HTTP auth?

    February 5th, 2011 at 16:03

  13. Joss Crowcroft

    This is a great discussion but feels a little bit ‘after the horse has bolted’ – what matters to me isn’t so much that websites will become aware of what services its ‘anonymous’ users are logged in to, but that so many hundreds of millions of users *stay* logged in to social networks ALL the time (myself included!…)

    February 6th, 2011 at 08:11

  14. dazbo100

    I have the same trouble with the rich content on my website http://www.facebookfanssite.com, which is full of problems at the moment like most sites out there, but I’m human and I’m not flawless yet lol. My website, like others, has a lot of work to be done to it, like Mozilla I guess.
    Sorry for rambling…..

    March 15th, 2011 at 13:02
