Do you remember the trick how to find out that you went to certain web sites by analysing link colour (now patched in Firefox)? There is much your browser tells about you if you just create a few HTML elements.
Mike Cardwell has found an interesting way to detect if you are logged into social web sites. The easiest trick lies with GMail. Mike created a photo and uploaded it to Google. If you add this image to an HTML document and add event handlers for the success and failure case you can check if the visitor is logged in or not – as the photo gets delivered when you are and GMail delivers a 404 document when you are not:
<img style="display:none;" onload="logged_in_to_gmail()" onerror="not_logged_in_to_gmail()" src="https://mail.google.com/mail/photos/static/AD34hIhNx1pdsCxEpo6LavSR8dYSmSi0KTM1pGxAjRio47pofmE9RH7bxPwelO8tlvpX3sbYkNfXT7HDAZJM_uf5qU2cvDJzlAWxu7-jaBPbDXAjVL8YGpI" />
This works in all browsers and can be used to for example send
mailto: links to GMail directly. Notice that this just checks that you are logged in, it doesn’t mean you get access to content.
For Facebook and Twitter, this doesn’t quite work. Instead, Mike tries to read content with the APIs and relies on errors to be thrown on 404 responses:
This fails to work in Internet Explorer and Opera, but still works nicely for the other browsers. In Firefox you can work around this using the Request Policy add-on.
It’d be interesting to see what other social web sites can be detected with some simple onload and onerror handlers. Know any others?
About Chris Heilmann
Principal Evangelist at Mozilla for HTML5 and open web. Let's fix this!