
Abusing HTTP Status Codes To Expose Private Info

CmdrTaco posted more than 3 years ago | from the i-see-what-you-did-there dept.

Privacy 133

An anonymous reader writes "Here's a neat technique for testing if people are logged into other websites. Examples for Facebook, Twitter, GMail and Digg are provided." Like we needed more reasons to use the Chrome incognito function.


And let's not forget... (-1, Offtopic)

Magada (741361) | more than 3 years ago | (#35008804)

The new /. still sucks big time.
Yeah. Mod me offtopic, why dontcha.

Re:And let's not forget... (2, Informative)

pbhj (607776) | more than 3 years ago | (#35008842)

Half the text is cropped by an overhanging left-menu if I use my normal text size. Gah!

Re:And let's not forget... (2)

Yvan256 (722131) | more than 3 years ago | (#35009280)

I don't see how his comment is flamebait. Increase your font size, you can easily replicate the bug he mentioned.

Re:And let's not forget... (1)

BrokenHalo (565198) | more than 3 years ago | (#35010010)

Alternatively, if you don't like the new interface, you could go into your /. preferences and change the interface to "Classic". After all, that dynamic content does nothing to improve the content.

Re:And let's not forget... (2)

The_Fire_Horse (552422) | more than 3 years ago | (#35008860)

I concur. And well done on getting the first post. It now takes 3-5 seconds to 'preview' a one line text post, so my days of first posting are clearly numbered! Maybe that was the intent?

Re:And let's not forget... (2)

Magada (741361) | more than 3 years ago | (#35008892)

Ha. Possible. My alternative theory is that the new site is using our computers to make BitCoin. I have one core pegged at 100% utilization by Firefox when browsing the site.

Re:And let's not forget... (1)

Anonymous Coward | more than 3 years ago | (#35008936)

I only *have* one core, you insensitive clod!

(and yes, it's very nicely pegged at 100%.)

Re:And let's not forget... (3, Insightful)

HarrySquatter (1698416) | more than 3 years ago | (#35008984)

It now takes 3-5 seconds to 'preview' a one line text post,

Wow, that's an improvement to before where it would take upwards of 10-20 seconds for the preview to finish.

Re:And let's not forget... (-1)

Anonymous Coward | more than 3 years ago | (#35008868)

So don't come here!

Isn't that what the libertarian-Republican line is here?

Re:And let's not forget... (3, Insightful)

Culture20 (968837) | more than 3 years ago | (#35008914)

The new /. still sucks big time. Yeah. Mod me offtopic, why dontcha.

More likely redundant since everyone knows it already.

Re:And let's not forget... (2, Insightful)

Magada (741361) | more than 3 years ago | (#35009074)

Everyone except those who should fix it, apparently.

Re:And let's not forget... (3, Informative)

roka (211127) | more than 3 years ago | (#35009094)

You could write your own CSS or get an existing one [userstyles.org]

HTTP 502 - Service temporarily overloaded (3, Informative)

Anonymous Coward | more than 3 years ago | (#35008834)

Yes, that link is really neat!
HTTP 502 - Service temporarily overloaded

Re:HTTP 502 - Service temporarily overloaded (1)

prxp (1023979) | more than 3 years ago | (#35008890)

Slashdotted already? Damn!

Re:HTTP 502 - Service temporarily overloaded (1)

PseudonymousBraveguy (1857734) | more than 3 years ago | (#35008954)

Link to Google cache [googleusercontent.com]

Re:HTTP 502 - Service temporarily overloaded (0)

Steve Max (1235710) | more than 3 years ago | (#35009044)

s/Corel/Coral/, obviously.

Re:HTTP 502 - Service temporarily overloaded (3, Informative)

Steve Max (1235710) | more than 3 years ago | (#35009012)

I believe you're supposed to abuse the HTTP error code somehow to get the content.

Corel Cache [nyud.net] also works.

Incognito anyways (1)

s1lverl0rd (1382241) | more than 3 years ago | (#35008900)

This is quite scary. Though, I always use the Incognito mode when browsing sites I don't trust as much as others (ahem).

Re:Incognito anyways (4, Insightful)

PseudonymousBraveguy (1857734) | more than 3 years ago | (#35009014)

I doubt that helps against the technique presented in TFA, because it does not depend on cookies or anything that is blocked in Incognito mode. Basically, they only rely on an HTTP request to the site to be checked, using JavaScript to determine the HTTP status. Thus, disabling JavaScript helps. The Firefox add-on "Request Policy" should, according to the author of TFA, help, too.

Re:Incognito anyways (0)

s1lverl0rd (1382241) | more than 3 years ago | (#35009060)

Incognito mode does work, though. I think this technique does actually depend on cookies. It checks whether you are logged in to Facebook, and Facebook checks whether you are logged in or not by using cookies.

Re:Incognito anyways (1)

MankyD (567984) | more than 3 years ago | (#35009126)

Incognito mode doesn't prevent cookies within the browsing session. It merely prevents them from persisting after private-browsing mode has ended. Hence, you can still log into sites that use cookies.

Re:Incognito anyways (2)

Sancho (17056) | more than 3 years ago | (#35009444)

You can log in, however it gives you a blank cookie jar to start. You would have to log in to Gmail from within Incognito mode in order for this site to detect you.

Re:Incognito anyways (2)

DavidTC (10147) | more than 3 years ago | (#35009462)

It disables existing cookies.

If you go and log into Facebook within the Incognito session, yes, this trick will work. But it can't tell if you were logged in before that.

Re:Incognito anyways (1)

PseudonymousBraveguy (1857734) | more than 3 years ago | (#35009192)

Well, basically by disabling cookies Incognito mode logs off your Facebook session, so the test (correctly) determines you are not logged in. Thus, you do not break the test itself.

Whether that's the same thing is debatable, I admit. But as the technique's potential might go beyond checking cookie-based logons, I think the difference is worth pointing out.

Re:Incognito anyways (1)

maxume (22995) | more than 3 years ago | (#35009062)

It depends on there being some authentication between your browser and the website being checked; for gmail, that's a cookie...

Re:Incognito anyways (1)

Nursie (632944) | more than 3 years ago | (#35009068)

Right, so blocking content from facebook.com (and fbcdn.com) except when you're on a facebook.com page, ought to work?

Adblock Pro gives me the ability to disallow content when it's "third party" and I already make use of this feature. If the page wasn't /.ed I'd give it a try...

Re:Incognito anyways (1)

Apatharch (796324) | more than 3 years ago | (#35009150)

The technique does depend on cookies (if indirectly), since social networking sites (and indeed any site using sessions) depend on cookies to maintain their sessions. Incognito mode doesn't block cookies; it just makes sure they're deleted once you close the browser, so it won't provide any defence against the "attack".

Also, it would be straightforward to adapt the technique to work in IE by using AJAX requests instead of script tags to query the URLs to be checked.

Re:Incognito anyways (1)

RalphSleigh (899929) | more than 3 years ago | (#35009976)

You can't do cross domain xhttprequests, so you can't do it via AJAX.

The idea behind it... (5, Informative)

ashidosan (1790808) | more than 3 years ago | (#35008926)

The technique involves using Javascript to load an image only available when logged in to one of these services, and checking the HTTP status code returned.

Doesn't seem to be a ton of potential for abuse, but I suppose it's somewhat privacy-related.

Re:The idea behind it... (5, Interesting)

toetagger (642315) | more than 3 years ago | (#35009010)

I don't know... What if I would do this in my slashdot signature, trying to load a picture only available for people on the RIAA Intranet. Then I could show a different signature to the RIAA than to everyone else. Copy/Paste for FBI, your HR/employer, or even your spouse.

Re:The idea behind it... (4, Informative)

acooks (663747) | more than 3 years ago | (#35009216)

Looks like you've just rediscovered the idea of cross-site scripting.

Wikipedia says:
"Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. "

Re:The idea behind it... (3, Informative)

natehoy (1608657) | more than 3 years ago | (#35009266)

Precisely why a lot of discussion boards do not allow images in their signatures, especially third-party images. Also why so many companies used to offer "free counters" and "enhanced email with images" (à la IncrediMail) and whatnot as long as they were served from THEIR site. You can collect a lot of information about users of a site without the complications of having to compensate the site owners or having them cooperate with you.

Re:The idea behind it... (1)

binkzz (779594) | more than 3 years ago | (#35009752)

I don't know... What if I would do this in my slashdot signature, trying to load a picture only available for people on the RIAA Intranet. Then I could show a different signature to the RIAA than to everyone else. Copy/Paste for FBI, your HR/employer, or even your spouse.

Except that this is a different method altogether. It's always been possible to push different contents based on different IPs, but this is about being able to tell whether or not you're logged into certain websites or not.

Re:The idea behind it... (1)

petermgreen (876956) | more than 3 years ago | (#35009826)

What if I would do this in my slashdot signature

I don't think /. allows javascript in signatures.

Re:The idea behind it... (0)

Anonymous Coward | more than 3 years ago | (#35010328)

You can already do that just by checking the IP address, user agent, etc.

Haven't you seen those signature images that show things like "Your IP address is x.x.x.x and you're using Windows you stupid twat"?

Re:The idea behind it... (0)

Anonymous Coward | more than 3 years ago | (#35009144)

1. A site owner could have a script report the status codes back to the server.
2. An employer could check to see which sites people are logged on to.
3. Sounds like a huge potential for xss.

Re:The idea behind it... (1)

AmiMoJo (196126) | more than 3 years ago | (#35009660)

If you know someone has an account on FB/Google/Hotmail/PayPal and are currently logged into it you could try using a phishing attack. PayPal in particular keep demanding your password if you are inactive for five minutes. History shows that users see password prompts simply as barriers to what they want to do and so will mindlessly type their secret into any vaguely official looking box.

Law enforcement could use it to detect people with accounts on illegal sites too, e.g. Twitter or Facebook in countries where they are banned.

Re:The idea behind it... (1)

ashidosan (1790808) | more than 3 years ago | (#35009782)

How would this technique add any useful information to law enforcement's monitoring in countries with banned sites? Assuming I owned the HTTP stream (literally), I could discover pretty much whatever I want without resorting to this.

Look what happened in Tunisia. Since they literally owned the HTTP stream, they just injected code to harvest personal information. XSS protection is useless if the basic stream is compromised.

Re:The idea behind it... (1)

AmiMoJo (196126) | more than 3 years ago | (#35010748)

Say the person logs in over a VPN or Tor. The cookie they get to be logged in is the same as an unencrypted connection so it could be used to determine if they were circumventing blocks or trying to hide their actions online.

Re:The idea behind it... (1)

rjstanford (69735) | more than 3 years ago | (#35009866)

Compute cycles are cheap when you're running a script on someone else's computer. Why not just try it anyway? If they're not logged in, it won't work. If they are, it will. Checking to see whether or not you think it will work is only useful if you care about the user you're about to rob.

Re:The idea behind it... (0)

Anonymous Coward | more than 3 years ago | (#35010062)

> Compute cycles are cheap

Are they more or less expensive than computation cycles?

I suppose by avoiding the branching to select a noun instead of a verb they can avoid a few instructions.

Re:The idea behind it... (2)

Canazza (1428553) | more than 3 years ago | (#35009906)

There was a similar technique that determines if a site has been visited, using user history and CSS: creating a bunch of links and using the :visited CSS tag, then using javascript to loop through the links to determine their visited status (i.e., using width, or padding, or colour set by the CSS).

The images thing seems to be along the same lines, as far as privacy issues go anyway.

Re:The idea behind it... (1)

whoever57 (658626) | more than 3 years ago | (#35010804)

And it doesn't work in all cases. It could not detect that I am logged into gmail.

Incog Newb (1)

leather hides (1983870) | more than 3 years ago | (#35008950)

I've never really used incognito in chrome, maybe I should start...

Re:Incog Newb (1)

Lennie (16154) | more than 3 years ago | (#35010008)

Why ? It does not solve this problem.

Not quite (0)

Suki I (1546431) | more than 3 years ago | (#35008972)

It might not work as well as they think. I got this as I read down a bit:

First of all. Lets check if you're logged into GMail right now (not including Google Apps)... (Yes, you are logged in).

Actually, I am browsing with Chrome, but have not opened GMail in this session at all, not once since the reboot. Maybe it is something Chrome is doing, since I get "No, you're not logged in" while using the incognito window.

Re:Not quite (3, Interesting)

ArcherB (796902) | more than 3 years ago | (#35009052)

It might not work as well as they think. I got this as I read down a bit:

First of all. Lets check if you're logged into GMail right now (not including Google Apps)... (Yes, you are logged in).

Actually, I am browsing with Chrome, but have not opened GMail in this session at all, not once since the reboot. Maybe it is something Chrome is doing, since I get "No, you're not logged in" while using the incognito window.

If you are using your gmail account to download bookmarks, custom home page or whatever Chrome may be logging into gmail for, it may throw off the result.

However, in saying that, I noticed that it reported me logged into Facebook, which I am not, nor have I since my last reboot. I'm running Firefox 3.6.13.

Re:Not quite (3, Insightful)

Pteraspidomorphi (1651293) | more than 3 years ago | (#35009480)

Your login info could be stored in a cookie, in which case his image request will use the cookie info and automatically log you in.

Re:Not quite (1)

dzfoo (772245) | more than 3 years ago | (#35010658)

And the point is not necessarily to know if you're logged in, but that you are a Facebook user (because your browser acknowledges that it is or has logged in).

Therefore, it succeeded.

      -dZ.

Re:Not quite (0)

Anonymous Coward | more than 3 years ago | (#35009644)

It said the same thing about twitter for me. I do not have a login, and even if I did, it is filtered here.

Re:Not quite (0)

Anonymous Coward | more than 3 years ago | (#35009084)

If you have the gmail checker extension in chrome active you are actually always logged in to your google account even if you are just browsing to google.com (search) or some other page.

Re:Not quite (1)

Thelasko (1196535) | more than 3 years ago | (#35009700)

I received a similar message for Facebook further down the page. I have never, ever logged into Facebook on this machine.

Re:Not quite (2)

oodaloop (1229816) | more than 3 years ago | (#35009738)

It said Yes for me (after I allowed the site in NoScript in FireFox), even though I don't have gmail open. I did have iGoogle and Google Voice up, which use the same ID. I guess any page that uses the Google log in would show a Yes, after javascript is turned on. Yet another reason to use NoScript for me.

Re:Not quite (1)

Kakao (1626933) | more than 3 years ago | (#35010104)

And it told me I was not logged into Gmail while I was. Firefox 3.6.13.

The cached version (4, Informative)

antido (1825442) | more than 3 years ago | (#35008992)

Is here [googleusercontent.com] .

Slashdotted. (1)

janestarz (822635) | more than 3 years ago | (#35009036)

Slashdotted. I guess everyone was curious!

Re:Slashdotted. (1)

gibletparade (1033096) | more than 3 years ago | (#35009148)

No, they used "ERR_CONNECTION_RESET" to siphon your bank account.

How it works (5, Informative)

mazesc (1922428) | more than 3 years ago | (#35009086)

As the page is slashdotted, I just wanted to post how it is done here:

For GMail, he added an image to his own GMail account, which he set to "visible for everyone". On his own site he added an invisible img and tries to access the image in his GMail account. He then triggers a javascript function depending on the outcome of the img inclusion (onload or onerror), so he can decide whether the visitor of his website is logged in to GMail.

For Facebook, Twitter and Digg he uses HTTP status codes. He tries to access some URL (https://www.facebook.com/imike3) via javascript and, depending on the status code he gets, he can decide whether you are logged in or not. This attack doesn't work with IE or Opera, because they do not trigger the onload/onerror events when receiving invalid JS.

Re:How it works (0)

Anonymous Coward | more than 3 years ago | (#35009438)

The real issue seems to be that JavaScript is allowed to access information about a resource loaded from a different origin than the JavaScript code. Information such as HTTP response code or MIME type. Which is worsened by how simple onerror makes it for the coder to access that info (no need to employ AJAX, just write onerror="call_my_func()").

If this violates same origin policy for JavaScript, it's a security hole and should be plugged. But apparently Google told him that it's "expected behavior".

Re:How it works (2)

Trailer Trash (60756) | more than 3 years ago | (#35009550)

It's expected behavior. Many, many sites use javascript or images loaded from elsewhere. Google Analytics, the little badges that say that your site cert is good, on and on.

Re:How it works (1)

tlhIngan (30335) | more than 3 years ago | (#35010150)

It's expected behavior. Many, many sites use javascript or images loaded from elsewhere. Google Analytics, the little badges that say that your site cert is good, on and on.

So... does this mean things like NoScript automatically prevent the issue? I already put google-analytics on the blacklist so it's never displayed in the NoScript menu and the like.

A little bit of No Script goes a long way (1)

Anonymous Coward | more than 3 years ago | (#35009142)

The "Hack" seems to only work when scripts are enabled for the full base of a particular website. If I only enable static.ak.fbcn.net, I can still use facebook functionality but this "hack" can't tell that I'm logged in. The point of my story is if you're using Firefox with NoScript (and you have a vague idea what you're doing), you're still safe. I'm still wary of using Chrome.

Um...no? (1)

chill (34294) | more than 3 years ago | (#35009254)

It says I was logged into GMail (correct) and Facebook (incorrect).

Not only do I not have a Facebook account to be logged in to, the computer I'm using has never directly gone to facebook.com. Other sites may have inlined facebook stuff, but I still don't have an account there.

So what gives? No, no one else uses this computer. Yes, I am absolutely, 100% certain.

Re:Um...no? (1)

PeterKraus (1244558) | more than 3 years ago | (#35009332)

I'm logged in into Gmail (which I am), and not into Facebook (which is blocked by company fw). But I'm also apparently logged into twitter, which I don't have any account on, never ever have been to, and is also blocked by company fw.

I call bullshit.

Re:Um...no? (2)

webbiedave (1631473) | more than 3 years ago | (#35009446)

You didn't say which browser you are using. The article states that the facebook/twitter detects don't work in IE or Opera.

Re:Um...no? (1)

PeterKraus (1244558) | more than 3 years ago | (#35010024)

It is Firefox.

BTW, you could've guessed I'm not using IE or Opera by looking at my email address :P

Re:Um...no? (0)

Anonymous Coward | more than 3 years ago | (#35010352)

I was going to guess lynx but that's just me.

Re:Um...no? (0)

Anonymous Coward | more than 3 years ago | (#35010388)

It is Firefox.

BTW, you could've guessed I'm not using IE or Opera by looking at my email address :P

You just said you're posting from work. A lot of people don't get to choose their work browsers.

Re:Um...no? (0)

Anonymous Coward | more than 3 years ago | (#35010302)

> detects don't work in IE

Detections. Don't schools teach the difference between verbs and nouns any more?

Re:Um...no? (1)

JThaddeus (531998) | more than 3 years ago | (#35009384)

It said I was not logged on to either GMail or Facebook although I was.

Re:Um...no? (1)

panth13 (1211316) | more than 3 years ago | (#35009412)

The one that I was logged into (GMail) stated I wasn't. It only got the ones correct that I wasn't logged into, perhaps because it doesn't work? I was using FF. I also call BS. -B

Re:Um...no? (0)

Anonymous Coward | more than 3 years ago | (#35009568)

You can be logged into gmail without actually viewing the page, as it stores a validation cookie that is used in their authentication process.

Re:Um...no? (0)

Anonymous Coward | more than 3 years ago | (#35011242)

Were you on the actual site, or the cached page?

Isn't this just CSRF ? (0, Insightful)

Anonymous Coward | more than 3 years ago | (#35009314)

Cross-Site Request Forgery ?

Re:Isn't this just CSRF ? (1)

dzfoo (772245) | more than 3 years ago | (#35010760)

Yes. Next!

Nope (1)

kevind23 (1296253) | more than 3 years ago | (#35009426)

This doesn't work at all. I'm logged into Gmail and Facebook, neither of which it detected.

Ho hum (1, Informative)

davidbrit2 (775091) | more than 3 years ago | (#35009440)

Another day, another guy thinking CSRF is something new.

No, I am not (1)

kreuzotter (13645) | more than 3 years ago | (#35009538)

I was logged into Slashdot and that bloody web page said I was logged into facebook. I would NEVER use facebook. Damn liar....mumble mumble

Re:No, I am not (1)

webmosher (322834) | more than 3 years ago | (#35009812)

I suspect this method has a "bug" or it's not working as expected in Chrome:
1) I am logged into Google apps, but it says I am not.
2) I do not have a twitter account, but it says I am logged in (and it's blocked by Websense).

Something odd is afoot.

Re:No, I am not (1)

Zenaku (821866) | more than 3 years ago | (#35010296)

He states that the Gmail version doesn't detect if you are logged into Google apps.

I suspect that his technique shows you as being logged into twitter BECAUSE it is blocked by Websense. His method for detecting a twitter login relies on attempting to access a twitter URL and looking at the HTTP status code that comes back. In your case Websense is not allowing the connection to twitter, but it is returning a valid HTML page with an OK status -- the page that says you've tried to access a site that is blocked.

I wouldn't call this status code abuse (2, Informative)

Anonymous Coward | more than 3 years ago | (#35009596)

This is a javascript thing, not a problem with HTTP result codes. And a cookie problem too.

The idea here is that your page offers a script to the user, the user elects to execute this script with his own permissions, and the script requests resources from some other website and either fails or succeeds, and that success/failure implies certain facts about the user.

But when you describe it like that, does the fact that success/failure is detected, really look like the dangerous and scary part, or do your eyebrows go up just a little bit higher at the idea of people downloading and executing scripts as themselves?

And then look deeper and think about what the cookie is. Facebook and gmail offer you a cookie to send with future page requests as login credentials instead of having to enter a username/password or session identifier on every single page; that cookie is yours and you are responsible for it and it shouldn't be sent out just whenever anyone wants to use it. And yet an img tag on some other website's page causes behavior that results in your cookie being sent to facebook? That's pretty much the essence of CSRF.

So we've got people running untrusted scripts, doing it as themselves, and CSRFs happening. And you're calling attention to HTTP status codes? Sheesh. That final tiny bit of the puzzle is insignificant.

Re:I wouldn't call this status code abuse (1)

Lennie (16154) | more than 3 years ago | (#35010036)

The real solution is to set a cookie with a path on the site where people are logged in and not have any images in that path on the webserver.

Re:I wouldn't call this status code abuse (1)

Lennie (16154) | more than 3 years ago | (#35010120)

Or use a different domain, of course.
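The mechanism mazesc describes above (an image or script load whose HTTP status depends on the visitor's session cookie), the point in "I wouldn't call this status code abuse" that the browser attaches that cookie to an img request from any site, and the two fixes Lennie proposes (scope the session cookie with a Path that contains no images, or serve images from a different domain) can all be checked against the cookie-matching rules browsers actually follow. The example below is added here and is not code from the article, from Slashdot or from any of the sites named; the hostnames, paths, cookie names and the tiny web app it models are constructed assumptions. It implements RFC 6265 path-match and domain-match, works out which cookies a browser would attach to a cross-site image request, and then asks whether the resulting status differs between an anonymous visitor and a logged-in one, which is exactly the difference an onload/onerror handler can observe.

```python
"""Cookie scoping against cross-site login probes (added example, not from the
article). The site layout, hostnames, paths and cookie names below are
constructed assumptions; the matching rules follow RFC 6265 5.1.3 and 5.1.4."""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str       # host the cookie was set by, or its Domain attribute
    path: str         # Path attribute
    host_only: bool   # True when Set-Cookie carried no Domain attribute


def path_match(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 5.1.4: the request path equals the cookie path, or extends it
    on a path-segment boundary ("/account" covers "/account/x", not "/accounts")."""
    if cookie_path == request_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def domain_match(cookie: Cookie, request_host: str) -> bool:
    """RFC 6265 5.1.3: host-only cookies need the exact host; a Domain cookie
    also covers subdomains (the IP-address special case is omitted here)."""
    if cookie.host_only:
        return request_host == cookie.domain
    return request_host == cookie.domain or request_host.endswith("." + cookie.domain)


def cookies_for(jar: Iterable[Cookie], request_host: str, request_path: str) -> List[str]:
    """Names of the cookies a browser would attach to a request (RFC 6265 5.4)."""
    return sorted(c.name for c in jar
                  if domain_match(c, request_host) and path_match(c.path, request_path))


def app_status(request_host: str, request_path: str, cookie_names: List[str]) -> int:
    """Constructed web app (an assumption): the static host and /static/ are
    served without consulting cookies; everything else on the main host sits
    behind a login wall that bounces anonymous requests with a 302."""
    if request_host == "static.example.test" or request_path.startswith("/static/"):
        return 200
    return 200 if "session" in cookie_names else 302


def is_login_oracle(logged_in_jar: Iterable[Cookie], request_host: str, request_path: str) -> bool:
    """True when a logged-in browser and an anonymous one get different statuses
    for the same URL: the difference a third-party page sees via onload/onerror."""
    anonymous = app_status(request_host, request_path, cookies_for([], request_host, request_path))
    logged_in = app_status(request_host, request_path,
                           cookies_for(logged_in_jar, request_host, request_path))
    return anonymous != logged_in


# Weak: session cookie valid for the whole site, so every image load carries it.
WEAK_JAR = [Cookie("session", "www.example.test", "/", host_only=True)]
# Lennie's first fix: Path restricted to the logged-in area, images kept outside it.
PATH_SCOPED_JAR = [Cookie("session", "www.example.test", "/account", host_only=True)]
# A Domain attribute widens the cookie to every subdomain, including a static host.
DOMAIN_WIDE_JAR = [Cookie("session", "example.test", "/", host_only=False)]


if __name__ == "__main__":
    checks = [
        (WEAK_JAR, "www.example.test", "/photos/avatar.jpg"),
        (PATH_SCOPED_JAR, "www.example.test", "/photos/avatar.jpg"),
        (PATH_SCOPED_JAR, "www.example.test", "/account/inbox"),
        (WEAK_JAR, "static.example.test", "/photos/avatar.jpg"),
    ]
    for jar, host, path in checks:
        sent = ", ".join(cookies_for(jar, host, path)) or "none"
        print(f"{host}{path:<22} cookies sent: {sent:<10} login oracle: {is_login_oracle(jar, host, path)}")
```

Two things the run shows. A cookie with Path=/account removes the oracle for /photos/avatar.jpg but not for /account/inbox: a page that needs the session must still receive the cookie, so the script-tag variant against an HTML URL is untouched by path scoping. And a cookie set with Domain=example.test still travels to static.example.test, so the separate-domain fix only works with a host-only cookie (or a genuinely unrelated domain) for the login area.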

Re:I wouldn't call this status code abuse (1)

Lennie (16154) | more than 3 years ago | (#35010176)

I re-read part of the article, seems not all browsers check if it is valid javascript if a script-tag is used. I consider that a browser bug.

CsFire Blocks (0)

Anonymous Coward | more than 3 years ago | (#35009670)

The example script correctly showed me being logged in on Facebook.
Glad it did, made me realize that I'd forgotten to turn CsFire [mozilla.org] back on for God knows how long.
Now it falsely states that I'm not logged into Facebook. What'd I do without my tinfoil-firefox-plugins?

Or just use NoScript w/ FF (3, Informative)

228e2 (934443) | more than 3 years ago | (#35009692)

First of all. Lets check if you're logged into GMail right now (not including Google Apps)... (Please enable JavaScript).
Are you logged into Twitter ? (Please enable JavaScript)
Are you logged into Facebook? (Please enable JavaScript)

:o

Re:Or just use NoScript w/ FF (1)

tim_gladding (220795) | more than 3 years ago | (#35010516)

NoScript FTW

This is just a CSRF attack (3, Informative)

brunes69 (86786) | more than 3 years ago | (#35009760)

The author of this article seems to have discovered the CSRF attack. Congratulations and welcome to the year 1990.

http://en.wikipedia.org/wiki/Cross-site_request_forgery [wikipedia.org]

Re:This is just a CSRF attack (1)

moderatorrater (1095745) | more than 3 years ago | (#35011126)

That's exactly what he's done. I'm surprised more people aren't yawning over this. I remember when this was demonstrated only showing your gmail contacts instead of just whether you're logged in or not.

The only novel thing he appears to have done is trying to load a static resource that requires you to be logged in. I haven't seen it done this way before, but it's a small refinement on an existing attack, not a novel attack.

Sort of... (1)

self assembled struc (62483) | more than 3 years ago | (#35010094)

Only he thinks I'm logged into Facebook. But I don't have a Facebook account, so I can't be. And this is my work computer which gets locked when I leave my desk so no one else has logged in (plus I have an office door that I lock behind me).

*tin foil hat time*
I even have *facebook.com and *fbcdn* blocked in AdBlockPlus though, since I don't really want Facebook building a user-profile about me with all those nefarious "like" buttons it got chumps to place on non-facebook sites. They don't need to know what articles I read on the NY Times and correlate to what articles I read on Wired cross-referenced with the articles I read on Slate.

So, really, this "sort of" works, but you can't rely on it.

It is wrong. (0)

Anonymous Coward | more than 3 years ago | (#35010114)

I am logged into gmail, and the article says I am not.

Article not entirely correct (1)

rs1n (1867908) | more than 3 years ago | (#35010156)

I read the article and tested if the code works -- and it does. However, the article is somewhat misleading -- or at least I found that it was not as clear as it should have been with "logged in."

For example, I logged into my gmail account, and closed the tab without logging out. The code from the article shows that I am still logged in -- true from a technical standpoint, but I closed out the gmail tab already. Likewise with facebook. However, all the code can really do is test whether or not the current computer you are using had previously had an account logged in (and is still logged in). It does not know that it is my account, or my wife's account, etc.

To use this code to check a user's online status -- well, you run into the same problem as aforementioned. So you can't even use the information to get useful browsing information about the current user. At best, you can say that the current user is using a machine that has had a gmail account logged into it, etc.

Worse than you think (2)

xkr (786629) | more than 3 years ago | (#35010278)

I did a small amount of testing and it appears to me that this technique permits more leaks of user's behavior than stated directly in the article.

Lots of websites leave you "logged in" for a while, including /. This means that the user does not have to have an open page or tab, and may not perceive that he or she is actually "logged in." For example, amazon.com.

These sites produce a different page and results for certain actions depending on that status. It looks like Cardwell's method could detect this difference. Suppose you knew what shopping sites a user preferred? First, that provides likely demographic and gender information. Second, if in fact you were able to steal login credentials you would know immediately where you could use them. Third, you could use that information for social engineering in phishing fraud. Fourth, you could promote your particular item for sale, on say, ebay or amazon.

Click that logout button, cowboy!

Re:Worse than you think (1)

moderatorrater (1095745) | more than 3 years ago | (#35011174)

This is a standard CSRF attack that leaks less data than most. The potential for abuse is far smaller than the potential for abuse with any of the attacks that leak your browser history.

There is always the NoScript plugin. (1)

steeleyeball (1890884) | more than 3 years ago | (#35010400)

When I learned about cross site scripting I installed NoScript right away.

Well, I was logged into gmail and he didn't detect (-1)

Anonymous Coward | more than 3 years ago | (#35010444)

You didn't detect anything I was logged into - so I would have to say stupid article

Known in 2008 and blogged (2)

mrkitty (584915) | more than 3 years ago | (#35010732)

Article screws with Twitter style settings (0)

Anonymous Coward | more than 3 years ago | (#35010888)

Something in the code of the page this story links to is managing to revert my Twitter style to the "old style". I haven't dug into it and don't plan to. Just sayin'. I can reproduce it all day. I am guessing whatever URL they're hitting to detect if you're logged in to Twitter is the culprit.
