Abusing HTTP Status Codes To Expose Private Info
An anonymous reader writes "Here's a neat technique for testing if people are logged into other websites. Examples for Facebook, Twitter, GMail and Digg are provided." Like we needed more reasons to use the Chrome incognito function.
Yes, that link is really neat!
HTTP 502 - Service temporarily overloaded
Half the text is cropped by an overhanging left-menu if I use my normal text size. Gah!
I concur. And well done on getting the first post. It now takes 3-5 seconds to 'preview' a one line text post, so my days of first posting are clearly numbered! Maybe that was the intent?
Ha. Possible. My alternative theory is that the new site is using our computers to make Bitcoin. I have one core pegged at 100% utilization by Firefox when browsing the site.
Something bad is coming when people are suddenly anxious to tell the truth.
This is quite scary. Though, I always use the Incognito mode when browsing sites I don't trust as much as others (ahem).
The new /. still sucks big time. Yeah. Mod me offtopic, why dontcha.
More likely redundant since everyone knows it already.
The technique involves using Javascript to load an image only available when logged in to one of these services, and checking the HTTP status code returned.
Doesn't seem to be a ton of potential for abuse, but I suppose it's somewhat privacy-related.
I only *have* one core, you insensitive clod!
(and yes, it's very nicely pegged at 100%.)
I've never really used incognito in chrome, maybe I should start...
It might not work as well as they think. I got this as I read down a bit:
Actually, I am browsing with Chrome, but have not opened GMail in this session at all, not once since the reboot. Maybe it is something Chrome is doing, since I get "No, you're not logged in" while using the incognito window.
Home of The Suki Series
It now takes 3-5 seconds to 'preview' a one line text post,
Wow, that's an improvement to before where it would take upwards of 10-20 seconds for the preview to finish.
Is here.
Slashdotted. I guess everyone was curious!
Everyone except those who should fix it, apparently.
Something bad is coming when people are suddenly anxious to tell the truth.
As the page is slashdotted, I just wanted to post how it is done here:
For GMail, he added an image to his own GMail account, which he set to "visible for everyone". On his own site he added an invisible img and tries to access the image in his GMail account. He then triggers a javascript function depending on the outcome of the img inclusion (onload or onerror), so he can decide whether the visitor of his website is logged in to GMail.
For Facebook, Twitter and Digg he uses http status codes. He tries to access some URL (https://www.facebook.com/imike3) via javascript and depending on the status code he gets, he can decide whether you are logged in or not. This attack doesn't work with IE or Opera, because they do not trigger the onload/onerror events when receiving invalid js.
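The post above describes the leak from the attacker's side: a private resource answers with one status code when the visitor's session cookie is valid and another when it is not, and a third-party page can observe which one it got. The block below is an added server-side model of that behaviour and of the defence, written for this thread and not taken from the linked article or from any of the named services. The session store, cookie name, the `Sec-Fetch-Site` handling and the function names are all constructed for the demo.

```javascript
// Added example: a server-side model of the login-state oracle and its fix.
// Nothing here is Facebook's, Google's or the article author's code; the
// session store and request shapes are constructed for the demo.
const SESSION_COOKIE = "sid";
const VALID_SESSIONS = new Set(["sess-abc123"]); // constructed sample session store

// Minimal Cookie header parser: "a=1; b=2" -> { a: "1", b: "2" }
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

function isLoggedIn(headers) {
  const cookies = parseCookies(headers["cookie"]);
  return VALID_SESSIONS.has(cookies[SESSION_COOKIE]);
}

// Leaky policy: a private resource answers 200 when the session cookie is
// valid and 302 (redirect to the login page) otherwise, no matter which
// site embedded the request. The status code is the oracle the post describes.
function leakyPolicy(headers) {
  return isLoggedIn(headers) ? 200 : 302;
}

// Hardened policy: requests that the browser labels as coming from another
// site (Fetch Metadata, Sec-Fetch-Site header) get one fixed answer whether
// or not the visitor is logged in, so an embedding page observes nothing.
// An absent header is treated as cross-site here (conservative for a demo;
// a production fallback would compare Origin/Referer to its own host).
function hardenedPolicy(headers) {
  const site = headers["sec-fetch-site"] || "cross-site";
  if (site !== "same-origin") return 403;
  return isLoggedIn(headers) ? 200 : 302;
}

// True when a cross-site embed can tell a logged-in visitor from a logged-out
// one under the given policy, i.e. when the status codes differ.
function oracleLeaks(policy) {
  const loggedIn = { cookie: `${SESSION_COOKIE}=sess-abc123`, "sec-fetch-site": "cross-site" };
  const loggedOut = { "sec-fetch-site": "cross-site" };
  return policy(loggedIn) !== policy(loggedOut);
}

// Complementary fix at the cookie layer: SameSite=Lax stops the browser
// attaching the session cookie to cross-site subresource loads at all.
function sessionCookieHeader(value) {
  return `${SESSION_COOKIE}=${value}; Secure; HttpOnly; SameSite=Lax; Path=/`;
}

console.log("leaky policy leaks:", oracleLeaks(leakyPolicy));       // true
console.log("hardened policy leaks:", oracleLeaks(hardenedPolicy)); // false
```

The two fixes are independent: the uniform cross-site response removes the status-code difference even for browsers that ignore cookie attributes, and the SameSite attribute means the server never sees the cookie on such requests in the first place, which also closes the cookie-forwarding problem other comments in this thread point at.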
You could write your own CSS or get an existing one
The "Hack" seems to only work when scripts are enabled for the full base of a particular website. If I only enable static.ak.fbcn.net, I can still use facebook functionality but this "hack" can't tell that I'm logged in. The point of my story is if you're using Firefox with NoScript (and you have a vague idea what you're doing), you're still safe. I'm still wary of using Chrome.
It says I was logged into GMail (correct) and Facebook (incorrect).
Not only do I not have a Facebook account to be logged in to, the computer I'm using has never directly gone to facebook.com. Other sites may have inlined facebook stuff, but I still don't have an account there.
So what gives? No, no one else uses this computer. Yes, I am absolutely, 100% certain.
Learning HOW to think is more important than learning WHAT to think.
I don't see how his comment is flamebait. Increase your font size, you can easily replicate the bug he mentioned.
Cross-Site Request Forgery ?
This doesn't work at all. I'm logged into Gmail and Facebook, neither of which it detected.
Another day, another guy thinking CSRF is something new.
I was logged into Slashdot and that bloody web page said I was logged into facebook. I would NEVER use facebook. Damn liar....mumble mumble
This is a javascript thing, not a problem with HTTP result codes. And a cookie problem too.
The idea here is that your page offers a script to the user, the user elects to execute this script with his own permissions, and the script requests resources from some other website and either fails or succeeds, and that success/failure implies certain facts about the user.
But when you describe it like that, does the fact that success/failure is detected, really look like the dangerous and scary part, or do your eyebrows go up just a little bit higher at the idea of people downloading and executing scripts as themselves?
And then look deeper and think about what the cookie is. Facebook and gmail offer you a cookie to send with future page requests as login credentials instead of having to enter a username/password or session identifier on every single page; that cookie is yours and you are responsible for it and it shouldn't be sent out just whenever anyone wants to use it. And yet an img tag on some other website's page causes behavior that results in your cookie being sent to facebook? That's pretty much the essence of CSRF.
So we've got people running untrusted scripts, doing it as themselves, and CSRFs happening. And you're calling attention to HTTP status codes? Sheesh. That final tiny bit of the puzzle is insignificant.
The example script correctly showed me being logged in on Facebook.
Glad it did, made me realize that I'd forgotten to turn CsFire back on for God knows how long.
Now it falsely states that I'm not logged into Facebook. What'd I do without my tinfoil-firefox-plugins?
First of all. Let's check if you're logged into GMail right now (not including Google Apps)... (Please enable JavaScript).
:o
Are you logged into Twitter ? (Please enable JavaScript)
Are you logged into Facebook? (Please enable JavaScript)
Since when does being a Socialist mean 'someone who has a different opinion than me'?
The author of this article seems to have discovered the CSRF attack. Congratulations and welcome to the year 1990.
http://en.wikipedia.org/wiki/Cross-site_request_forgery
Alternatively, if you don't like the new interface, you could go into your /. preferences and change the interface to "Classic". After all, that dynamic content does nothing to improve the content.
Only he thinks I'm logged into Facebook. But I don't have a Facebook account, so I can't be. And this is my work computer which gets locked when I leave my desk so no one else has logged in (plus I have an office door that I lock behind me).
*tin foil hat time*
I even have *facebook.com and *fbcdn* blocked in AdBlockPlus though since I don't really want Facebook building a user-profile about me with all those nefarious "like" buttons it got chumps to place on non-facebook sites. They don't need to know what articles I read on the NY Times and correlate to what articles I read on Wired cross-referenced with the articles I read on Slate.
So, really, this "sort of" works, but you can't rely on it.
I am logged into gmail, and the article says I am not.
I read the article and tested if the code works -- and it does. However, the article is somewhat misleading -- or at least I found that it was not as clear as it should have been with "logged in."
For example, I logged into my gmail account, and closed the tab without logging out. The code from the article shows that I am still logged in -- true from a technical standpoint, but I closed out the gmail tab already. Likewise with facebook. However, all the code can really do is test whether or not the current computer you are using had previously had an account logged in (and is still logged in). It does not know that it is my account, or my wife's account, etc.
To use this code to check a user's online status -- well, you run into the same problem as aforementioned. So you can't even use the information to get useful browsing information about the current user. At best, you can say that the current user is using a machine that has had a gmail account logged into it, etc.
I did a small amount of testing and it appears to me that this technique permits more leaks of user's behavior than stated directly in the article.
Lots of websites leave you "logged in" for a while, including /. This means that the user does not have to have an open page or tab, and may not perceive that he or she is actually "logged in." For example, amazon.com.
These sites produce a different page and results for certain actions depending on that status. It looks like Cardwell's method could detect this difference. Suppose you knew what shopping sites a user preferred? First, that provides likely demographic and gender information. Second, if in fact you were able to steal login credentials you would know immediately where you could use them. Third, you could use that information for social engineering in phishing fraud. Fourth, you could promote your particular item for sale, on say, ebay or amazon.
Click that logout button, cowboy!
I will create a sig when innovation restarts in the U.S.
When I learned about cross site scripting I installed Noscript right away.
http://jeremiahgrossman.blogspot.com/2008/03/login-detection-whose-problem-is-it.html
Believe me, if I started murdering people, there would be none of you left.
Something in the code of the page this story links to is managing to revert my Twitter style to the "old style". I haven't dug into it and don't plan to. Just sayin'. I can reproduce it all day. I am guessing whatever URL they're hitting to detect if you're logged in to Twitter is the culprit.
I really can't believe this hasn't been solved for Firefox. The fix is really simple - if the content-type of the request is not javascript, then fire the onerror condition as well.
The other worrying thing is that you can perform actions that impersonate the user as long as they use GET requests. For example, I can log you out of Slashdot by putting the logout URL as the javascript source. I don't really see a way around that other than using HEAD requests for 3rd-party domains.
To be fair, that's because designers don't expect people to use non-standard font sizes in an age of browsers that have full-page zoom capability (although it's a good idea to make sure at least +/-2 font size works...I have to push it to +4 to get the text under the left menu), and getting text to wrap on web pages is generally a total bitch, and will continue to be until CSS3 rolls out.
"When information is power, privacy is freedom" - Jah-Wren Ryel
Pretty straightforward (however bloated): make a completely separate logical session per tab/window, including their leaves of course (other tabs/windows generated by the primary one).
Think of a new browser concept where you can't load another page in 'just a tab' on your screen if that tab is already associated to a session/tab group
Dry Isolate cookies and all session information per logical session handler.
It asks for quite a bit of work, but it's not impossible. It can also allow functions like "open an incognito tab" (not an entire new browser) when desired.
Perhaps http://oppressive-regime.example.org/ would like to collect a list of their users who are logged into http://controversial-website.example.com/?
I don't think "oppressive-regime.example.org" would bother with a cheap exploit like this.
The fact of the matter is that since they're the regime, they control the network, and are already sniffing your packets.
This post should be removed or re-worded. I clicked on the link expecting to read a NEWS STORY about a malicious attack, not A MALICIOUS ATTACK ITSELF. Besides the fact that it's simply a form of viral advertising the author likely submitted himself to sell his book, the site it directs to does the very thing it warns against. It invades our privacy.
Would we tolerate someone warning about a new virus and then saying "by the way, if you're reading this, I infected your computer five minutes ago"?
The website author, whoever anonymously posted it here, and the Slashdot editors should be ashamed.
and if you redirect from a webbug, you can do more than see if someone is logged in - basic XSS evil
I can only get all the comments to display if I don't have the "Classic" interface. When I select it, only the first comment (and the first child of each comment under it) show up.
Perhaps they have the same issue?
The disappearing pencil trick. Let me show you it.
It still takes 10-20 here.
Every harsh word you utter has the right address. It only sounds harsh because the one on the envelope is the wrong one.
Discuss among yourselves: does 10 years of unrelenting shaming result in a more resilient product?
It also kinda screws up global CSS, in my case, black background, light text:pitch dark companion. Come to think of it, wikipedia does too...
I know tobacco is bad for you, so I smoke weed with crack.
But do all browsers have full-page zoom? And is it the default setting?
Yeah I'm pretty sure that's the default on all the latest browsers.