Slashdot Mirror


Abusing HTTP Status Codes To Expose Private Info

An anonymous reader writes "Here's a neat technique for testing if people are logged into other websites. Examples for Facebook, Twitter, GMail and Digg are provided." Like we needed more reasons to use the Chrome incognito function.

7 of 133 comments

  1. Re:And let's not forget... by Culture20 · Score: 3, Insightful

    The new /. still sucks big time. Yeah. Mod me offtopic, why dontcha.

    More likely redundant since everyone knows it already.

  2. Re:And let's not forget... by HarrySquatter · Score: 3, Insightful

    It now takes 3-5 seconds to 'preview' a one line text post,

    Wow, that's an improvement to before where it would take upwards of 10-20 seconds for the preview to finish.

  3. Re:Incognito anyways by PseudonymousBraveguy · Score: 4, Insightful

    I doubt that helps against the technique presented in TFA, because it does not depend on cookies or anything that is blocked in Incognito mode. Basically, they only rely on an HTTP request to the site to be checked, using JavaScript to determine the HTTP status. Thus, disabling JavaScript helps. The Firefox add-on "Request Policy" should, according to the author of TFA, help, too.

  4. Re:And let's not forget... by Magada · Score: 2, Insightful

    Everyone except those who should fix it, apparently.

    --
    Something bad is coming when people are suddenly anxious to tell the truth.

  5. Isn't this just CSRF? by Anonymous Coward · Score: 0, Insightful

    Cross-Site Request Forgery?

  6. Re:Not quite by Pteraspidomorphi · Score: 3, Insightful

    Your login info could be stored in a cookie, in which case his image request will use the cookie info and automatically log you in.
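Comments 3 and 6 above describe the mechanism: the browser attaches the victim's cookie to a cross-site request (an image load, say), the site answers with a status that depends on login state, and the embedding page reads that status from JavaScript. The following Python model is an added example, not code from the thread or from the article it discusses. It shows a handler whose status depends on login state beside a hardened one that answers cross-site subresource requests as if the visitor were anonymous, plus a self-check a site owner can run against either. The Request class, the SESSIONS store, the /account/avatar path and the session value are constructed for the example; Sec-Fetch-Site and the SameSite cookie attribute are real browser features, assumed available as mitigations (both arrived in browsers well after the technique discussed here).

```python
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed model)."""
    path: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


# Constructed sample session store: session cookie value -> user name.
SESSIONS = {"sess-abc123": "alice"}


def current_user(req):
    """Resolve the session cookie to a user, or None when not logged in."""
    return SESSIONS.get(req.cookies.get("session"))


def vulnerable_handler(req):
    """Status code depends on login state for every request, including
    cross-site <img> loads. A third-party page can tell 200 from 302 via
    the image's onload/onerror, which is the probe the thread describes."""
    if req.path == "/account/avatar":
        return 200 if current_user(req) else 302  # 302 -> login page
    return 404


def is_cross_site(req):
    """Modern browsers label the request's origin relationship in
    Sec-Fetch-Site (same-origin, same-site, none, cross-site). Assumed
    mitigation: the header is a later browser addition than the technique."""
    return req.headers.get("Sec-Fetch-Site") == "cross-site"


def hardened_handler(req):
    """Cross-site subresource requests are answered as anonymous, so the
    observable status no longer depends on whether the visitor is logged in."""
    if req.path == "/account/avatar":
        if not is_cross_site(req) and current_user(req):
            return 200
        return 302
    return 404


def session_cookie_header(value, samesite="Lax"):
    """Set-Cookie line with SameSite; Lax or Strict stops the browser attaching
    the cookie to cross-site image loads at all (a second layer of defence)."""
    return f"Set-Cookie: session={value}; Secure; HttpOnly; SameSite={samesite}"


def probe_distinguishes_login(handler):
    """Self-check a defender can run: does a cross-site probe see different
    statuses for a logged-in user and an anonymous one?"""
    cross = {"Sec-Fetch-Site": "cross-site"}
    logged_in = Request("/account/avatar", {"session": "sess-abc123"}, cross)
    anonymous = Request("/account/avatar", {}, cross)
    return handler(logged_in) != handler(anonymous)


if __name__ == "__main__":
    print("vulnerable leaks login state:", probe_distinguishes_login(vulnerable_handler))
    print("hardened leaks login state:  ", probe_distinguishes_login(hardened_handler))
    print(session_cookie_header("sess-abc123"))
```

The self-check is the part worth keeping around: run it against every endpoint whose status or redirect depends on the session, since any such difference observable through onload/onerror is the leak. The Sec-Fetch-Site check handles browsers that send the header; the SameSite attribute covers the cookie side independently, which is why a site wants both rather than either alone.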

  7. Re:This is just a CSRF attack by Anonymous Coward · Score: 2, Insightful

    Pray tell, how would one have executed a CSRF attack in 1990?