Abusing HTTP Status Codes To Expose Private Info
An anonymous reader writes "Here's a neat technique for testing if people are logged into other websites. Examples for Facebook, Twitter, GMail and Digg are provided." Like we needed more reasons to use the Chrome incognito function.
Yes, that link is really neat!
HTTP 502 - Service temporarily overloaded
Half the text is cropped by an overhanging left-menu if I use my normal text size. Gah!
Ha. Possible. My alternative theory is that the new site is using our computers to make BitCoin. I have one core pegged at 100% utilization by Firefox when browsing the site.
Something bad is coming when people are suddenly anxious to tell the truth.
This is quite scary. Though, I always use the Incognito mode when browsing sites I don't trust as much as others (ahem).
The new /. still sucks big time. Yeah. Mod me offtopic, why dontcha.
More likely redundant since everyone knows it already.
The technique involves using Javascript to load an image only available when logged in to one of these services, and checking the HTTP status code returned.
Doesn't seem to be a ton of potential for abuse, but I suppose it's somewhat privacy-related.
I only *have* one core, you insensitive clod!
(and yes, it's very nicely pegged at 100%.)
I've never really used incognito in chrome, maybe I should start...
It now takes 3-5 seconds to 'preview' a one line text post,
Wow, that's an improvement to before where it would take upwards of 10-20 seconds for the preview to finish.
Is here.
Slashdotted. I guess everyone was curious!
It might not work as well as they think. I got this as I read down a bit:
Actually, I am browsing with Chrome, but have not opened GMail in this session at all, not once since the reboot. Maybe it is something Chrome is doing, since I get "No, you're not logged in" while using the incognito window.
If you are using your gmail account to download bookmarks, custom home page or whatever Chrome may be logging into gmail for, it may throw off the result.
However, in saying that, I noticed that it reported me logged into Facebook, which I am not, nor have I since my last reboot. I'm running Firefox 3.6.13.
There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
Everyone except those who should fix it, apparently.
As the page is slashdotted, I just wanted to post how it is done here:
For GMail, he added an image to his own GMail account, which he set to "visible for everyone". On his own site he added an invisible img and tries to access the image in his GMail account. He then triggers a javascript function depending on the outcome of the img inclusion (onload or onerror), so he can decide whether the visitor of his website is logged in to GMail.
For Facebook, Twitter and Digg he uses http status codes. He tries to access some URL (https://www.facebook.com/imike3) via javascript and depending on the status code he gets, he can decide whether you are logged in or not. This attack doesn't work with IE or Opera, because they do not trigger the onload/onerror events when receiving invalid js.
You could write your own CSS or get an existing one
The "Hack" seems to only work when scripts are enabled for the full base of a particular website. If I only enable static.ak.fbcn.net, I can still use facebook functionality but this "hack" can't tell that I'm logged in. The point of my story is if you're using Firefox with NoScript (and you have a vague idea what you're doing), you're still safe. I'm still wary of using Chrome.
It says I was logged into GMail (correct) and Facebook (incorrect).
Not only do I not have a Facebook account to be logged in to, the computer I'm using has never directly gone to facebook.com. Other sites may have inlined facebook stuff, but I still don't have an account there.
So what gives? No, no one else uses this computer. Yes, I am absolutely, 100% certain.
Learning HOW to think is more important than learning WHAT to think.
I don't see how his comment is flamebait. Increase your font size, you can easily replicate the bug he mentioned.
This doesn't work at all. I'm logged into Gmail and Facebook, neither of which it detected.
Another day, another guy thinking CSRF is something new.
Your login info could be stored in a cookie, in which case his image request will use the cookie info and automatically log you in.
I was logged into Slashdot and that bloody web page said I was logged into facebook. I would NEVER use facebook. Damn liar....mumble mumble
This is a javascript thing, not a problem with HTTP result codes. And a cookie problem too.
The idea here is that your page offers a script to the user, the user elects to execute this script with his own permissions, and the script requests resources from some other website and either fails or succeeds, and that success/failure implies certain facts about the user.
But when you describe it like that, does the fact that success/failure is detected, really look like the dangerous and scary part, or do your eyebrows go up just a little bit higher at the idea of people downloading and executing scripts as themselves?
And then look deeper and think about what the cookie is. Facebook and gmail offer you a cookie to send with future page requests as login credentials instead of having to enter a username/password or session identifier on every single page; that cookie is yours and you are responsible for it and it shouldn't be sent out just whenever anyone wants to use it. And yet an img tag on some other website's page causes behavior that results in your cookie being sent to facebook? That's pretty much the essence of CSRF.
So we've got people running untrusted scripts, doing it as themselves, and CSRFs happening. And you're calling attention to HTTP status codes? Sheesh. That final tiny bit of the puzzle is insignificant.
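The oracle described in the "how it is done" post above, and the cookie problem this comment points at, can be modelled in a few lines. This is an added example, not code from the article or from any commenter; the session store, host name and requests are constructed, and the hardened handler assumes the browser sends the Fetch Metadata header Sec-Fetch-Site (falling back to Referer when it is absent). It shows why a login-gated resource whose status depends on the cookie leaks login state to any page that embeds it, and how answering every cross-site request identically closes that leak.

```javascript
// Constructed sample session store: one valid session id.
const SESSIONS = new Set(['sess-abc123']);

// The browser attaches the site's cookie to the embedded request no matter
// which page triggered it; this is the CSRF-style part of the problem.
function isLoggedIn(req) {
  const m = /(?:^|;\s*)sid=([^;]+)/.exec(req.headers.cookie || '');
  return m !== null && SESSIONS.has(m[1]);
}

// Cross-site detection: prefer Sec-Fetch-Site, fall back to Referer, and
// treat a request with neither as untrusted.
function isCrossSite(req, ownHost) {
  const sfs = req.headers['sec-fetch-site'];
  if (sfs) return sfs === 'cross-site';
  const ref = req.headers.referer;
  if (!ref) return true;
  try { return new URL(ref).host !== ownHost; } catch (e) { return true; }
}

// Vulnerable handler: the status code itself reveals the login state.
function handleVulnerable(req) {
  return isLoggedIn(req)
    ? { status: 200, body: 'private-image-bytes' }
    : { status: 302, location: '/login' };
}

// Hardened handler: every cross-site request gets the same fixed answer,
// whether or not a valid session cookie arrived, so nothing is learned.
function handleHardened(req, ownHost = 'site.example') {
  if (isCrossSite(req, ownHost)) return { status: 404, body: 'not found' };
  return handleVulnerable(req);
}

// Models what the embedding page can observe through onload/onerror:
// only whether the cross-site load succeeded (2xx) or failed.
function oracleLeaks(handler) {
  const hdr = { 'sec-fetch-site': 'cross-site' };
  const loggedIn = { headers: { ...hdr, cookie: 'sid=sess-abc123' } };
  const anon = { headers: { ...hdr } };
  const ok = (s) => s >= 200 && s < 300;
  return ok(handler(loggedIn).status) !== ok(handler(anon).status);
}
```

Marking the session cookie SameSite=Lax or Strict removes the cookie from the cross-site request altogether, which is the complementary fix on the cookie side.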
First of all. Let's check if you're logged into GMail right now (not including Google Apps)... (Please enable JavaScript).
:o
Are you logged into Twitter ? (Please enable JavaScript)
Are you logged into Facebook? (Please enable JavaScript)
Since when does being a Socialist mean 'someone who has a different opinion than me'?
I received a similar message for Facebook further down the page. I have never, ever logged into Facebook on this machine.
One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
It said Yes for me (after I allowed the site in NoScript in Firefox), even though I don't have gmail open. I did have iGoogle and Google Voice up, which use the same ID. I guess any page that uses the Google log in would show a Yes, after javascript is turned on. Yet another reason to use NoScript for me.
Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
The author of this article seems to have discovered the CSRF attack. Congratulations and welcome to the year 1990.
http://en.wikipedia.org/wiki/Cross-site_request_forgery
Alternatively, if you don't like the new interface, you could go into your /. preferences and change the interface to "Classic". After all, that dynamic content does nothing to improve the content.
Only he thinks I'm logged into Facebook. But I don't have a Facebook account, so I can't be. And this is my work computer which gets locked when I leave my desk so no one else has logged in (plus I have an office door that I lock behind me).
*tin foil hat time*
I even have *facebook.com and *fbcdn* blocked in AdBlockPlus though since I don't really want Facebook building a user-profile about me with all those nefarious "like" buttons it got chumps to place on non-Facebook sites. They don't need to know what articles I read on the NY Times and correlate to what articles I read on Wired cross-referenced with the articles I read on Slate.
So, really, this "sort of" works, but you can't rely on it.
And it told me I was not logged into Gmail while I was. Firefox 3.6.13.
2011. The year Gnome decided Linux will never be on the desktop.
I read the article and tested if the code works -- and it does. However, the article is somewhat misleading -- or at least I found that it was not as clear as it should have been with "logged in."
For example, I logged into my gmail account, and closed the tab without logging out. The code from the article shows that I am still logged in -- true from a technical standpoint, but I closed out the gmail tab already. Likewise with facebook. However, all the code can really do is test whether or not the current computer you are using has previously had an account logged in (and is still logged in). It does not know that it is my account, or my wife's account, etc.
To use this code to check a user's online status -- well, you run into the same problem as aforementioned. So you can't even use the information to get useful browsing information about the current user. At best, you can say that the current user is using a machine that has had a gmail account logged into it, etc.
I did a small amount of testing and it appears to me that this technique permits more leaks of user's behavior than stated directly in the article.
Lots of websites leave you "logged in" for a while, including /. This means that the user does not have to have an open page or tab, and may not perceive that he or she is actually "logged in." For example, amazon.com.
These sites produce a different page and results for certain actions depending on that status. It looks like Cardwell's method could detect this difference. Suppose you knew what shopping sites a user preferred? First, that provides likely demographic and gender information. Second, if in fact you were able to steal login credentials you would know immediately where you could use them. Third, you could use that information for social engineering in phishing fraud. Fourth, you could promote your particular item for sale, on say, ebay or amazon.
Click that logout button, cowboy!
I will create a sig when innovation restarts in the U.S.
When I learned about cross site scripting I installed NoScript right away.
And the point is not necessarily to know if you're logged in, but that you are a Facebook user (because your browser acknowledges that it is or has logged in).
Therefore, it succeeded.
-dZ.
Carol vs. Ghost
http://jeremiahgrossman.blogspot.com/2008/03/login-detection-whose-problem-is-it.html
Believe me, if I started murdering people, there would be none of you left.
Yes. Next!
I really can't believe this hasn't been solved for Firefox. The fix is really simple - if the content-type of the request is not javascript, then fire the onerror condition as well.
The other worrying thing is that you can perform actions that impersonate the user as long as they use GET requests. For example, I can log you out of Slashdot by putting the logout URL as the javascript source. I don't really see a way around that other than using HEAD requests for 3rd-party domains.
To be fair, that's because designers don't expect people to use non-standard font sizes in an age of browsers that have full-page zoom capability (although it's a good idea to make sure at least +/-2 font size works...I have to push it to +4 to get the text under the left menu), and getting text to wrap on web pages is generally a total bitch, and will continue to be until CSS3 rolls out.
"When information is power, privacy is freedom" - Jah-Wren Ryel
Perhaps http://oppressive-regime.example.org/ would like to collect a list of their users who are logged into http://controversial-website.example.com/?
I don't think "oppressive-regime.example.org" would bother with a cheap exploit like this.
The fact of the matter is that since they're the regime, they control the network, and are already sniffing your packets.
Easy to do with a browser like uzbl.
Fascism should more properly be called corporatism because it is the merger of state and corporate power. -- Mussolini
I can only get all the comments to display if I don't have the "Classic" interface. When I select it, only the first comment (and the first child of each comment under it) show up.
Perhaps they have the same issue?
The disappearing pencil trick. Let me show you it.
It still takes 10-20 here.
Every harsh word you utter has the right address. It only sounds harsh because the one on the envelope is the wrong one.
Firefox and Chrome both have options to "Save Your Session" when you log out. Most people tend to have these on, because they're remarkably convenient. However, it means Session-Only cookies are not deleted on browser close (or even a computer reboot). If you open Firefox and all your old tabs open right back up with where you were last time you were on, you probably have this enabled. So even if you haven't logged in to a given website in a couple weeks, you may still be "logged in" as the previous login session cookie has persisted.
~Anguirel (lit. Living Star-Iron)
QA: The art of telling someone that their baby is ugly without getting punched.
It also kinda screws up global CSS, in my case, black background, light text:pitch dark companion. Come to think of it, wikipedia does too...
I know tobacco is bad for you, so I smoke weed with crack.
But do all browsers have full-page zoom? And is it the default setting?
Yeah I'm pretty sure that's the default on all the latest browsers.