Slashdot Mirror

← Back to Stories (view on slashdot.org)

Abusing HTTP Status Codes To Expose Private Info

Posted by CmdrTaco on from the i-see-what-you-did-there dept.

An anonymous reader writes "Here's a neat technique for testing if people are logged into other websites. Examples for Facebook, Twitter, GMail and Digg are provided." Like we needed more reasons to use the Chrome incognito function.

17 of 133 comments (clear)

  1. HTTP 502 - Service temporarily overloaded by Anonymous Coward · · Score: 3, Informative

    Yes, that link is really neat!
    HTTP 502 - Service temporarily overloaded

    1. Re:HTTP 502 - Service temporarily overloaded by prxp · · Score: 3, Informative

      Slashdotted already? Damn!

      Try Google's cache http://webcache.googleusercontent.com/search?oe=UTF-8&hl=pt&q=cache:kZYcDFibjHcJ:https://grepular.com/Abusing_HTTP_Status_Codes_to_Expose_Private_Information

    2. Re:HTTP 502 - Service temporarily overloaded by Steve+Max · · Score: 3, Informative

      I believe you're supposed to abuse the HTTP error code somehow to get the content.

      Corel Cache also works.

  2. Re:And let's not forget... by Culture20 · · Score: 3, Insightful

    The new /. still sucks big time. Yeah. Mod me offtopic, why dontcha.

    More likely redundant since everyone knows it already.

  3. The idea behind it... by ashidosan · · Score: 5, Informative

    The technique involves using Javascript to load an image only available when logged in to one of these services, and checking the HTTP status code returned.

    Doesn't seem to be a ton of potential for abuse, but I suppose it's somewhat privacy-related.

    1. Re:The idea behind it... by toetagger · · Score: 5, Interesting

      I don't know... What if I would do this in my slashdot signature, trying to load a picture only available for people on the RIAA Intranet. Then I could show a different signature to the RIAA than to everyone else. Copy/Paste for FBI, your HR/employer, or even your spouse.

    2. Re:The idea behind it... by acooks · · Score: 4, Informative

      Looks like you've just rediscovered the idea of cross-site scripting.

      Wikipedia says:
      "Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. "

    3. Re:The idea behind it... by natehoy · · Score: 3, Informative

      Precisely why a lot of discussion boards do not allow images in their signatures, especially third-party images. Also why so many companies used to offer "free counters" and "enhanced email with images" (a' la IncrediMail) and whatnot as long as they were served from THEIR site. You can collect a lot of information about users of a site without the complications of having to compensate the site owners or having them cooperate with you.

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
  4. Re:And let's not forget... by HarrySquatter · · Score: 3, Insightful

    It now takes 3-5 seconds to 'preview' a one line text post,

    Wow, that's an improvement to before where it would take upwards of 10-20 seconds for the preview to finish.

  5. The cached version by antido · · Score: 4, Informative

    Is here.

  6. Re:Incognito anyways by PseudonymousBraveguy · · Score: 4, Insightful

    I doubt that halps against the technique presented in TFA, because it does not depend on Cookies or anything that is blocked in Incognito mode. Basically, they only rely to a HTTP request to the site to be checked, using JavaScript to determine the HTTP status. Thus, disabling JavaScript helps. The Firefox Addon "Request Policy" should, according to the autor of TFA, help, too.

  7. Re:Not quite by ArcherB · · Score: 3, Interesting

    It might not work as well as they think. I got this as I read down a bit:

    First of all. Lets check if you're logged into GMail right now (not including Google Apps)... (Yes, you are logged in).

    Actually, I am browsing with Chrome, but have not opened GMail in this session at all, not once since the reboot. Maybe it is something Chrome is doing, since I get "No, you're not logged in" while using the incognito window.

    If you are using your gmail account to download bookmarks, custom home page or whatever Chrome may be logging into gmail for, it may throw off the result.

    However, in saying that, I noticed that it reported me logged into Facebook, which I am not, nor have I since my last reboot. I'm running Firefox 3.6.13.

    --
    There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
  8. How it works by mazesc · · Score: 5, Informative

    As the page is slashdotted, I just wanted to post how it is done here:

    For GMail, he added an image to his own GMail account, which he set to "visible for everyone". On his own site he added an invisible img and tries to access the image in his GMail account. He then triggers a javascript function depending on the outcome of the img inclusion (onload or onerror), so he can make the decision, if the visitor of his website is logged in to GMail.

    For Facebook, Twitter and Digg he uses http status codes. He tries to access some URL (https://www.facebook.com/imike3) via javascript and depending on the status code he gets, he can decide whether you are logged in or not. This attack doesn't work with IE or Opera, because they do not trigger the onload/onerror events when receiving invalid js.

  9. Re:And let's not forget... by roka · · Score: 3, Informative

    You could write your own CSS or get an existing one

  10. Re:Not quite by Pteraspidomorphi · · Score: 3, Insightful

    Your login info could be stored in a cookie, in which case his image request will use the cookie info and automatically log you in.

  11. Or just use NoScript w/ FF by 228e2 · · Score: 3, Informative

    First of all. Lets check if you're logged into GMail right now (not including Google Apps)... (Please enable JavaScript).
    Are you logged into Twitter ? (Please enable JavaScript)
    Are you logged into Facebook? (Please enable JavaScript)

    :o

    --
    Since when does being a Socialist mean 'someone who has a different opinion than me'?
  12. This is just a CSRF attack by brunes69 · · Score: 3, Informative

    The author of this article seems to have discovered the CSRF attack. Congratulations and welcome to the year 1990.

    http://en.wikipedia.org/wiki/Cross-site_request_forgery