Slashdot Mirror


Abusing HTTP Status Codes To Expose Private Info

An anonymous reader writes "Here's a neat technique for testing if people are logged into other websites. Examples for Facebook, Twitter, GMail and Digg are provided." Like we needed more reasons to use the Chrome incognito function.

6 of 133 comments shown

  1. The idea behind it... by ashidosan · Score: 5, Informative

    The technique involves using Javascript to load an image only available when logged in to one of these services, and checking the HTTP status code returned.

    Doesn't seem to be a ton of potential for abuse, but I suppose it's somewhat privacy-related.

    1. Re:The idea behind it... by toetagger · Score: 5, Interesting

      I don't know... What if I did this in my Slashdot signature, trying to load a picture only available to people on the RIAA intranet? Then I could show a different signature to the RIAA than to everyone else. Copy/paste for the FBI, your HR/employer, or even your spouse.

    2. Re:The idea behind it... by acooks · Score: 4, Informative

      Looks like you've just rediscovered the idea of cross-site scripting.

      Wikipedia says:
      "Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy."

  2. The cached version by antido · Score: 4, Informative

    Is here.

  3. Re:Incognito anyways by PseudonymousBraveguy · Score: 4, Insightful

    I doubt that helps against the technique presented in TFA, because it does not depend on cookies or anything that is blocked in Incognito mode. Basically, they only rely on an HTTP request to the site to be checked, using JavaScript to determine the HTTP status. Thus, disabling JavaScript helps. The Firefox add-on "Request Policy" should, according to the author of TFA, help too.

  4. How it works by mazesc · Score: 5, Informative

    As the page is slashdotted, I just wanted to post how it is done here:

    For GMail, he added an image to his own GMail account, which he set to "visible for everyone". On his own site he added an invisible img and tries to access the image in his GMail account. He then triggers a JavaScript function depending on the outcome of the img inclusion (onload or onerror), so he can decide whether the visitor of his website is logged in to GMail.

      For Facebook, Twitter and Digg he uses HTTP status codes. He tries to access some URL (https://www.facebook.com/imike3) via JavaScript and, depending on the status code he gets, he can decide whether you are logged in or not. This attack doesn't work with IE or Opera, because they do not trigger the onload/onerror events when receiving invalid JS.
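
The login oracle described in the comments above, as an added example that is not code from the article or from any commenter. The first function is the browser-side probe (an invisible img whose onload/onerror events become one bit of information). The rest is an offline model that goes beyond the article: it shows why the trick works (the browser attaches the target's cookies to a cross-site subresource load) and how the target site closes it by treating cross-site loads as unauthenticated, using the Sec-Fetch-Site request header that modern browsers send; SameSite=Lax/Strict on the session cookie has the same effect. The hosts, paths, cookie names, session table and handlers are all constructed for the example.

```javascript
// Added example, not from the original page. Hosts, paths, cookie names
// and the session table below are made up for illustration.

// --- Browser side: what the attacker's page does ---------------------------
// Loads a resource the target only serves to logged-in users and maps the
// img events to a single bit. The browser attaches the visitor's cookies for
// target.example to this cross-site load, which is the whole trick.
function probeLoggedIn(url, onResult, doc = globalThis.document) {
  const img = doc.createElement("img");
  img.style.display = "none";
  img.onload = () => onResult(true);   // 200 + image bytes: logged in
  img.onerror = () => onResult(false); // redirect, 403/404, or a non-image body
  img.src = url;
  doc.body.appendChild(img);
}

// --- Offline model of target site and browser -------------------------------
// Constructed session table and cookie jars standing in for the real site.
const SESSIONS = new Map([["sess-alice", "alice"]]);
const VICTIM_JAR = { "target.example": { session: "sess-alice" } };
const STRANGER_JAR = {};

// Leaky handler: the status code is a function of the ambient cookie alone,
// so any page that can trigger the load learns the visitor's login state.
function leakyAvatarHandler(req) {
  const user = SESSIONS.get(req.cookies.session);
  return user ? { status: 200, body: "PNG..." } : { status: 403, body: "" };
}

// Hardened handler: a cross-site subresource request (Sec-Fetch-Site:
// cross-site) is treated as unauthenticated, so logged-in and logged-out
// visitors get identical responses to an attacker-triggered load, while
// same-site loads (the site's own pages) still work.
function hardenedAvatarHandler(req) {
  const crossSite = req.headers["sec-fetch-site"] === "cross-site";
  const user = crossSite ? undefined : SESSIONS.get(req.cookies.session);
  return user ? { status: 200, body: "PNG..." } : { status: 403, body: "" };
}

// Minimal browser model: every request to a host carries that host's cookies,
// whatever page initiated it; the fetch metadata header records which it was.
function loadImage(jar, initiator, url, handler) {
  const target = new URL(url);
  const sameSite = new URL(initiator).host === target.host;
  const req = {
    cookies: jar[target.host] || {},
    headers: { "sec-fetch-site": sameSite ? "same-origin" : "cross-site" },
  };
  const res = handler(req);
  return res.status === 200 ? "onload" : "onerror";
}

// The attacker's page on evil.example probes target.example and returns the bit.
function oracle(jar, handler) {
  const ev = loadImage(
    jar,
    "https://evil.example/",
    "https://target.example/avatar.png",
    handler
  );
  return ev === "onload";
}

// Leak: the attacker distinguishes a logged-in visitor from a stranger.
//   oracle(VICTIM_JAR, leakyAvatarHandler)      -> true
//   oracle(STRANGER_JAR, leakyAvatarHandler)    -> false
// Fixed: both look the same from evil.example, but the site's own pages
// still get the image.
//   oracle(VICTIM_JAR, hardenedAvatarHandler)   -> false
//   loadImage(VICTIM_JAR, "https://target.example/",
//             "https://target.example/avatar.png", hardenedAvatarHandler) -> "onload"
```

The same model explains the IE/Opera observation in the comment: the oracle only exists where the browser turns the status of a cross-site load into a script-observable event, so a browser that fires no event for a failed load, or a server that answers cross-site loads identically, yields nothing.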