Slashdot Mirror

← Back to Stories (view on slashdot.org)

Abusing HTTP Status Codes To Expose Private Info

Posted by CmdrTaco on from the i-see-what-you-did-there dept.

An anonymous reader writes "Here's a neat technique for testing if people are logged into other websites. Examples for Facebook, Twitter, GMail and Digg are provided." Like we needed more reasons to use the Chrome incognito function.

3 of 133 comments (clear)

  1. The idea behind it... by ashidosan · · Score: 5, Informative

    The technique involves using Javascript to load an image only available when logged in to one of these services, and checking the HTTP status code returned.

    Doesn't seem to be a ton of potential for abuse, but I suppose it's somewhat privacy-related.

    1. Re:The idea behind it... by toetagger · · Score: 5, Interesting

      I don't know... What if I would do this in my slashdot signature, trying to load a picture only available for people on the RIAA Intranet. Then I could show a different signature to the RIAA than to everyone else. Copy/Paste for FBI, your HR/employer, or even your spouse.

  2. How it works by mazesc · · Score: 5, Informative

    As the page is slashdotted, I just wanted to post how it is done here:

    For GMail, he added an image to his own GMail account, which he set to "visible for everyone". On his own site he added an invisible img and tries to access the image in his GMail account. He then triggers a javascript function depending on the outcome of the img inclusion (onload or onerror), so he can make the decision, if the visitor of his website is logged in to GMail.

    For Facebook, Twitter and Digg he uses http status codes. He tries to access some URL (https://www.facebook.com/imike3) via javascript and depending on the status code he gets, he can decide whether you are logged in or not. This attack doesn't work with IE or Opera, because they do not trigger the onload/onerror events when receiving invalid js.