Feeds

Man knows when you're signed in to GMail, Twitter, Digg

Porn and warez logins ahoy!

Providing a secure and efficient Helpdesk

A UK-based web developer has figured out a simple way to tell if visitors to his site are logged in to Gmail, Facebook, Twitter, Digg and thousands of other websites.

One method developed by Mike Cardwell of Nottingham makes use of status codes returned by many sites, which differ depending on whether a user is logged in or not. By embedding a small piece of JavaScript that contains a link to one of the sites he's curious about, he can immediately tell if a visitor is logged in. The method works reliably for Twitter, Facebook and Digg when visitors are browsing with Firefox, Safari or Chrome.

It doesn't work when visitors are using Internet Explorer or Opera.

The exploit works by identifying the HTTP status code that's returned when the visitor's browser encounters the link in Cardwell's script. A 200 code, indicating the request was successfully fulfilled, indicates the person isn't logged in, while 404, 500 and other error codes indicate the opposite.

“This can be an awkward problem to avoid if you're developing a website,” Cardwell writes here. “Some of these requests could be stopped by doing referrer checks; reject all external referrers for content only accessible when logged in.

Detecting whether a visitor is logged in to Gmail requires a different script that generates a hidden image stored in Cardwell's mail folder that's configured to be viewable to everyone. Cardwell said he reported his finding to Google and was told it was “expected behaviour.”

“You may not care that I can tell you're logged into GMail, but would you care if I could tell you're logged into one or more porn or warez sites?” Cardwell asks rhetorically. “Perhaps http://oppressive-regime.example.org/ would like to collect a list of their users who are logged into http://controversial-website.example.com/?” ®

New hybrid storage solutions

More from The Register

next story
Google recommends pronounceable passwords
Super Chrome goes into battle with Mr Mxyzptlk
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
Reddit wipes clean leaked celeb nudie pics, tells users to zip it
Now we've had all THAT TRAFFIC, we 'deplore' this theft
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
TorrentLocker unpicked: Crypto coding shocker defeats extortionists
Lousy XOR opens door into which victims can shove a foot
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.