How using HTTP status codes can reveal private info: determine if site users are logged into Gmail, Youtube, Facebook etc.
Demaestro

msg:4258411, 4:08 pm on Jan 26, 2011 (gmt 0)

When a user visits your site you can use HTTP response codes to determine if they are logged into a host of websites. One suggestion for using this data in a "white hat" manner: if they are logged into Gmail and you have an email field in a form, you can pre-populate it with @Gmail.com. A very interesting idea.

https://grepular.com/Abusing_HTTP_Status_Codes_to_Expose_Private_Information

<img style="display:none;" onload="logged_in_to_gmail()" onerror="not_logged_in_to_gmail()" src="https://mail.google.com/mail/photos/static/AD34hIhNx1pdsCxEpo6LavSR8dYSmSi0KTM1pGxAjRio47pofmE9RH7bxPwelO8tlvpX3sbYkNfXT7HDAZJM_uf5qU2cvDJzlAWxu7-jaBPbDXAjVL8YGpI" />

I generated the URL in the "src" attribute by logging into my own GMail account, then going into the general settings and uploading a picture in the "My Picture" section. I then ticked the "Visible to everyone" checkbox, and right clicked the uploaded image to get the image location.

Fetching the content at that URL does two different things depending on whether or not you're logged into GMail. If you are logged into GMail, it returns an image. If you're not logged into GMail, it redirects to an HTML page. This is why the img tag in my example above works. "onload" is triggered if an image is returned, but "onerror" is triggered otherwise.

I tested this technique in Firefox, Safari, Chrome, Opera and various versions of Internet Explorer and it worked in them all. I reported it to Google and they described it as "expected behaviour" and ignored it.
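From the site operator's side, the leak exists because one authenticated resource answers with a different status (image vs. redirect) depending on session state, and a third-party page can observe that difference through onload/onerror. The following is an added example, not code from this thread or from the linked grepular.com article: a small model of such an endpoint beside a hardened variant that gives cross-site requests the same answer whether or not a session cookie is present. The handler names, the Request/Response classes, the session id and the cookie name are all constructed for illustration; Sec-Fetch-Site and Cross-Origin-Resource-Policy are real browser mechanisms that did not exist when the thread was written.

```python
"""
Model of a login-state leak via HTTP status, and a hardened handler.

Added example: not the thread's or the linked article's code. Request,
Response, the handler names and the session values are constructed.
"""
from dataclasses import dataclass, field

SESSION_COOKIE = "sid"
VALID_SESSIONS = {"s3ss10n-example"}   # constructed sample session id

# Sec-Fetch-Site values that indicate the request did not originate from
# another site. A missing header (old browser, non-browser client) is treated
# as cross-site, i.e. untrusted.
TRUSTED_FETCH_SITES = {"same-origin", "same-site", "none"}


@dataclass
class Request:
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def is_logged_in(req: Request) -> bool:
    return req.cookies.get(SESSION_COOKIE) in VALID_SESSIONS


def is_cross_site(req: Request) -> bool:
    return req.headers.get("Sec-Fetch-Site", "cross-site") not in TRUSTED_FETCH_SITES


def serve_avatar_leaky(req: Request) -> Response:
    # The pattern the thread describes: an image for a logged-in session,
    # a redirect to a login page otherwise. Any embedding page can tell the
    # two apart because <img> fires onload for one and onerror for the other.
    if is_logged_in(req):
        return Response(200, {"Content-Type": "image/png"})
    return Response(302, {"Location": "/login"})


def serve_avatar_hardened(req: Request) -> Response:
    # Cross-site requests get one fixed answer that does not depend on the
    # session at all, so status, redirect and timing carry no login signal.
    # Cross-Origin-Resource-Policy additionally tells the browser to block
    # cross-site embedding of this resource before onload/onerror ever fire.
    corp = {"Cross-Origin-Resource-Policy": "same-site", "Cache-Control": "no-store"}
    if is_cross_site(req):
        return Response(403, corp)
    if is_logged_in(req):
        return Response(200, {"Content-Type": "image/png", **corp})
    return Response(302, {"Location": "/login", **corp})


def login_state_observable(handler, cross_site: bool = True) -> bool:
    """True if a page on another site could distinguish logged-in from
    logged-out users of `handler` by the status code alone."""
    headers = {"Sec-Fetch-Site": "cross-site" if cross_site else "same-origin"}
    logged_in = handler(Request(headers, {SESSION_COOKIE: "s3ss10n-example"}))
    logged_out = handler(Request(headers, {}))
    return logged_in.status != logged_out.status


if __name__ == "__main__":
    for name, handler in (("leaky", serve_avatar_leaky),
                          ("hardened", serve_avatar_hardened)):
        print(f"{name}: cross-site page can detect login state ->",
              login_state_observable(handler))
```

The more robust fix in current browsers is to mark the session cookie SameSite=Lax (or Strict), so it is never attached to a cross-site image load in the first place; the hardened handler above models the same property on the server side for clients that do send the cookie. Whatever mechanism is used, the check to run is the one `login_state_observable` performs: fetch the resource twice from a foreign origin, once with and once without a session, and confirm the responses are identical.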
Panthro

msg:4258502, 6:02 pm on Jan 26, 2011 (gmt 0)

So how does a site owner know if the visitor is logged in to their Google Account or not - isn't the visitor the only one seeing/not seeing the image?
lammert

msg:4258736, 2:05 am on Jan 27, 2011 (gmt 0)

Hi Panthro,

The site owner can craft his JavaScript code for the functions logged_in_to_gmail() and not_logged_in_to_gmail() in such a way that they call back to the home server with the relevant information.