
Website Technology Issues Forum

    
How using HTTP status codes can reveal private info
determine if site users are logged into Gmail, Youtube, Facebook etc.
Demaestro




 
Msg#: 4258409 posted 4:08 pm on Jan 26, 2011 (gmt 0)

When a user visits your site you can use HTTP response codes to determine if they are logged into a host of websites.

One suggestion for using this data in a "white hat" manner: if they are logged into Gmail and you have an email field in a form, you can pre-populate it with @Gmail.com

A very interesting idea.

https://grepular.com/Abusing_HTTP_Status_Codes_to_Expose_Private_Information


<img style="display:none;"
onload="logged_in_to_gmail()"
onerror="not_logged_in_to_gmail()"
src="https://mail.google.com/mail/photos/static/AD34hIhNx1pdsCxEpo6LavSR8dYSmSi0KTM1pGxAjRio47pofmE9RH7bxPwelO8tlvpX3sbYkNfXT7HDAZJM_uf5qU2cvDJzlAWxu7-jaBPbDXAjVL8YGpI"
/>

I generated the URL in the "src" attribute by logging into my own GMail account, then going into the general settings and uploading a picture in the "My Picture" section. I then ticked the "Visible to everyone" checkbox, and right clicked the uploaded image to get the image location. Fetching the content at that URL does two different things depending on whether or not you're logged into GMail. If you are logged into GMail, it returns an image. If you're not logged into GMail, it redirects to an HTML page. This is why the img tag in my example above works. "onload" is triggered if an image is returned, but "onerror" is triggered otherwise.

I tested this technique in Firefox, Safari, Chrome, Opera and various versions of Internet Explorer and it worked in them all. I reported it to Google and they described it as "expected behaviour" and ignored it.

 

Panthro



 
Msg#: 4258409 posted 6:02 pm on Jan 26, 2011 (gmt 0)

So how does a site owner know if the visitor is logged in to their Google Account or not - isn't the visitor the only one seeing/not seeing the image?

lammert




 
Msg#: 4258409 posted 2:05 am on Jan 27, 2011 (gmt 0)

Hi Panthro,

The site owner can craft his JavaScript code for the functions logged_in_to_gmail() and not_logged_in_to_gmail() in such a way that they call back to the home server with the relevant information.
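
The server behaviour described in the first post, next to one way a site can close it, as an added example that is not part of the thread or the linked article. The handler names, session object and /login path are hypothetical, and the fix assumes the Sec-Fetch-Site request header that current browsers send.

```javascript
// Added example, not code from the thread. Handler names, the session object
// and the /login path are constructed for illustration.

// Behaviour described in the post: an image when logged in, a redirect to an
// HTML page otherwise.
function vulnerableHandler(req) {
  return req.session
    ? { status: 200, headers: { 'content-type': 'image/jpeg' } }
    : { status: 302, headers: { location: '/login' } };
}

// Hardened: a cross-site request is answered as if no session cookie had been
// sent, so the response no longer depends on login state.
function hardenedHandler(req) {
  const site = req.headers['sec-fetch-site'];
  // 'none' means direct navigation (typed URL, bookmark). A missing header
  // (older browser, non-browser client) is treated as cross-site here; that
  // fail-closed choice is an assumption of this example.
  const trusted = site === 'same-origin' || site === 'same-site' || site === 'none';
  const res = vulnerableHandler(trusted ? req : { ...req, session: null });
  res.headers['vary'] = 'Sec-Fetch-Site'; // keep caches from mixing the two cases
  return res;
}

// What an <img> element reports, per the post: onload only if an image comes
// back. Simplification: the redirect is assumed to end at an HTML page.
function imgEvent(res) {
  const type = res.headers['content-type'] || '';
  return res.status === 200 && type.startsWith('image/') ? 'onload' : 'onerror';
}

// Can a third-party page tell the two login states apart through this handler?
function leaksLoginState(handler) {
  const headers = { 'sec-fetch-site': 'cross-site', 'sec-fetch-dest': 'image' };
  const loggedIn = imgEvent(handler({ headers, session: { user: 'alice' } }));
  const loggedOut = imgEvent(handler({ headers, session: null }));
  return loggedIn !== loggedOut;
}
```

Marking the session cookie SameSite=Lax has the same effect for embedded images, because the browser then omits the cookie on cross-site subresource requests.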
