How using HTTP status codes can reveal private info

determine if site users are logged into Gmail, Youtube, Facebook etc.

     

Demaestro

4:08 pm on Jan 26, 2011 (gmt 0)




When a user visits your site you can use HTTP response codes to determine if they are logged into a host of websites.

One suggestion for using this data in a "white hat" manner: if they are logged into Gmail and you have an email field in a form, you can pre-populate it with @Gmail.com.

A very interesting idea.

[grepular.com...]


<img style="display:none;"
onload="logged_in_to_gmail()"
onerror="not_logged_in_to_gmail()"
src="https://mail.google.com/mail/photos/static/AD34hIhNx1pdsCxEpo6LavSR8dYSmSi0KTM1pGxAjRio47pofmE9RH7bxPwelO8tlvpX3sbYkNfXT7HDAZJM_uf5qU2cvDJzlAWxu7-jaBPbDXAjVL8YGpI"
/>

I generated the URL in the "src" attribute by logging into my own GMail account, then going into the general settings and uploading a picture in the "My Picture" section. I then ticked the "Visible to everyone" checkbox, and right clicked the uploaded image to get the image location. Fetching the content at that URL does two different things depending on whether or not you're logged into GMail. If you are logged into GMail, it returns an image. If you're not logged into GMail, it redirects to a HTML page. This is why the img tag in my example above works. "onload" is triggered if an image is returned, but "onerror" is triggered otherwise.

I tested this technique in Firefox, Safari, Chrome, Opera and various versions of Internet Explorer and it worked in them all. I reported it to Google and they described it as "expected behaviour" and ignored it.

Panthro

6:02 pm on Jan 26, 2011 (gmt 0)



So how does a site owner know if the visitor is logged in to their Google Account or not - isn't the visitor the only one seeing/not seeing the image?

lammert

2:05 am on Jan 27, 2011 (gmt 0)




Hi Panthro,

The site owner can craft his JavaScript code for the functions logged_in_to_gmail() and not_logged_in_to_gmail() in such a way that they call back to the home server with the relevant information.
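
From the side of the site that hosts such a resource, an added example (not part of the thread or the linked article) that models the session-dependent image response described above next to a version that answers cross-site loads the same way for every visitor, plus a check that compares what an embedding page could observe. The function names and the request/response shapes are hypothetical; `Sec-Fetch-Site` and `Cross-Origin-Resource-Policy` are standard browser headers.

```javascript
// Added example. Function names and the request/response shapes are hypothetical.

// Behaviour described in the post: the answer depends on the session, so a
// cross-site <img> fires onload (image) or onerror (redirect to an HTML page).
function photoLeaky(req) {
  return req.session
    ? { status: 200, headers: { 'content-type': 'image/jpeg' } }
    : { status: 302, headers: { location: '/login' } };
}

// Hardened: answer cross-site loads before the session is consulted.
function photoHardened(req) {
  const site = String(req.headers['sec-fetch-site'] || '').toLowerCase();
  if (site === 'cross-site') {
    return {
      status: 403,
      headers: {
        'content-type': 'text/plain',
        'cross-origin-resource-policy': 'same-origin',
        vary: 'Sec-Fetch-Site',
      },
    };
  }
  // Browsers that send no Fetch Metadata reach this branch; a SameSite
  // session cookie covers them, since it is not attached to cross-site loads.
  return photoLeaky(req);
}

// What an embedding page can observe from <img>: load or error, nothing more.
function imgEvent(resp) {
  const type = resp.headers['content-type'] || '';
  return resp.status === 200 && type.startsWith('image/') ? 'load' : 'error';
}

// Audit check: does a cross-site image request reveal the login state?
function revealsLoginState(handler) {
  const headers = { 'sec-fetch-site': 'cross-site', 'sec-fetch-dest': 'image' };
  const loggedIn = imgEvent(handler({ headers, session: { user: 'constructed-user' } }));
  const loggedOut = imgEvent(handler({ headers, session: null }));
  return loggedIn !== loggedOut;
}

console.log('leaky:', revealsLoginState(photoLeaky));
console.log('hardened:', revealsLoginState(photoHardened));
```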
 
