Forum Moderators: phranque

How using HTTP status codes can reveal private info

determine if site users are logged into Gmail, Youtube, Facebook etc.

4:08 pm on Jan 26, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 15, 2003
votes: 0

When a user visits your site you can use HTTP response codes to determine if they are logged into a host of websites.

One suggestion for using this data in a "white hat" manner: if they are logged into Gmail and you have an email field in a form, you can pre-populate it with @Gmail.com

A very interesting idea.


<img style="display:none;"

I generated the URL in the "src" attribute by logging into my own GMail account, then going into the general settings and uploading a picture in the "My Picture" section. I then ticked the "Visible to everyone" checkbox, and right clicked the uploaded image to get the image location. Fetching the content at that URL does two different things depending on whether or not you're logged into GMail. If you are logged into GMail, it returns an image. If you're not logged into GMail, it redirects to an HTML page. This is why the img tag in my example above works. "onload" is triggered if an image is returned, but "onerror" is triggered otherwise.

I tested this technique in Firefox, Safari, Chrome, Opera and various versions of Internet Explorer and it worked in them all. I reported it to Google and they described it as "expected behaviour" and ignored it.
6:02 pm on Jan 26, 2011 (gmt 0)

Preferred Member

5+ Year Member

joined:Jan 6, 2011
votes: 1

So how does a site owner know if the visitor is logged in to their Google Account or not - isn't the visitor the only one seeing/not seeing the image?
2:05 am on Jan 27, 2011 (gmt 0)

Senior Member from KZ 

WebmasterWorld Senior Member lammert is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 10, 2005
posts: 2935
votes: 23

Hi Panthro,

The site owner can craft his JavaScript code for the functions logged_in_to_gmail() and not_logged_in_to_gmail() in such a way that they call back to the home server with the relevant information.
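
The following added example is not from the thread or from any site named in it. It shows the server side of the behaviour described above (one URL answering differently depending on session state) next to a hardened handler that answers a cross-site embed as if no session existed. The handler names, the request shape `{ headers, loggedIn }` and the `/login` path are assumptions.

```javascript
// Added example; handler names and the request shape are assumptions.

// Behaviour the quoted post describes: same URL, an image when a session
// exists, a redirect to an HTML login page when it does not.
function leakyHandler(req) {
  return req.loggedIn
    ? { status: 200, headers: { 'Content-Type': 'image/png' } }
    : { status: 302, headers: { Location: '/login' } };
}

// True when another site's page embeds the resource (img, script, ...)
// rather than the user navigating to it. Uses the Fetch Metadata request
// headers; Node lower-cases incoming header names.
function isCrossSiteSubresource(headers) {
  return headers['sec-fetch-site'] === 'cross-site' &&
         headers['sec-fetch-mode'] !== 'navigate';
}

// Hardened form: a cross-site embed is answered as if no session existed,
// so the embedding page observes the same outcome for every visitor.
function hardenedHandler(req) {
  const loggedIn = isCrossSiteSubresource(req.headers) ? false : req.loggedIn;
  const res = leakyHandler({ ...req, loggedIn });
  // Shared caches must not mix cross-site and same-site answers.
  res.headers['Vary'] = 'Sec-Fetch-Site, Sec-Fetch-Mode';
  return res;
}

// Browser-side counterpart: SameSite=Lax keeps the session cookie off
// cross-site subresource requests, covering clients without Sec-Fetch-*.
function sessionCookie(value) {
  return `session=${value}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Constructed sample: a cross-site <img> request as the server sees it.
const probeHeaders = {
  'sec-fetch-site': 'cross-site',
  'sec-fetch-mode': 'no-cors',
  'sec-fetch-dest': 'image',
};

// Status codes returned to a logged-in and a logged-out visitor.
function probeOutcomes(handler) {
  return [true, false].map(
    (loggedIn) => handler({ headers: { ...probeHeaders }, loggedIn }).status
  );
}

console.log('leaky   :', probeOutcomes(leakyHandler));
console.log('hardened:', probeOutcomes(hardenedHandler));
```
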
