Abusing HTTP Status Codes to Expose Private Information

When you visit my website, I can automatically and silently determine if you’re logged into Facebook, Twitter, GMail and Digg. There are almost certainly thousands of other sites with this issue too, but I picked a few vulnerable well known ones to get your attention. You may not care that I can tell you’re logged into GMail, but would you care if I could tell you’re logged into one or more porn or warez sites? Perhaps http://oppressive-regime.example.org/ would like to collect a list of their users who are logged into http://controversial-website.example.com/?

Ignoring the privacy implications for a second, as a website developer, you might like to know if your visitors are logged into GMail; you could use that information to automatically fill the email fields in your forms with “@gmail.com”… Perhaps you might want to make your Facebook “like” buttons more prominent if you can tell your visitor is logged into Facebook at the moment? Here’s how I achieve this:

…read more

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.