Abusing HTTP Status Codes

Concerns over privacy online are an ever-growing theme. Every day we see people complaining about the policies of Facebook and the like. [Mike Cardwell] points out another method of gleaning a bit of personal data from you that you may not have seen yet. By embedding a hidden image, or with some really simple JavaScript, he can tell whether you are currently logged into Gmail, Twitter, Facebook, or Digg. The trick rests on the browser sending a site's cookies along with every request to that site, even one triggered by an image tag on an unrelated page: if the probed URL answers with an image only when you are logged in, and redirects to an HTML login page otherwise, the image's onload and onerror handlers reveal which of the two responses came back. While this could possibly be used for more nefarious things, he points out that you could also use it to customize your website to better suit the visitor. For example, if the reader is already logged into Gmail, you could have any email links open Gmail instead of the local mail client.
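As an added example (this is not code from the post or from Mike Cardwell's page), the JavaScript below models the hidden-image probe end to end, offline: an attacker-side snippet that builds the probe markup, a stand-in for the target site, and a stand-in for what the browser does when it loads an `<img>`. It then shows the two things a site owner can do about it. The `/avatar` and `/login` paths, the `session` cookie, and the session table are all constructed for the example.

```javascript
// Added example, not code from the Hackaday post or from Mike Cardwell's
// page: an offline model of the hidden-image login probe plus the two
// mitigations available to the target site. The "server" and "browser"
// below are plain functions; paths, cookie names and session values are
// all constructed for illustration.

// Attacker side: the markup that would be embedded in the probing page.
// probeUrl is a hypothetical URL on the target site whose response type
// depends on whether the victim's session cookie is attached.
function buildProbeHtml(probeUrl, onLoggedIn, onLoggedOut) {
  return '<img style="display:none" src="' + probeUrl + '"' +
    ' onload="' + onLoggedIn + '()" onerror="' + onLoggedOut + '()">';
}

// Target site, modelled. Constructed session table: cookie value -> user.
const SESSIONS = { "s3ss10n-alice": "alice" };
const PNG_STUB = "\x89PNG..."; // stands in for real image bytes

// Vulnerable endpoint: logged-in users get an image, everyone else is
// redirected to an HTML login page, so the response *type* leaks state.
function vulnerableServer(req) {
  if (req.path === "/avatar") {
    if (SESSIONS[req.cookies.session]) {
      return { status: 200, contentType: "image/png", body: PNG_STUB };
    }
    return { status: 302, location: "/login" };
  }
  if (req.path === "/login") {
    return { status: 200, contentType: "text/html", body: "<form>...</form>" };
  }
  return { status: 404, contentType: "text/html", body: "" };
}

// Hardened endpoint: anonymous requests get a generic placeholder image with
// the same status and type, so load/error no longer correlates with login.
function hardenedServer(req) {
  if (req.path === "/avatar") {
    return { status: 200, contentType: "image/png", body: PNG_STUB };
  }
  return vulnerableServer(req);
}

// Browser side: what <img src=...> does. Cookies are attached according to
// their SameSite attribute, redirects are followed, and "load" fires only
// if the final response is an image; anything else is "error".
function browserImageLoad(server, cookieJar, path, crossSite) {
  const cookies = {};
  for (const c of cookieJar) {
    // Lax and Strict cookies are withheld from cross-site subresource
    // requests such as images; only SameSite=None cookies go along.
    if (crossSite && c.sameSite !== "None") continue;
    cookies[c.name] = c.value;
  }
  let current = path;
  for (let hops = 0; hops < 5; hops++) {
    const res = server({ path: current, cookies });
    if (res.status >= 300 && res.status < 400 && res.location) {
      current = res.location;
      continue;
    }
    const isImage = res.status === 200 && res.contentType.startsWith("image/");
    return isImage ? "load" : "error";
  }
  return "error"; // redirect loop: the image never loads
}

// The attacker page's inference: an image that loads from a cross-site
// context means "logged in", an error means "logged out".
function probeLoginState(server, cookieJar) {
  return browserImageLoad(server, cookieJar, "/avatar", true) === "load";
}

// Constructed cookie jars for the three situations worth comparing.
const loggedOut = [];
const loggedInNone = [{ name: "session", value: "s3ss10n-alice", sameSite: "None" }];
const loggedInLax = [{ name: "session", value: "s3ss10n-alice", sameSite: "Lax" }];

console.log(buildProbeHtml("https://example.invalid/avatar", "loggedIn", "loggedOut"));
console.log("vulnerable, logged in:  ", probeLoginState(vulnerableServer, loggedInNone));
console.log("vulnerable, logged out: ", probeLoginState(vulnerableServer, loggedOut));
console.log("vulnerable, SameSite=Lax:", probeLoginState(vulnerableServer, loggedInLax));
console.log("hardened, logged in:    ", probeLoginState(hardenedServer, loggedInNone));
console.log("hardened, logged out:   ", probeLoginState(hardenedServer, loggedOut));
```

Two defences fall out of the model. Marking the session cookie `SameSite=Lax` (or `Strict`) keeps it off cross-site image requests, so the probe always sees the logged-out response while same-site image loads still work; that fix does not depend on auditing every endpoint. The per-endpoint alternative is to answer anonymous and authenticated requests with the same status and content type, as `hardenedServer` does, so there is nothing for onload/onerror to distinguish; a `Cross-Origin-Resource-Policy: same-site` header on such responses has a similar effect by making cross-site loads fail regardless of state.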

25 thoughts on “Abusing HTTP Status Codes”

  1. 30 seconds in, and I have to say “cool”. Here’s the first test, verbatim:

    “…First of all. Lets check if you’re logged into GMail right now (not including Google Apps)… (Please enable JavaScript). Now, how did I get that information?…”

    It’s a dangerous web out there everyone. Don’t surf without protection.

  2. I expected more abuse and less…. status codes.
    They can see if I’m logged in to a social networking site, OH NO!

    The real issue is if you can use the JS to pull down the whole page and then regex query for a username/email/real name/address/ip address, then you should worry.

  3. A neat trick, but I am really straining to see how this is a serious concern for anyone.

    His example at the top about being able to tell if you are logged into a porn site is really stretching it, since you need to adapt this trick to each and every site individually. Unless somebody is willing to go through and find URLs to check for every online service/forum in existence, there isn’t a whole lot to be worried about.

  4. Scenario…?

    Check if the user is using Gmail. Open a popup with hidden JS (key tracking) and an iframe to log the user out of Gmail. If the user then logs back in, would it be possible for the hidden JS to track keyboard input for that window?

    Sorry, haven’t programmed JS/web in a while, so not sure if it would work? Any thoughts?

  5. Who cares? CSRF like this has been around for AGES, and is well known too. If I am not mistaken, Gmail has had this “issue” for a long while, and it was even pointed out here.

    You think this is a big deal? Take a look at getComputedStyle() in JavaScript. Set visited links and unvisited links to some static values; you can see quickly where this is going. You will be able to retrieve whether or not the user has visited an arbitrary URL.

    This is nothing new.

  6. In chrome it tells me I’m logged into Twitter when I’ve never actually been to Twitter in recent memory. It does tell me I am logged into FB when I am though.

    In FF it tells me I’m not logged into Twitter and just says “Checking” for Facebook, even though I am logged in there.

    Don’t really see the value of this, but it’s an interesting read.

  7. noscript.

    “First of all. Lets check if you’re logged into GMail right now (not including Google Apps)… (Please enable JavaScript). Now, how did I get that information? Really, really, easily… I generated a hidden image in my HTML similar to this:”

    I don’t think he knows what I’m logged into. Not much of a hack. Nor a new one.

  8. This trick *could* be used to detect if someone is a mod or admin on a given site (thus when they visit the page they see different content). That could result in delayed moderation of malicious links because the mods wouldn’t be able to verify that the link is malicious.

    Or it could be used to target/harass certain users or groups of users who can be uniquely identified by whether or not an image/page can be loaded.

    Or it could be used to trick people into thinking that a malicious page is associated with a site they already have a “trusted” relationship with.

  9. To people asking what the point is? The point is ££££££ / $$$$$$$$

    If the bad guys (an advertising company) know which sites you visit and how often, they can target adverts to you. This means more money in the bank for them.

    Maybe knowing which email provider you use does not give them much ammunition, but knowing what types of forum you visit regularly will.

    As mentioned above, using hidden hyperlinks on a page and then checking if their colour turns to “visited” has already been used to track people’s internet habits for a while.

    The internet is turning into a pretty f*cked up place to hang out…

  10. I hope everyone is using one browser for the casual websites and another (one window or tab at a time) for the “risky” and “interesting” side of the web.
    Surfing without script, history and cache control is asking for trouble.

  11. Most of the suggested abusive uses people are coming up with here seem to be completely ignorant of existing blocks on cross-domain access.

    Site X cannot load up a Gmail page and parse it for information because it’s in a different domain. Likewise, Site X can’t open up a popup to Gmail’s login screen with keylogging enabled because it’s a different domain.

    The closest you can get to accessing information from an external domain through Javascript alone is this method, or by checking the rendered colour of external links to see if they’ve been visited, and even that’s probably been removed now.
