Abusing HTTP Status Codes To Expose Private Info
Posted by CmdrTaco from the i-see-what-you-did-there dept.
An anonymous reader writes "Here's a neat technique for testing if people are logged into other websites. Examples for Facebook, Twitter, GMail and Digg are provided." Like we needed more reasons to use the Chrome incognito function.
Re:And let's not forget... (Score:3, Insightful)
The new /. still sucks big time. Yeah. Mod me offtopic, why dontcha.
More likely redundant since everyone knows it already.
Re:And let's not forget... (Score:4, Insightful)
It now takes 3-5 seconds to 'preview' a one line text post,
Wow, that's an improvement to before where it would take upwards of 10-20 seconds for the preview to finish.
Re:Incognito anyways (Score:5, Insightful)
I doubt that helps against the technique presented in TFA, because it does not depend on cookies or anything that is blocked in Incognito mode. Basically, they only rely on an HTTP request to the site to be checked, using JavaScript to determine the HTTP status. Thus, disabling JavaScript helps. The Firefox add-on "Request Policy" should, according to the author of TFA, help, too.
Re:And let's not forget... (Score:3, Insightful)
Everyone except those who should fix it, apparently.
Isn't this just CSRF? (Score:0, Insightful)
Cross-Site Request Forgery?
Re:Not quite (Score:4, Insightful)
Your login info could be stored in a cookie, in which case his image request will use the cookie info and automatically log you in.
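The two comments above describe the two halves of the probe: the attacker's page makes the victim's browser request a resource on the target site, the browser attaches whatever cookies it holds for that site, and the attacker's JavaScript learns only whether the subresource loaded or errored, which differs with the HTTP status the target returns. The following is an added example, not code from the thread or from the linked write-up, that models this end to end in Node so it can be run offline. The origin names, the `sid` cookie, the `/me/avatar.png` endpoint and the `valid-session` value are all made up for the illustration. It goes slightly beyond the 2009 discussion by also modelling the `SameSite` cookie attribute, which did not exist at the time and is now the standard defence: a cookie marked `Lax` or `Strict` is not sent on a cross-site `<img>` or `<script>` load, so the probe sees the same "error" for every visitor.

```javascript
// Added example: a model of the login-state probe discussed in the thread.
// All names (victim.example, evil.example, "sid", "/me/avatar.png",
// "valid-session") are assumptions made up for the illustration.

// --- Target site ("victim.example") --------------------------------------
// One endpoint is only loadable with a valid session; anonymous requests
// are redirected to an HTML login page. This asymmetry is what leaks.
const SESSION_COOKIE = "sid";

function targetSite(path, cookies) {
  if (path === "/me/avatar.png") {
    return cookies[SESSION_COOKIE] === "valid-session"
      ? { status: 200, contentType: "image/png" }
      : { status: 302, location: "/login" };
  }
  if (path === "/login") return { status: 200, contentType: "text/html" };
  return { status: 404, contentType: "text/html" };
}

// --- Browser model -------------------------------------------------------
// Each cookie-jar entry records its SameSite attribute. Cookies marked Lax
// or Strict are withheld from cross-site subresource loads (<img>, <script>);
// a cookie set in 2009, before the attribute existed, behaves like "None".
function cookiesFor(jar, crossSite) {
  const out = {};
  for (const c of jar) {
    if (crossSite && (c.sameSite === "Lax" || c.sameSite === "Strict")) continue;
    out[c.name] = c.value;
  }
  return out;
}

// Loads a path the way an <img> element does: follows redirects, then fires
// "load" only if the final response is a 2xx image, "error" otherwise. The
// embedding page never sees the body, headers or status, only the event.
function imgLoad(path, jar, crossSite) {
  const cookies = cookiesFor(jar, crossSite);
  let resp = targetSite(path, cookies);
  for (let hops = 0; resp.status >= 300 && resp.status < 400 && hops < 5; hops++) {
    resp = targetSite(resp.location, cookies);
  }
  const ok = resp.status >= 200 && resp.status < 300 &&
             resp.contentType.startsWith("image/");
  return ok ? "load" : "error";
}

// --- Attacker page ("evil.example") --------------------------------------
// Equivalent to what the real page would do in a browser:
//   var i = new Image(); i.onload = loggedIn; i.onerror = loggedOut;
//   i.src = "https://victim.example/me/avatar.png";
function probeLoginState(jar) {
  return imgLoad("/me/avatar.png", jar, /* crossSite */ true) === "load"
    ? "logged in"
    : "logged out";
}

// --- Scenarios (constructed cookie jars) ---------------------------------
const JAR_EMPTY  = [];                                                        // fresh profile, e.g. Incognito
const JAR_LEGACY = [{ name: "sid", value: "valid-session", sameSite: "None" }]; // 2009-style session cookie
const JAR_LAX    = [{ name: "sid", value: "valid-session", sameSite: "Lax" }];  // modern default

function runScenarios() {
  return {
    anonymous:     probeLoginState(JAR_EMPTY),   // "logged out"
    legacyCookie:  probeLoginState(JAR_LEGACY),  // "logged in"  <- the leak
    laxCookie:     probeLoginState(JAR_LAX),     // "logged out" <- SameSite closes it
    // The user browsing victim.example directly (same-site) is unaffected.
    firstPartyLax: imgLoad("/me/avatar.png", JAR_LAX, false), // "load"
  };
}

console.log(runScenarios());
```

The model makes the practical point of the thread explicit: the probe works only because the browser attaches the target site's cookies to a request the attacker's page triggered, so anything that breaks that link defeats it, whether a fresh cookie jar, blocking the cross-site request in the first place (the RequestPolicy approach mentioned above), or, today, session cookies marked `SameSite=Lax` or `Strict`. Disabling JavaScript removes the attacker's ability to observe the load/error event but not the request itself.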
Re:This is just a CSRF attack (Score:2, Insightful)
Pray tell, how would one have executed a CSRF attack in 1990?