Abusing HTTP Status Codes To Expose Private Info 133
An anonymous reader writes "Here's a neat technique for testing if people are logged into other websites. Examples for Facebook, Twitter, GMail and Digg are provided." Like we needed more reasons to use the Chrome incognito function.
HTTP 502 - Service temporarily overloaded (Score:3, Informative)
Yes, that link is really neat!
HTTP 502 - Service temporarily overloaded
Re: (Score:2)
Re:HTTP 502 - Service temporarily overloaded (Score:4, Informative)
Slashdotted already? Damn!
Try Google's cache http://webcache.googleusercontent.com/search?oe=UTF-8&hl=pt&q=cache:kZYcDFibjHcJ:https://grepular.com/Abusing_HTTP_Status_Codes_to_Expose_Private_Information [googleusercontent.com]
Re: (Score:2)
Link to Google cache [googleusercontent.com]
Re: (Score:1)
s/Corel/Coral/, obviously.
Re:HTTP 502 - Service temporarily overloaded (Score:4, Informative)
I believe you're supposed to abuse the HTTP error code somehow to get the content.
Corel Cache [nyud.net] also works.
Incognito anyways (Score:1)
This is quite scary. Though, I always use the Incognito mode when browsing sites I don't trust as much as others (ahem).
Re:Incognito anyways (Score:5, Insightful)
I doubt that halps against the technique presented in TFA, because it does not depend on Cookies or anything that is blocked in Incognito mode. Basically, they only rely to a HTTP request to the site to be checked, using JavaScript to determine the HTTP status. Thus, disabling JavaScript helps. The Firefox Addon "Request Policy" should, according to the autor of TFA, help, too.
Re: (Score:1)
It depends on there being some authentication between your browser and the website being checked; for gmail, that's a cookie...
Re: (Score:2)
Right, so blocking content from facebook.com (and fbcdn.com) except when you're on a facebook.com page, ought to work?
Adblock Pro gives me the ability to disallow content when it's "third party" and I already make use of this feature. If the page wasn't /.ed I'd give it a try...
Re: (Score:2)
The technique does depend on cookies (if indirectly), since social networking sites (and indeed any site using sessions) depend on cookies to maintain their sessions. Incognito mode doesn't block cookies; it just makes sure they're deleted once you close the browser, so it won't provide any defence against the "attack".
Also, it would be straightforward to adapt the technique to work in IE by using AJAX requests instead of script tags to query the URLs to be checked.
Re: (Score:2)
You can't do cross domain xhttprequests, so you can't do it via AJAX.
Re: (Score:2)
Yet another reason browsers need to sandbox sites from each other. No local file (cookie, flash cookie, DOM (HTML5) storage, browser cache, and of course URL history) should be accessible by any site other than the one that set it, in any way. If the HTTP requests were done in the same sandbox as the site performing them, they wouldn't have access to the other sites' cookies, and this problem wouldn't exist. This would also reduce the effectiveness of Facebook's and Google's tracking systems, but that's a g
Re: (Score:2)
Re: (Score:3)
You can log in, however it gives you a blank cookie jar to start. You would have to log in to Gmail from within Incognito mode in order for this site to detect you.
Re: (Score:3)
It disables existing cookies.
If you go and log into Facebook within the Incognito session, yes, this trick will work. But it can't tell if you were logged in before that.
Re: (Score:2)
Well, basically by disabling cookies Incognito mode loggs off your Facebook session, so the test (correctly) determines you are not logged in. Thus, you do not break the test itself.
If that's the same thing is debateable, I admit. But as the technique's potential might go beyond checking Cookie-based logons, I think the difference is worth pointing out.
The idea behind it... (Score:5, Informative)
The technique involves using Javascript to load an image only available when logged in to one of these services, and checking the HTTP status code returned.
Doesn't seem to be a ton of potential for abuse, but I suppose it's somewhat privacy-related.
Re:The idea behind it... (Score:5, Interesting)
Re:The idea behind it... (Score:4, Informative)
Looks like you've just rediscovered the idea of cross-site scripting.
Wikipedia says:
"Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. "
Re: (Score:2)
http://developers.facebook.com/docs/api [facebook.com] XSS magic supplied by FB [facebook.com]
Re: (Score:3, Informative)
Precisely why a lot of discussion boards do not allow images in their signatures, especially third-party images. Also why so many companies used to offer "free counters" and "enhanced email with images" (a' la IncrediMail) and whatnot as long as they were served from THEIR site. You can collect a lot of information about users of a site without the complications of having to compensate the site owners or having them cooperate with you.
Re: (Score:2)
I don't know... What if I would do this in my slashdot signature, trying to load a picture only available for people on the RIAA Intranet. Then I could show a different signature to the RIAA than to everyone else. Copy/Paste for FBI, your HR/employer, or even your spouse.
Except that this is a different method altogether. It's always been possible to push different contents based on different IPs, but this is about being able to tell whether or not you're logged into certain websites or not.
Re: (Score:2)
What if I would do this in my slashdot signature
I don't think /. allows javascript in signatures.
Re: (Score:2)
If you know someone has an account on FB/Google/Hotmail/PayPal and are currently logged into it you could try using a phishing attack. PayPal in particular keep demanding your password if you are inactive for five minutes. History shows that users see password prompts simply as barriers to what they want to do and so will mindlessly type their secret into any vaguely official looking box.
Law enforcement could use it to detect people with accounts on illegal sites too, e.g. Twitter or Facebook in countries w
Re: (Score:1)
How would this technique add any useful information to law enforcement's monitoring in countries with banned sites? Assuming I owned the HTTP stream (literally), I could discover pretty much whatever I want without resorting to this.
Look what happened in Tunisia. Since they literally owned the HTTP stream, they just injected code to harvest personal information. XSS protection is useless if the basic stream is compromised.
Re: (Score:2)
Say the person logs in over a VPN or Tor. The cookie they get to be logged in is the same as an unencrypted connection so it could be used to determine if they were circumventing blocks or trying to hide their actions online.
Re: (Score:2)
Compute cycles are cheap when you're running a script on someone else's computer. Why not just try it anyway? If they're not logged in, it won't work. If they are, it will. Checking to see whether or not you think it will work is only useful if you care about the user you're about to rob.
Re: (Score:2)
Because even the people who mindlessly type in their password to anything that looks vaguely like their paypal account might wonder if they either don't have a paypal account or haven't gone to paypal. You don't want them reporting your site too soon.
Re: (Score:3)
There was a similar technique that determines if a site has been visited, using user history and CSS. creating a bunch of links and using the :visited CSS tag then use javascript to loop through the links to determine their visited status (ie, using width, or padding, or colour set by the CSS)
The images thing seems to be along the same lines, as far as privacy issues go anyway.
Re: (Score:2)
Incog Newb (Score:1)
Re: (Score:2)
Why ? It does not solve this problem.
Not quite (Score:1)
It might not work as well as they think. I got this as I read down a bit:
Actually, I am browsing with Chrome, but have not opened GMail in this session at all, not once since the reboot. Maybe it is something Chrome is doing, since I get "No, you're not logged in" while using the incognito window.
Re:Not quite (Score:4, Interesting)
It might not work as well as they think. I got this as I read down a bit:
Actually, I am browsing with Chrome, but have not opened GMail in this session at all, not once since the reboot. Maybe it is something Chrome is doing, since I get "No, you're not logged in" while using the incognito window.
If you are using your gmail account to download bookmarks, custom home page or whatever Chrome may be logging into gmail for, it may throw off the result.
However, in saying that, I noticed that it reported me logged into Facebook, which I am not, nor have I since my last reboot. I'm running Firefox 3.6.13.
Re:Not quite (Score:4, Insightful)
Your login info could be stored in a cookie, in which case his image request will use the cookie info and automatically log you in.
Re: (Score:2)
And the point is not necessarily to know if you're logged in, but that you are a Facebook user (because your browser acknowledges that it is or has logged in).
Therefore, it succeeded.
-dZ.
Re: (Score:2)
Firefox and Chrome both have options to "Save Your Session" when you log out. Most people tend to have these on, because they're remarkably convenient. However, it means Session-Only cookies are not deleted on browser close (or even a computer reboot). If you open Firefox and all your old tabs open right back up with where you were last time you were on, you probably have this enabled. So even if you haven't logged in to a given website in a couple weeks, you may still be "logged in" as the previous log
Re: (Score:2)
Re: (Score:3)
Re: (Score:1)
The cached version (Score:4, Informative)
Slashdotted. (Score:1)
Re: (Score:1)
How it works (Score:5, Informative)
For GMail, he added an image to his own GMail account, which he set to "visible for everyone". On his own site he added an invisible img and tries to access the image in his GMail account. He then triggers a javascript function depending on the outcome of the img inclusion (onload or onerror), so he can make the decision, if the visitor of his website is logged in to GMail.
For Facebook, Twitter and Digg he uses http status codes. He tries to access some URL (https://www.facebook.com/imike3) via javascript and depending on the status code he gets, he can decide whether you are logged in or not. This attack doesn't work with IE or Opera, because they do not trigger the onload/onerror events when receiving invalid js.
Re: (Score:3)
It's expected behavior. Many many sites uses javascript or images loaded from elsewhere. Google Analytics, the little badges that say that your site cert is good, on and on.
Re: (Score:2)
So... does this mean things like NoScript automatically prevent the issue? I already put google-analytics on the blacklist so it's never displayed in the NoScript menu and the like.
Re: (Score:2)
So... does this mean things like NoScript automatically prevent the issue?
Yep - all his proof of concepts needed javascript turned on for his domain.
A little bit of No Script goes a long way (Score:1)
The "Hack" seems to only work when scripts are enabled for the full base of a particular website. If I only enable static.ak.fbcn.net, I can still use facebook functionality but this "hack" can't tell that I'm logged in. The point of my story is if you're using Firefox with NoScript (and you have a vague idea what you're doing), you're still safe. I'm still wary of using Chrome.
Um...no? (Score:2)
It says I was logged into GMail (correct) and Facebook (incorrect).
Not only do I not have a Facebook account to be logged in to, the computer I'm using has never directly gone to facebook.com. Other sites may have inlined facebook stuff, but I still don't have an account there.
So what gives? No, no one else uses this computer. Yes, I am absolutely, 100% certain.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
You didn't say which browser you are using. The article states that the facebook/twitter detects don't work in IE or Opera.
They didn't work in Firefox for me. Had to disable AdBlock and the Facebook one still didn't work (but thats blocked at work). Twitter worked after disabling ad block though even though I've not been on it today.
Re: (Score:2)
Well, if you read how the trick works, then you will understand why "blocked by company fw" explains that... Error on loading the images indicates you are logged in.
Re: (Score:2)
Re: (Score:1)
Nope (Score:1)
Ho hum (Score:2, Informative)
No, I am not (Score:1)
I was logged into Slashdot and that bloody web page said I was logged into facebook. I would NEVER use facebook. Damn liar....mumble mumble
Re: (Score:1)
I suspect this method has a "bug" or its not working as expected in Chrome:
1) I am logged into Google apps, but it says I am not.
2) I do not have a twitter account, but it says I am logged in (and its blocked by Websense).
Something odd is afoot.
Re: (Score:2)
He states that the Gmail version doesn't detect if you are logged into Google apps.
I suspect that his technique shows you as being logged into twitter BECAUSE it is blocked by Websense. His method for detecting a twitter login relies on attempting to access a twitter URL and looking at the HTTP status code that comes back. In your case Websense is not allowing the connection to twitter, but it is returning a valid HTML page with an OK status -- the page that says you've tried to access a site that is bloc
I wouldn't call this status code abuse (Score:2, Informative)
This is a javascript thing, not a problem with HTTP result codes. And a cookie problem too.
The idea here is that your page offers a script to the user, the user elects to execute this script with his own permissions, and the script requests resources from some other website and either fails or succeeds, and that success/failure implies certain facts about the user.
But when you describe it like that, does the fact that success/failure is detected, really look like the dangerous and scary part, or do your ey
Re: (Score:2)
The real solution is to set a cookie with a path on the site where people are logged in and not have any images in that path on the webserver.
Re: (Score:2)
Or use a different domain ofcourse.
Re: (Score:2)
I re-read part of the article, seems not all browsers check if it is valid javascript if a script-tag is used. I consider that a browser bug.
Or just use NoScript w/ FF (Score:4, Informative)
Are you logged into Twitter ? (Please enable JavaScript)
Are you logged into Facebook? (Please enable JavaScript)
Re: (Score:1)
NoScript FTW
Re: (Score:2)
This is just a CSRF attack (Score:3, Informative)
The author of this article seems to have discovered the CSRF attack. Congratulations and welcome to the year 1990.
http://en.wikipedia.org/wiki/Cross-site_request_forgery [wikipedia.org]
Re: (Score:2)
The only novel thing he appears to have done is trying to load a static resource that requires you to be logged in. I haven't seen it done this way before, but it's a small refinement on an existing attack, not a novel attack.
Re: (Score:2, Insightful)
Pray tell, how would one have executed a CSRF attack in 1990?
Re: (Score:2)
The same way one does in 2011?
Sort of... (Score:2)
Only he thinks I'm logged into Facebook. But I don't have a Facebook account, so I can't be. And this is my work computer which gets locked when I leave my desk so no one else has logged in (plus I have an office door that I lock behind me).
*tin foil hat time*
I even have *facebook.com and *fbcdn* blocked in AdBlockPlus though since I don't really want Facebook building a user-profile about me with all those nefarious "like" buttons it got chumps to place on none-facebook sites. They dont' need to know wh
Re: (Score:2)
There is perhaps a simple explanation for it, as the script only checks the return code and not the contents, an error page created by a corporate firewall (or something similar which blocks facebook with some explaining page) could also return 200 instead of an error and it would show you as logged in.
Article not entirely correct (Score:1)
For example, I logged into my gmail account, and close the tab without logging out. The code from the article shows that I am still logged in -- true from a technical standpoint, but I closed out the gmail tab already. Likewise with facebook. However, all the code can really do is test whether or not the current
Worse than you think (Score:3)
I did a small amount of testing and it appears to me that this technique permits more leaks of user's behavior than stated directly in the article.
Lots of websites leave you "logged in" for a while, including /. This means that the user does not have to have an open page or tab, and may not perceive that he or she is actually "logged in." For example, amazon.com.
These sites produce a different page and results for certain actions depending on that status. It looks like Cardwell's method could detect this difference. Suppose you knew what shopping sites a user preferred? First, that provides likely demographic and gender information. Second, if in fact you were able to steal login credentials you would know immediately where you could use them. Third, you could use that information for social engineering in phising fraud. Fourth, you could promote your particular item for sale, on say, ebay or amazon.
Click that logout button, cowboy!
Re: (Score:2)
There is always the NoScript plugin. (Score:1)
Known in 2008 and blogged (Score:3)
Somebody submit a bug report (Score:3)
I really can't believe this hasn't been solved for Firefox. The fix is really simple - if the content-type of the request is not javascript, then fire the onerror condition as well.
The other worrying thing is that you can perform actions that impersonate the user as long as they use GET requests. For example, I can log you out of Slashdot by putting the logout URL as the javascript source. I don't really see a way around that other than using HEAD requests for 3rd-party domains.
Re: (Score:2)
That wouldn't work for the Google example -- the content-type of the <img> is an image type. Similarly, if the site was actually serving JavaScript only to logged-in users, you could request one of those resources in the <script> tag.
Re: (Score:2)
I believe you didn't read it clearly.
It's a script tag pointing to an image at Google INSTEAD of a script file:
<script type="text/javascript" onerror="logged_in()" onload="logged_in()" src="http://someimageatgoogle"></script>
It was returning successful when the content loaded, regardless of the actual content-type returned. Even though, instead of text/javascript, it actually returns image/gif and binary data, the event handlers return based on the HTTP status code rather than the success of ac
Re: (Score:2)
Sorry - one of those logged_in() should have read not_logged_in()
Re: (Score:2)
No -- the Facebook and Twitter ones work like that. The Gmail exploit, in TFA, is the following code:
<img style="display:none;" />
onload="logged_in_to_gmail()"
onerror="not_logged_in_to_gmail()"
src="https://mail.google.com/mail/photos/static/ <snip to avoid Slashdot filter >"
So it's an image loading an image, just from a different domain.
Re: (Score:2, Informative)
Half the text is cropped by an overhanging left-menu if I use my normal text size. Gah!
Re: (Score:3)
I don't see how his comment is flamebait. Increase your font size, you can easily replicate the bug he mentioned.
Re: (Score:1)
Re: (Score:2)
I can only get all the comments to display if I don't have the "Classic" interface. When I select it, only the first comment (and the first child of each comment under it) show up.
Perhaps they have the same issue?
Re: (Score:2)
To be fair, that's because designers don't expect people to use non-standard font sizes in an age of browsers that have full-page zoom capability (although it's a good idea to make sure at least +/-2 font size works...I have to push it to +4 to get the text under the left menu), and getting text to wrap on web pages is generally a total bitch, and will continue to be until CSS3 rolls out.
Re: (Score:2)
But do all browsers have full-page zoom? And is it the default setting?
Re: (Score:2)
Yeah I'm pretty sure that's the default on all the latest browsers.
Re: (Score:3, Insightful)
The new /. still sucks big time. Yeah. Mod me offtopic, why dontcha.
More likely redundant since everyone knows it already.
Re: (Score:3, Insightful)
Everyone except those who should fix it, apparently.
Re: (Score:3, Informative)
You could write your own CSS or get an existing one [userstyles.org]
Re: (Score:3)
Ha. Possible. My alternative theory is that the new site is using our computers to make BitCoin. I have one core pegged at 100% utilization by Firefox when browsing the site.
Re: (Score:1)
I only *have* one core, you insensitive clod!
(and yes, it's very nicely pegged at 100%.)
Re:And let's not forget... (Score:4, Insightful)
It now takes 3-5 seconds to 'preview' a one line text post,
Wow, that's an improvement to before where it would take upwards of 10-20 seconds for the preview to finish.
Re: (Score:2)
It still takes 10-20 here.
Re: (Score:2)
Yes. Next!