
Facebook detects if you are logged in Gmail - phwd
http://webapps.stackexchange.com/q/20018/40
======
raganwald
Not sure how they are doing this, but I have gotten tired of having to play
“whack-a-mole” with FB scraping private information from my browser in other
ways, so what I have done is sandboxed it: I have a separate “Facebook”
account on OS X, and I assume that anything I do on that account is shared
with Facebook.

I don’t log into Facebook for any reason on my normal user account, and I
don’t log into anything else on my Facebook account. They can still sniff
certain things using browser fingerprinting and so on, but this seems like the
best I can do for the moment on my desktop.

~~~
ceol
> Not sure how they are doing this

Did you happen to read the answers? Two specifically mention that Facebook
requests authentication access (OpenID, I believe) the first time. It appears
this user authorized Facebook at some point in the past and forgot about it.

When I look at this page:
<https://accounts.google.com/b/0/IssuedAuthSubTokens> I can see that at some
point in the past, I allowed Facebook access to my Google Contacts (probably
their "find friends" feature). Facebook could use that to check if you're
logged in.

~~~
kamkha
Did you happen to read the comments on the answers?

> Nope it's not that unfortunately. I tried it myself removing all linked
> accounts. The event above still happens.

~~~
ceol
I was talking about this one:
<http://webapps.stackexchange.com/questions/20018/facebook-detects-if-you-are-logged-in-gmail/20429#20429>

 _"The OAuth tokens for Google are at
<https://accounts.google.com/b/0/IssuedAuthSubTokens> (it's different from
Linked Accounts)._

 _When I tried it, Facebook created a popup with an OAuth prompt the first time
and only briefly opened a blank popup on subsequent attempts. De-authorizing
facebook makes the prompts appear again."_

Unless they're talking about two different prompts?

------
the_mitsuhiko
It's not very hard to do. The trick is to know a resource that only the user
can access and then trigger an HTTP request to it.

For instance if you have website a and say the user profile "mitsuhiko" can
only be edited when you are logged in as "mitsuhiko" on
<http://a.example.com/profile/edit/mitsuhiko> you could use this code to see
if the logged in user is "mitsuhiko":

    <script type="text/javascript" src="http://a.example.com/profile/edit/mitsuhiko"
      onload="user_is_logged_in()" onerror="user_is_logged_out()" async="async"></script>

Why does this work? Because onload is fired if the resource answers with 200
OK, not if it's a valid script. onerror is called for any other error code.

So if you know what you are probing for: easy.

// Edit: Yes, this is most likely not what Facebook is doing if that's their
only method of security. However see my reply to the first comment here about
the security aspect for a possible way to solve this problem.
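
A defensive counterpart to the probe above, added here as an example and not part of the thread: a server-side check on the browser's Fetch Metadata request headers, so that a cross-site `<script>` or `<img>` load of the profile URL gets the same status whether or not the visitor has a session. The handler names, session store and cookie value are constructed for illustration.

```javascript
// Added example: all names, the session store and cookie value are constructed.
const SESSIONS = new Set(["s3ss10n-constructed"]);

// True when the browser says this is a cross-site subresource load, e.g. a
// <script src> or <img src> on another origin's page pointing at our URL.
function isCrossSiteSubresource(headers) {
  const site = headers["sec-fetch-site"];
  if (site === undefined) return false; // older browser: no Fetch Metadata
  if (["same-origin", "same-site", "none"].includes(site)) return false;
  // Cross-site top-level navigations (a followed link) are still allowed.
  const isNavigation = headers["sec-fetch-mode"] === "navigate" &&
                       headers["sec-fetch-dest"] === "document";
  return !isNavigation;
}

function loggedIn(headers) {
  const m = /(?:^|;\s*)sid=([^;]+)/.exec(headers["cookie"] || "");
  return m !== null && SESSIONS.has(m[1]);
}

// Status depends only on login state: this is the onload/onerror oracle.
function profileEditNaive(headers) {
  return loggedIn(headers) ? 200 : 403;
}

// Cross-site embeds are refused before the session is even consulted.
function profileEditHardened(headers) {
  if (isCrossSiteSubresource(headers)) return 403;
  return loggedIn(headers) ? 200 : 403;
}

// Constructed requests: the embedded probe with and without a session cookie,
// and a normal visit from the site's own page.
const probe = { "sec-fetch-site": "cross-site", "sec-fetch-mode": "no-cors",
                "sec-fetch-dest": "script" };
const probeIn = { ...probe, cookie: "sid=s3ss10n-constructed" };
const probeOut = { ...probe };
const ownPage = { "sec-fetch-site": "same-origin", "sec-fetch-mode": "navigate",
                  "sec-fetch-dest": "document", cookie: "sid=s3ss10n-constructed" };

// True if the two probe responses differ, i.e. login state is observable.
function oracleLeaks(handler) {
  return handler(probeIn) !== handler(probeOut);
}

console.log("naive leaks:", oracleLeaks(profileEditNaive));
console.log("hardened leaks:", oracleLeaks(profileEditHardened));
console.log("own page status:", profileEditHardened(ownPage));
```

Browsers that do not send `Sec-Fetch-Site` fall through to the normal path here; marking the session cookie `SameSite=Lax` keeps it off cross-site subresource requests in that case.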

~~~
antimatter15
Except something like this would be easily spoofable, i.e. you could set your
hosts file to make all a.example.com links return HTTP 200's, or open firebug
to call user_is_logged_in() and you could reset passwords without any email.

Also, for something like that you should use <img> instead so it's less of an
XSS risk.

~~~
the_mitsuhiko
> Except something like this would be easily spoofable, i.e. you could set your
> hosts file to make all a.example.com links return HTTP 200's, or open
> firebug to call user_is_logged_in() and you could reset passwords without
> any email.

Yes. But depending on how gmail works it could be made reliable and secure.
For instance if you can share images with gmail users you could generate a
unique image for that user, do the same thing with an <img> tag, access the
image data with JavaScript, send it back to the server and compare if the
contents are the one you shared.

I do not have a gmail account so I don't know if this is possible, it seems
like it would be possible for Google+ from briefly looking at it.

~~~
antimatter15
But with all that, you would need cooperation by both Google and Facebook for
the feature and it would be just as complex as simply using OAuth.

~~~
the_mitsuhiko
It would work on any service that allows you to share an image with one
individual user.

~~~
antimatter15
The service would need to send out the Cross Origin Resource Sharing headers
in order for the image to be accessible via <canvas> and the service also
needs a means for the querying server to test if a certain image is indeed the
one associated with the user.

And if it was an image generated by Facebook, then Facebook must have access
to the account beforehand, and there's no benefit to using this system over
OAuth.

~~~
the_mitsuhiko
> The service would need to send out the Cross Origin Resource Sharing headers
> in order for the image to be accessible via <canvas> and the service also
> needs a means for the querying server to test if a certain image is indeed
> the one associated with the user.

// EDIT: ignore what was here, you're right.

------
antimatter15
When I tried the same thing, it popped up an OpenID dialog the first time, and
I confirmed it by seeing facebook.com on
<https://accounts.google.com/b/0/IssuedAuthSubTokens>. Revoking the facebook
token causes Facebook to prompt again.

Subsequent attempts make the auth dialog flash briefly without displaying any
content and still present the "You can change your password immediately
because you are logged into your email account on this browser" message.

------
irrumator
That's pretty neat, I wish they'd publish on how they did this so others could
use it. Sounds like another great way to remove friction for the user, always
a great thing.

~~~
dylangs1030
Well...except people generally only appreciate these features when they're
allowed explicitly. It's kind of unsettling having a website spontaneously
know your activity elsewhere on the browser. Even well-intended, it can come
off as tracking data.

~~~
irrumator
It is explicit, apparently FB is using OpenID which is information supplied by
you linking the two accounts, completely opt-in. Besides, it's hardly tracking
you with this feature, a boolean: is user logged in to Gmail? Yes|No

If yes, user can be verified quickly and reset their password in an easier
fashion for them. Facebook is trying to make things smoother and not making
you jump into your email to click a link or copy some token id or something.
This is good UX.

~~~
dylangs1030
Ah, alright then. I was under the impression after reading the comments on the
page that OpenID wasn't the cause, I must have misread. Thanks

------
nikcub
It must be using OAuth. I think it was a mistake in the OAuth protocol to not
build in a default, short, expiration for secret keys. Now users (most of them
non-tech savvy) have to rely on visiting the apps page and manually removing
authorizations.

Edit: I just profiled the process, and it is using OpenID. It pops open a new
window that will check your OpenID login and call back with a success and will
close the window if it is. I had to slow down my connection to actually see
it.

------
nchuhoai
I think they should have used that information differently. Given they know
that you are already logged into your gmail, any visitor to your machine will
therefore know how to reset the password to his advantage.

Instead, they should have made a block, so that you are forced to log out of
your gmail and log in to your gmail to enhance security.

~~~
joshmlewis
If they did this you might as well just go to your email and click on the link.

~~~
nchuhoai
What I am saying is that you are forced to re-login to prevent someone
stealing your facebook account when he has access to your computer. Given that
most people stay logged into their gmail, I think this would actually be
helpful.

~~~
yuliyp
If you're logged into your e-mail, then someone can go to Facebook, and start
password recovery, and then go to your e-mail and click the recovery link. If
you're not logged in, then the OpenID authentication will require you to enter
your e-mail. This isn't a weakness, just a convenience.

~~~
nchuhoai
How is that not a weakness if anyone who has access to your computer can set
an arbitrary password on your facebook account? (given you are logged into
your gmail). I think it would be a nice feature if facebook would use that
information to force a relogin

------
jvandenbroeck
So Facebook uses OAuth to log in with Google, I don't get why this is worth 114
points..

~~~
eddieplan9
IMHO, this does not seem to be related to OAuth. OAuth is three-leg
authentication, and the service provider - Google in this case - will prompt
the user to allow the consumer - facebook in this case - to allow an
authentication attempt. Except of course the user has done the authentication
in a previous attempt and facebook cached the token, but based on facebook's
wording, _because you are logged into your email account on this browser_ ,
does not seem to support this.

------
dylangs1030
Question...has anyone noticed if this relationship is reciprocal? I keep an
eye on my Gmail ads to see how far along they track my activity while I am
logged in and browsing, but has anyone noticed Gmail ads showing content that
wouldn't be there without placement or data from Facebook? Obviously this
doesn't apply if you sandbox Facebook as some commenters have, but if you use
both in one browser I mean. I may use Firebug and see if the two communicate
while I'm logged in...

------
zecg
This is really handy: <http://disconnect.me/>

------
Canada
This is why facebook never gets on my noscript whitelist, why I only use it in
a private browsing session and why I hardly ever login.

------
jarin
I ran into that the other day, and was pleasantly surprised. This is how
interconnectivity is supposed to work.

~~~
fauldsh
Exactly my thought as well, it's a pretty cool feature.

------
zerostar07
I've seen this screen, but it only comes up after you give facebook OAuth
access to your Gmail.

------
MartinMond
I bought <http://fluidapp.com/> just for Facebook.

Now I have a nice separate window for browsing Facebook and nothing but
Facebook.

Separate cookie store is awesome.

~~~
gibybo
I like the idea, but I'm not sure if I can trust this level of sand-boxing.
Does it also use a separate cache (web history, etags, image cache, web cache,
etc)? a separate Flash storage? Silverlight storage? HTML5 storage? If any of
them are shared, something along the lines of Evercookie would have no problem
maintaining cookies across the apps.

~~~
MartinMond
Cache is completely separate, Flash and Silverlight (and plugins in general)
aren't sandboxed, which is why I deactivated them for my Facebook Browser. (no
more embedded youtube videos, but they open in my main browser, works just as
well)

------
whackberry
Facebook is amateur when compared to Google

------
res0nat0r
Another day, another post up in arms about Facebook privacy. This is getting
old.

