
Show HN: Your Social Media Fingerprint (maybe NSFW) - Capira
https://robinlinus.github.io/socialmedia-leak/
======
zerognowl
This is why I use 'browser isolation', which is a way to separate different
types of surfing activity into different buckets. Currently the best way to do
this in Firefox is to create multiple profiles, or in Chrome, you can simply
add a different user/persona.

Having one profile, or even an entire dedicated browser just for Twitter/FB
ensures the login is not spilled over into other sites. If you're surfing the
web heavily, I would recommend spawning a new private window so cookies, and
other artefacts are not bleeding into your session.

It sounds like common sense, but many people have cookies and login
information persisting for years at a time in their browsing sessions. The
Mozilla Firefox team are planning to introduce a feature which makes
compartmented surfing sessions a lot more user-friendly by separating sessions
into tabs. Currently, the 'profiles' feature of Firefox is not user friendly
and requires a bit of tinkering with the filesystem.

~~~
Bartweiss
At risk of being depressing, it's worth knowing that a dedicated profiler can
reconcile accounts across all of the protections you've mentioned - not just
as a targeted attack, but algorithmically.

There are a lot of fingerprinting tricks which transcend cookie restrictions
and user profiles. The battery percent/value one will reconcile all accounts
on one device (as will several others, like fonts). If you log into one bucket
on multiple devices, it becomes possible to traverse devices and reconcile
one-device profiles via the shared profile. If I were truly paranoid, I would
only trust "separation" if it involved a clean account on a clean device on a
clean network.

None of which is to say that you shouldn't do this! I do lots of privacy
things which aren't bulletproof, and I think other people should also.
Fighting common tracking structures is still progress, and tools like
bucketing and Privacy Badger are great ways to do this.

It's just also worth noting that dedicated profiling will break all but the
most pathological defensive measures.

~~~
antocv
Indeed.

Another trick is to change or settle for one very common user-agent across all
browsers, and to run them with differently sized windows.

~~~
emodendroket
At this point you may as well just go full rms and use wget to download pages
which you then read offline.

~~~
andai
Would it be possible to make a browser plugin to do exactly that?

~~~
emodendroket
Well why?

------
Pxtl
FYI, it's _very_ NSFW in the back-end. Your browser is sending requests to
obvious porn servers when you hit this link so it can test if you're logged in
to them.

~~~
xexers
Corporate IT admins, care to comment here? If you see a single connection to
youporn, do alarm bells go off?

~~~
ganeshkrishnan
Yes, we initiate protocol zero once the sirens sound off.

IT team then calls in air support

------
the8472
The Firefox and Tor devs are cooperating to upstream a Tor Browser feature
that isolates cookie stores and similar things based on the domain shown in
the URL bar[0]. Available in Nightly by enabling privacy.firstparty.isolate =
true in about:config.

Additionally they're also working on a more customizable version of that
called contextual identities[1], which eventually will also be manageable by
extensions[2].

And of course addons that block cookies in cross-origin requests or
cross-origin requests in general such as uMatrix[3] also plug this hole.

[0]
[https://bugzilla.mozilla.org/show_bug.cgi?id=1260931](https://bugzilla.mozilla.org/show_bug.cgi?id=1260931)

[1] [https://blog.mozilla.org/tanvi/2016/06/16/contextual-identities-on-the-web/](https://blog.mozilla.org/tanvi/2016/06/16/contextual-identities-on-the-web/)

[2]
[https://bugzilla.mozilla.org/show_bug.cgi?id=1302697](https://bugzilla.mozilla.org/show_bug.cgi?id=1302697)

[3] [https://github.com/gorhill/uMatrix](https://github.com/gorhill/uMatrix)

------
diegorbaquero
In Chrome: Settings > Privacy > Content Settings > Tick 'Block third-party
cookies and site data'

Also set 'Send a "Do Not Track" request with your browsing traffic'

And install uBlock Origin, ofc.

~~~
pwenzel
As somebody who tried to build code respecting "Do Not Track" preferences, I
have to say that feature, while well-intended, is a complete farce.

Chrome, Safari, Firefox, IE9, IE10, and IE11 all use different APIs for Do Not
Track [1], so a front-end developer has to do a lot of extra leg work to check
if the user has the preference set.

I find it highly unlikely that most companies would go through the effort of
respecting Do Not Track.

[1] [https://developer.mozilla.org/en-US/docs/Web/API/Navigator/doNotTrack](https://developer.mozilla.org/en-US/docs/Web/API/Navigator/doNotTrack)

~~~
cpeterso
Wow. I am surprised at how many different ways Firefox, Safari, and IE9/10/11
implement an API as simple as navigator.doNotTrack.

~~~
amelius
This almost seems like a case of defective by design.

------
spacemanmatt
TIL YouPorn is considered social media

~~~
pluma
I heard they have an active comment section.

~~~
sliverstorm
I go there for the comments?

~~~
pluma
It's not YouPorn but there's this gem of a tumblr:
[http://pornhubcommentsonstockphotos.tumblr.com/](http://pornhubcommentsonstockphotos.tumblr.com/)

------
dorianm
So, loading favicon.ico via a redirect-type parameter:

    <img onload="alert('logged in to fb')" onerror="alert('not logged in to fb')" src="https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Ffavicon.ico">

------
amelius
Shouldn't a browser _not_ send cookies when the request comes from a different
domain? That would seem like the most sensible solution to me. Unless somebody
can show a caveat of course.

~~~
trendia
I believe that cross-site scripting [0] can be used to get around domain
restrictions.

[0] [https://en.wikipedia.org/wiki/Cross-site_scripting](https://en.wikipedia.org/wiki/Cross-site_scripting)

[1] (This is not my area of expertise. If I'm not correct... please let me
know!)

~~~
AgentME
No, that's not really related. Cross-site scripting's name comes from the
vulnerabilities which allow an attacker to insert a <script> tag pointing at a
script on another domain (or an inline script). It doesn't have to do with
cookies and doesn't get around or really interact with the "block 3rd party
cookies" setting.

------
Scirra_Tom
Very good demonstration, thank you.

Some interesting (and unethical) potential marketing opportunities here. For
example, at the bottom of articles only show share actions for social
platforms they are logged into.

~~~
amelius
Not logged in != doesn't have an account

~~~
CoryG89
Maybe you just use it for prioritization. For example, if they are logged into
Reddit and Twitter: show buttons for Reddit and Twitter, then just have a more
button that opens a dialog with other supported services.

------
denzil_correa
Apparently. I am not logged into anything. I tried it on Opera (along with the
internal ad blocker) and I'm not using Privacy Badger.

~~~
thescriptkiddie
This only works if you have third party cookies turned on. I'm not sure about
Opera, but I'm pretty sure Firefox has them off by default.

~~~
Tepix
Firefox has third party cookies enabled by default, PLUS they hide the setting
so you have to search for it to disable it.

I'm 100% sure that they designed it that way to please Google. The pull
requests to change it were ignored. And then they claim to be your partner in
keeping your privacy.

AFAIK only Safari has 3rd party cookies disabled by default. There are only
very few sites that require 3rd party cookies. I use none of them.

~~~
bzbarsky
> AFAIK only Safari has 3rd party cookies disabled by default.

Safari's "3rd party cookies disabled" behavior is not the same as the Firefox
one. Firefox's blocks third-party cookies (though it's hard to tell whether it
just blocks _setting_ or also blocks _sending_). Safari does something where
they send them in some cases, but I'm having a hard time determining which
cases, possibly because they've changed behavior a few times. At one point
they blocked third-party cookies, _unless_ the third-party site has previously
been visited as a first-party site. What this meant in practice is that Safari
wouldn't block third-party cookies for things like Facebook or Google that you
probably have visited as a first party.

At this point they _may_ be doing double-keying of cookies instead (top domain
and third-party domain as key, not just the third-party domain). As I said,
it's a bit hard to tell from the documentation out there, which is conflicting
and contradictory, and I have no time right now to go read the source. And
even then they might only be doing double-keying in the "never visited as
first party" case...

The point of all of which is, "blocking third party cookies" is not a
well-defined thing and different browsers mean quite different things, with
different web compat impact and site breakage, when they say they do it.
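
To make the distinction above concrete, here is an added toy model (not code from this thread or from any browser) of four cookie policies, including the first-party isolation the8472 mentions, run against the login.php?next=/favicon.ico probe; social.example, attacker.example and the session value are constructed.

```javascript
// Added example, not from the thread or any browser: a toy model of four
// cookie policies, run against the login.php?next=/favicon.ico probe, to show
// why "block third-party cookies" means different things. Domain names and the
// session value are constructed.

// Each policy decides how the jar is keyed and whether a third-party request
// may use cookies at all. `browser` is passed in so a policy can consult
// history, as the old Safari rule did.
const policies = {
  // Plain jar keyed by cookie domain; third-party requests carry cookies.
  allowAll: {
    key: (topSite, domain) => domain,
    thirdPartyAllowed: () => true,
  },
  // Firefox-style "block third-party cookies": third-party requests neither
  // set nor send cookies.
  blockThirdParty: {
    key: (topSite, domain) => domain,
    thirdPartyAllowed: () => false,
  },
  // The earlier Safari rule bzbarsky describes: third-party cookies are
  // blocked unless the domain was previously visited as a first party.
  blockUnlessVisited: {
    key: (topSite, domain) => domain,
    thirdPartyAllowed: (browser, domain) => browser.visitedFirstParty.has(domain),
  },
  // Double-keyed jar (first-party isolation): cookies keyed by
  // (top-level site, cookie domain), so third-party requests only see cookies
  // that were set under the same top-level site.
  doubleKeyed: {
    key: (topSite, domain) => `${topSite}|${domain}`,
    thirdPartyAllowed: () => true,
  },
};

class Browser {
  constructor(policyName) {
    this.policy = policies[policyName];
    this.jar = new Map();                // key -> Map(cookie name -> value)
    this.visitedFirstParty = new Set();  // domains that have been in the URL bar
  }
  // Navigate to `domain` as a first party.
  visit(domain) {
    this.visitedFirstParty.add(domain);
  }
  // A response from `domain` sets a cookie while `topSite` is in the URL bar.
  setCookie(topSite, domain, name, value) {
    if (topSite !== domain && !this.policy.thirdPartyAllowed(this, domain)) return false;
    const key = this.policy.key(topSite, domain);
    if (!this.jar.has(key)) this.jar.set(key, new Map());
    this.jar.get(key).set(name, value);
    return true;
  }
  // Cookies attached to a request to `domain` issued by a page on `topSite`.
  cookiesFor(topSite, domain) {
    if (topSite !== domain && !this.policy.thirdPartyAllowed(this, domain)) return new Map();
    return this.jar.get(this.policy.key(topSite, domain)) || new Map();
  }
}

// The probe: a page on attacker.example embeds
// <img src="https://social.example/login.php?next=/favicon.ico">. The server
// redirects to the image only if a session cookie arrives, so the embedding
// page's onload fires exactly when the cookie was attached.
function probeLeaksLoginState(policyName) {
  const b = new Browser(policyName);
  b.visit("social.example");   // user logs in as a first party
  b.setCookie("social.example", "social.example", "session", "constructed-session-id");
  b.visit("attacker.example"); // later opens the probing page
  return b.cookiesFor("attacker.example", "social.example").has("session");
}

// Expected: { allowAll: true, blockThirdParty: false,
//             blockUnlessVisited: true, doubleKeyed: false }
function leakByPolicy() {
  const out = {};
  for (const name of Object.keys(policies)) out[name] = probeLeaksLoginState(name);
  return out;
}
```

Only the policies that refuse to attach the first-party session to a cross-site request defeat the probe; the "visited as first party" exception leaks precisely for the sites a user is most likely to be logged in to.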

------
mdesq
Using uBlock Origin and Privacy Badger defaults, it only showed me as logged
into Hacker News.

~~~
wink
Same for me, plus Slack. What it didn't notice: Reddit, GMail, Github, Paypal
and maybe more.

------
instakill
Scary. Netflix is showing logged out though, whereas I'm actually still logged
in.

~~~
r3bl
Yeah, it kind of shows conflicting results to me too.

While it correctly identified me being logged into HN, Medium, and Amazon, it
completely missed reddit, GitHub, Twitter, Facebook, etc. I'm assuming it
missed them because of me running Privacy Badger, but I'm kind of negatively
surprised that Privacy Badger failed to protect me from those three I
mentioned.

------
cha-cho
Pretty compelling information. Two observations: 1) No LinkedIn. Are they on
top of the problem? 2) I had fun results with the Epic Privacy Browser.

~~~
Capira
Couldn't find a redirect on LinkedIn that redirects without prompting you to
log in again... Can you?

------
lensi
Blocking third-party cookies gives you full protection in this and other
situations without any major annoyances.

Other subcomments here mention it, but every time this comes up it seems most
people (including the article) aren't aware that blocking 3rd party cookies is
a super easy fix and IMHO should be the default of browsers.

I've only ever had issues with this at my banking site because they use a
third party to host their solution (workaround is opening the iframe). But I
am now going to ask them to fix this (I guess all it requires is a subdomain
pointing to the third party?).

Please help spread the message and ask trouble web sites to fix their shit or
if I'm completely wrong, educate me and let's move things forward.

------
bhauer
This is the first I had heard of GETs to login pages executing a redirect when
the user is already logged in. I wasn't aware that so many did this.

Virtually every application I have built will render a simple response saying
"You are already logged in" if you GET the login URL with an active session.
As I understand the exploit, if a non-image is returned, the script assumes
you are not logged in.

What value is there in redirecting a GET if you're already logged in? You
redirect when the login form is submitted as a POST.

~~~
detaro
2 tabs open. I log in in one of them, then follow a link in the other that
points to the login page with a redirect to something that requires login.

or

2 tabs open, I follow links to the login page on both. Log in in one, F5 the other.

------
sua_3000
Can someone explain how this is NSFW? Is it because it's scraping for logins
which looks suspicious?

~~~
maket
I'm guessing from other comments that it checks logins on a wide variety of
sites, some of which may be NSFW. Some employers might not like you accessing
NSFW sites.

~~~
frederikvs
Correct, among others it checks YouPorn. For this check it needs to send a
request to that domain, which may get flagged in certain corporate IT systems.

~~~
jacquesm
That would be a pretty crappy check then. After all _any_ webpage could embed
that favicon.

~~~
ghurtado
Any page could also embed anything else NSFW, such as actual porn videos. The
assumption is that these sites are generally NSFW by association.

What would you propose instead?

~~~
jacquesm
If a filter is set up to not just block access to, but also flag based on,
something as trivial to embed as a URL, one would hope the technology would be
a little bit more involved than a single hit on a .ico file for a flag.

~~~
ghurtado
A web filter / proxy does not have any way to tell whether any individual HTTP
request was requested as a result of HTML embedding, bookmarking, user entry
or clicking on a link.

~~~
jacquesm
Exactly. So it shouldn't be used to 'flag' any employees.

~~~
ghurtado
If your position is that monitoring HTTP traffic is useless because favicons
can be embedded into webpages, what method would you propose to monitor
employees' browsing habits then?

Furthermore, how would you monitor the HTTP traffic of suspected terrorists?
After all, anyone can embed an image to "www.isis.com/blackflag.jpg" into any
webpage, so shouldn't we stop monitoring all such traffic?

Your original assertion was that "it's a pretty crappy check", but I think
what you are missing here is that _it's the only possible check_, minor
irrelevant flaws and all.

~~~
jacquesm
No, it isn't the only possible check, but besides that the 'HTTP traffic of
suspected terrorists' will be nicely encrypted in a way that you won't be able
to intercept the URLs.

Lots of fearmongering here. If you want to monitor your employees' browsing
behavior then you're going to have to supply them with the hardware they do
the browsing on, lock that hardware down and install some nannyware to do the
monitoring. That way you won't have to MITM each and every connection _and_
you'll have a more secure setup overall.

------
tomvangoethem
Attaching cookies to third-party requests is the source of many issues. In a
similar demonstration [0], I showed that browser-based timing attacks (which
can probably be considered as wont-fix as well) can be used to extract more
specific information from social networks (e.g. one's political preference
based on who they're following).

[0]: [https://labs.tom.vg/browser-based-timing-attacks/](https://labs.tom.vg/browser-based-timing-attacks/)

------
DanielStraight
I don't know if anyone will read this at this point, but if you're going to
proof-of-concept an exploit, please make that clear in the title or have an
opt-in step with an explanation of what it will do like the EFF uses on
[https://panopticlick.eff.org/](https://panopticlick.eff.org/)

I do not appreciate being tricked into running your exploit proof of concept,
especially when you put content in it that I otherwise would not have clicked.

------
morinted
Nifty, with Firefox containers each one shows the "mode" I'm in. Hackernews
for default container, personal has my Google world + open source + Dropbox,
work has my work's Gmail world, and shopping has my Amazon account. It's like
a verification that containers work!

------
ge96
How does this work?

I think I get the basic concept of calling redirects to various sites from the
page, probably back-end, like with PHP, cURL maybe?

I just don't get how you'd keep track of where it goes after the redirect
(trying a link) since you would now be on Facebook's site, for example.

~~~
proaralyst
There's an explanation further down the page, but essentially the redirect
they choose is an image. You can tell if an image loaded successfully using
JS, so if the redirect succeeds, that JS fires. If it fails (because the login
page isn't an image), some other JS runs instead.

~~~
ge96
Oh okay, that makes sense. It's like those tracking/analytics where they know
where a person came from previously to follow their "thought pattern" that is
something I'm not 100% in either.

------
fwn
Keep in mind that it doesn't show the icons at all if you're using a
content blocker and have activated Fanboy’s Annoyance List.

This is because the critical resource is named "/socialmedia-leak/socialmedia-
leak.js".

~~~
adregan
Thanks. I just enabled Fanboy’s Annoyance List in uBlock Origin. I haven't
spent any time digging through that filter list, but I'm now interested. Any
other recommendations or resources?

~~~
fwn
Personally I went with EasyList and local EasyList against ads, Fanboy’s
Annoyance and Anti-ThirdpartySocial because social media integrations
generally annoy me. EasyPrivacy and Fanboy’s Enhanced Tracking List for
privacy as well as the Adblock Warning Removal List and this cool thing
against the EU cookie failure:
[https://raw.githubusercontent.com/r4vi/block-the-eu-cookie-shit-list/master/filterlist.txt](https://raw.githubusercontent.com/r4vi/block-the-eu-cookie-shit-list/master/filterlist.txt)

It's not very complete, though.

~~~
mp3geek
Why does it generally annoy you?

~~~
fwn
If I want to share content on a social platform I just copy the link and post
it wherever I like. I don't need slow, endless lists of tiny buttons to nudge
me into something.

------
a3n
So, did I just make all those sites that I'm not logged in to aware of my IP
address? And if I didn't have ad blocking, would I then be seeing ads "of
interest to" people who visit those sites?

------
CapitalistCartr
Well, it's good to see it's partly wrong for me. It shows HN correctly, but also
shows me logged in to Facebook and Tumblr, not correct. And not logged in to
Gmail, which I am. Still, it's a dangerous flaw.

~~~
posterboy
How is being shown logged in any good when it's not true? Wasn't there also
something about Facebook creating accounts for people based on their 3rd party
promotion link-ins and what not?

------
Joof
Can't get this to work. Turned off ublock origin, but still using https
everywhere and blocking third-party cookies (for a recently discovered attack
that utilizes cookies).

------
throwaway049
It says I'm not logged into any of its sites. Chrome on Android 6. No special
privacy measures. I am logged into a few sites in the browser, including this
one.

------
nodesocket
Couldn't this be fixed by storing a cookie instead of using ?next= in the
query string?

For example:

    if(!auth) {
        setCookie('next', '/url-here', 1h);
    }
    redirect(login);

Login page action:

    if(cookieExists('next')) {
        next = getCookie('next');
        deleteCookie('next');
        redirect(next);
    } else {
        redirect('dashboard');
    }

~~~
detaro
Could easily muddle state with multiple tabs though, query string is clearer.
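
An added example (not code from this thread) modelling the fix bhauer describes further up: the login GET never redirects, while `next` stays in the query string as detaro prefers and is validated before use. The handler names, the session store, the credentials and the request objects are all constructed for the demonstration.

```javascript
// Added example, not code from the thread: a login endpoint modelled as pure
// functions so the leaky behaviour and bhauer's fix can be compared without a
// server. Requests/responses are plain objects; session ids are constructed.
const SESSIONS = new Set(["constructed-session-id"]);      // valid session ids

function isLoggedIn(req) {
  return SESSIONS.has((req.cookies || {}).session);
}

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Accept only a relative, same-origin path as the post-login destination:
// no absolute URLs, no protocol-relative "//host", no backslash variants.
function safeNext(next, fallback = "/dashboard") {
  if (typeof next !== "string" || !next.startsWith("/")) return fallback;
  if (next.startsWith("//") || next.includes("\\")) return fallback;
  return next;
}

function loginForm(next) {
  return `<form method="POST" action="/login.php">` +
    `<input type="hidden" name="next" value="${escapeHtml(next)}">` +
    `<input name="user"><input name="password" type="password"><button>Log in</button></form>`;
}

const html = body => ({ status: 200, headers: { "Content-Type": "text/html" }, body });

// Leaky pattern: GET /login.php?next=... with an active session answers 302 to
// `next`. An <img src="https://site/login.php?next=/favicon.ico"> on any page
// therefore loads only for logged-in users (and `next` is an open redirect).
function loginGetVulnerable(req) {
  if (isLoggedIn(req)) {
    return { status: 302, headers: { Location: req.query.next || "/dashboard" }, body: "" };
  }
  return html(loginForm(req.query.next || "/dashboard"));
}

// Hardened (bhauer's behaviour): a GET never redirects. Logged-in users get a
// page, anonymous users get the form; both are HTML, so an <img> probe errors
// in either state. `next` stays in the query string, which detaro prefers over
// a cookie for multi-tab use, but it is validated before it is ever emitted.
function loginGetHardened(req) {
  const next = safeNext(req.query.next);
  if (isLoggedIn(req)) {
    return html(`<p>You are already logged in. <a href="${escapeHtml(next)}">Continue</a></p>`);
  }
  return html(loginForm(next));
}

// The redirect belongs on the POST, after the credentials have been checked.
function loginPostHardened(req) {
  const { user, password, next } = req.body || {};
  if (user === "alice" && password === "constructed-password") {
    return { status: 302, body: "", headers: { Location: safeNext(next),
      "Set-Cookie": "session=constructed-session-id; HttpOnly; Secure; Path=/" } };
  }
  return html("<p>Login failed.</p>" + loginForm(safeNext(next)));
}

// What the probing page's <img onload/onerror> sees: onload only when the
// response is a redirect to the image, onerror for any HTML response.
function probeObserves(resp) {
  const loc = (resp.headers || {}).Location || "";
  return resp.status === 302 && loc.endsWith("/favicon.ico") ? "onload" : "onerror";
}

// Run the probe against both handlers, logged in and logged out (constructed).
function compareHandlers() {
  const probe = { query: { next: "/favicon.ico" } };
  const loggedIn = { ...probe, cookies: { session: "constructed-session-id" } };
  const loggedOut = { ...probe, cookies: {} };
  return {
    vulnerable: [loggedIn, loggedOut].map(r => probeObserves(loginGetVulnerable(r))),
    hardened: [loggedIn, loggedOut].map(r => probeObserves(loginGetHardened(r))),
  };
}
```

Against the vulnerable handler the probe sees onload for a logged-in user and onerror otherwise; against the hardened one it sees onerror in both states, so nothing about the session is disclosed.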

------
rosalinekarr
This 'fingerprint' changes as you log in and log out of various services, so
it's not very reliable for uniquely identifying users. Regardless, it could
still be used to profile you and then target content accordingly. For example,
if you're logged into Hacker News, you're probably a programmer and you're
probably more interested in an ad for web hosting than wedding dresses, and
vice versa for Pinterest.

~~~
Capira
This is a more irrevocable persistent fingerprint:
[http://ubercookie.robinlinus.com/](http://ubercookie.robinlinus.com/) :)

------
edibleEnergy
Recorded the network requests (from incognito) for fun with BugReplay, (the
webapp I've been building for a bit over a year) here:
[https://app.bugreplay.com/shared/report/acf38fbd-f2e1-41c7-9b23-4031d9317d2b](https://app.bugreplay.com/shared/report/acf38fbd-f2e1-41c7-9b23-4031d9317d2b)

------
mp3geek
Not sure how many false positives this will cause, but it's fixed in the
Enhanced Tracking list.

[https://github.com/ryanbr/fanboy-adblock/commit/2385fb0b2b2803db4424ab9eda64370123eef81e](https://github.com/ryanbr/fanboy-adblock/commit/2385fb0b2b2803db4424ab9eda64370123eef81e)

------
K0nserv
I have uBlock Origin in 3rd party deny mode and privacy badger and it still
detects me as logged in to HN, Reddit, Slack and Stack Overflow.

EDIT: Following diegorbaquero's advice[0] solved it

0:
[https://news.ycombinator.com/item?id=12692485](https://news.ycombinator.com/item?id=12692485)

~~~
speps
I had that and enabled the "Fanboy Annoyance list" in uBlock Origin and now it
says I'm on none of the platforms.

~~~
fwn
Keep in mind that this is an accidental fix due to a suboptimal naming choice
by the website author.

A better solution would be to disable third-party cookies in your browser
settings.

Sending the do not track request generally increases the ability to
fingerprint you, as adversaries tend to ignore its purpose anyway.

------
alexholehouse
So, interestingly, it had me logged in to reddit, but I don't actually have a
reddit account at all. Thoughts?

~~~
sdegutis
Why not go to reddit.com and see who it says you're logged in as?

~~~
alexholehouse
Nothing, because I literally don't have an account.

------
bugmen0t
Tracking like this does not work when you use Firefox with Containers :) See
[https://wiki.mozilla.org/Security/Contextual_Identity_Project/Containers](https://wiki.mozilla.org/Security/Contextual_Identity_Project/Containers)

------
fitzwatermellow
Quick fix: embed favicon in data-uri ;)

~~~
TazeTSchnitzel
<meta rel=icon>!

------
owenversteeg
Hmm weird, it correctly detected everything except for the false negatives of
PayPal, Tumblr, and Spotify. Taking a look at the mechanism I have no idea why
this would happen, and opening the relevant links in my browser gives the
favicon as it should. Weird.

------
xerophyte12932
So I logged out of facebook and tried this tool again. Apparently it still
shows that I am logged into facebook.

I tried opening different facebook pages and it detects that I am logged out
but the tool still thinks I am logged in.

Any guesses why?

------
stabbles
Maybe you could add this leak to your list as well:
[https://news.ycombinator.com/item?id=12695451](https://news.ycombinator.com/item?id=12695451)

------
smoyer
All it told me is that I'm a nerd ... So it was beaten by my wife and kids.

"You are logged in to: Github, Hacker News"

Interestingly, I have a legitimate use for the hack behind this idea.

------
im_dario
Using Brave Browser it gets Reddit and Flickr wrong for me. I'm not even
logged in on these.

On the other side, it doesn't detect Facebook. Only got Twitter right.

------
Retr0spectrum
It would be interesting to keep track of how common each particular fingerprint
is. It could potentially be used to identify an individual user.

------
eonw
What is happening is not legal in the US and a large porn website was sued for
doing it. They were printing hidden links on the page, then checking the color
with JS to see if you had visited the destination URL or not. The judge didn't
think it was a fair business practice. Maybe these companies are not fixing
this because of this legal precedent and figured no one was doing it?

------
JoeAltmaier
Works mostly! I'm logged into HN of course; it says I'm not. Also Steam.

It got Facebook, Gmail, Youtube, Dropbox right.

Using default browser IE 11 on Win7

------
bcheung
Haha, I like how you added just one porn tube site so that you can add NSFW in
the title. Nice click baiting. lol

------
dhimes
Hmm. This works in Firefox 49, but gets it quite wrong in Google Chrome 53.
I'm on Linux Mint 17.2 64 bit.

------
kchoudhu
Who the hell makes accounts on porn sites?

------
eriknstr
>You are logged in to:

>No platform

>(or you're using something like Privacy Badger)

I'm using uMatrix and uBlock Origin :)

------
caoilte
That's a fun website to look at through Gorhill's uMatrix plugin.

~~~
rasz_pl
or ContentBlockHelper

------
mgalka
Interesting, Instagram moved the favicon image but Facebook has not.

------
paulddraper
Doesn't seem to detect being logged in to Netflix.

Or at least not for me.

------
Anagmate
For me, it throws several false alerts (Twitter, Flickr and a few others). Is it
possible that it's caused by my browser extensions (uBlock Origin,
Disconnect)?

------
aswanson
Google is basically omniscient on a user-profile basis with years of search,
gmail, and youtube data on users. They should just write an algorithm and let
it send out job offers with no human intervention, just like search.

------
user5994461
Good news! It's blocked by uBlock Origin and noscript.

------
eximius
Hm. Doesn't seem to work on Chrome on Android.

------
metastart
Nothing shows up in my Epic Privacy Browser ;-D!!

------
chmike
What would be a possible fix to this problem ?

------
stanislavb
Nice work!

------
cs0
Nice, so now by using this I have an NSFW site logged in my workplace's DNS
log. Be careful if your employer checks such things.

~~~
joshmcmillan
Made the same mistake. "Maybe NSFW" isn't really clear – "makes a request to
YouPorn" is probably more fitting.

~~~
Declanomous
Yeah, I thought "Well I only log on to corporate email and HN on this
computer, so it's not going to drag up anything scandalous."

Our IT department LOVES complaining about users using the network
inappropriately, so I can look forward to a discussion with HR about this. I
guess I should have checked the comments first.

------
EJTH
Very simple and cool exploit. I wouldn't be surprised if this technique is
already in use on various ad platforms. A really simple pitfall I think most
of us can confess to having done in the past (redirect attributes are pretty
common in the wild).

------
rasz_pl
Is this a spoof? It is 100% WRONG for me on Vivaldi browser.

Says I'm logged in to FB and nothing more. I don't even have a bookface account,
but I do have gmail/YT/github/reddit and a few others open in the adjacent tabs
and fully logged in.

------
dimino
> without your consent

Untrue. I have given my consent. Why are these privacy posts _always_ using
some kind of nefarious and negative language?

