

Exploit to detect which Social Networks you are logged into - TomAnthony
http://www.tomanthony.co.uk/blog/detect-visitor-social-networks/

======
wingspan
The technique exploits the redirection mechanism of most login pages. Consider
the url "foo.com/login?redirect_after_login=%2Fimages%2Fspinner.gif". If you
put that url as the src of an img tag, and the user is logged in, some sites
will 302 you to the image. If you are not logged in, the src will be the login
page, and you can detect the difference with javascript.

Quote from the site:

 _What happens if you visit the login page with a ‘redirect on login’
parameter and you are already logged in? When implemented in a naive fashion
you are simply immediately redirected to the page specified in the parameter.
Some sites limit that parameter to being another page on the same domain, but
we’ll see that doesn’t help for this trick.

This mechanism is open to abuse in exactly the way I needed; I could set the
‘redirect on login’ page to be an image file on the same domain. For example:

<img src="https://twitter.com/login?redirect_after_login=%2Fimages%2Fspinner.gif" />

In this example, if I am logged in Twitter is kind enough to 302 redirect
me to the image file I specified, but if I am not logged in I am shown the
login page. It turns out that both Twitter and Google’s login mechanisms are
susceptible to exactly this trick. It seems LinkedIn and Tumblr are currently
immune to this, though I didn’t dig too deep so there might be another
redirect URL for them._
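
A server-side view of the behaviour quoted above, as an added example that is not part of the original comment, the linked post, or any site's real code: a login handler that only redirects to allowlisted HTML pages and serves the same login page to cross-site subresource loads whatever the session state. The function names, `SAFE_PAGES`, and the assumption that the framework has already URL-decoded the redirect parameter are all hypothetical.

```javascript
// Added example (constructed). SAFE_PAGES and both function names are
// assumptions for illustration, not any site's real code.
const SAFE_PAGES = new Set(["/", "/home", "/settings", "/messages"]);

// Returns the path to redirect to after login, or "/" when the requested
// target is not an allowlisted HTML page (for example /images/spinner.gif).
// Query strings are dropped; only the normalised path is compared.
function safeRedirectTarget(redirectParam) {
  if (typeof redirectParam !== "string") return "/";
  // Same-site absolute paths only: reject "//host", "/\host" and full URLs.
  if (!/^\/(?![\/\\])/.test(redirectParam)) return "/";
  let path;
  try {
    // Placeholder base; resolving also collapses "/a/../b" style segments.
    path = new URL(redirectParam, "https://placeholder.invalid").pathname;
  } catch {
    return "/";
  }
  return SAFE_PAGES.has(path) ? path : "/";
}

// Decides the response for GET /login.
// headers: request headers with lower-cased names; loggedIn: session state.
function handleLoginGet({ loggedIn, redirectParam, headers = {} }) {
  const site = headers["sec-fetch-site"];
  const dest = headers["sec-fetch-dest"];
  // A cross-site subresource load (<img>, <script>, ...) gets the login page
  // regardless of session state, so both cases look the same to the embedder.
  // Browsers that do not send Fetch Metadata fall through to the allowlist.
  const crossSiteSubresource =
    site === "cross-site" && dest !== undefined && dest !== "document";
  if (!loggedIn || crossSiteSubresource) {
    return { status: 200, body: "login-page" };
  }
  return { status: 302, location: safeRedirectTarget(redirectParam) };
}
```

With the allowlist alone, a logged-in request for `/images/spinner.gif` is redirected to an HTML page rather than an image, so an embedding `<img>` fails to load in both the logged-in and logged-out case.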

~~~
TomAnthony
Thanks for this. Annoyingly the site was offline a bit after making HN for
scheduled maintenance.

------
darth_static
It doesn't seem to detect logins if third-party cookies are blocked. I had all
third-party cookies blocked, and it didn't detect me logged into any of the
sites. Disabled blocking, and it detected me logged into Google and G+.

------
simcop2387
Seems to be overloaded still, anyone have any luck and can comment on how well
and what method it uses to work?

~~~
Kiro
Check the cached version:
[http://webcache.googleusercontent.com/search?q=cache:http://...](http://webcache.googleusercontent.com/search?q=cache:http://www.tomanthony.co.uk/blog/detect-visitor-social-networks/)

------
prophetjohn
I'm logged into all except Facebook and it told me I'm only logged into
Twitter.

~~~
chrisdroukas
Are you referring to the image on that page? If so, go here:

[http://www.tomanthony.co.uk/tools/detect-social-network-logi...](http://www.tomanthony.co.uk/tools/detect-social-network-logins/)

It's accurate for me.

~~~
prophetjohn
Ah, hell, I'm a smart one. In this case, yes, it works as advertised for me.

------
X-Istence
It didn't work, I am logged into all four yet it told me I was only logged
into Twitter.

~~~
TomAnthony
There is an image in the post to demonstrate the idea which records only
logged into Twitter, are you going to the actual demo page:
[http://www.tomanthony.co.uk/tools/detect-social-network-logi...](http://www.tomanthony.co.uk/tools/detect-social-network-logins/)

In hindsight - a bit confusing. :)

