
What is this useful for?



It helps you figure out if a user is signed into a social network. One might think this is not possible because of cross-origin restrictions, but this trick shows you how to bypass them.


Could you explain how this works? Er, I mean why only the re-direct to the favicon works?


The login page will redirect to the favicon if the user is already logged in, or it will serve a regular HTML page if the user is not.

So, the script creates an (invisible) <img> element for every website which points to the login page (which might redirect to the favicon). If it receives an image, the user is already logged in and the onLoad() callback will fire. Otherwise, it will get an HTML page, so the onError() callback will fire.

It could work with any image on the website, not just the favicon.


Though the redirect works only with images hosted on the same domain. The favicon was the only image I could find on twitter.com or facebook.com.

I reported this bug to every company listed there, but all of them said it is not relevant to their users' privacy.


Yeah, that's very critical information. Thanks, guys!


This is showing that I'm logged in to Facebook but I don't have an account there anymore.
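
A server-side mitigation for the login redirect discussed in this thread, as an added example that is not part of any comment here or of any listed site's code. The hypothetical `decideLoginResponse` uses the browser's Fetch Metadata request headers plus an assumed allowlist of redirect targets, so an `<img>` request gets the same answer whether or not a session exists.

```javascript
// Added example. Function names, routes and status codes are assumptions.
// Allowlist of redirect targets that are HTML pages, never images.
const SAFE_NEXT = new Set(["/", "/home", "/settings"]);

// True when the request is a cross-site subresource load (e.g. <img src=...>),
// judged from the Fetch Metadata headers that modern browsers attach.
function isCrossSiteSubresource(headers) {
  const site = (headers["sec-fetch-site"] || "").toLowerCase();
  const mode = (headers["sec-fetch-mode"] || "").toLowerCase();
  const dest = (headers["sec-fetch-dest"] || "").toLowerCase();
  if (!site) return false; // older browser: rely on the allowlist below
  const topLevelNavigation = mode === "navigate" && dest === "document";
  return site === "cross-site" && !topLevelNavigation;
}

// Anything outside the allowlist (such as /favicon.ico) falls back to "/".
function safeNext(next) {
  return SAFE_NEXT.has(next) ? next : "/";
}

// Decide what the login endpoint returns for one request.
function decideLoginResponse(headers, isLoggedIn, next) {
  if (isCrossSiteSubresource(headers)) {
    // Identical response for both session states: onload/onerror on the
    // embedding page then carries no information about the login status.
    return { status: 403, location: null };
  }
  if (isLoggedIn) return { status: 302, location: safeNext(next) };
  return { status: 200, location: null }; // render the login form
}

// Constructed sample requests (not captured traffic).
const IMG_PROBE = {
  "sec-fetch-site": "cross-site",
  "sec-fetch-mode": "no-cors",
  "sec-fetch-dest": "image",
};
const USER_NAVIGATION = {
  "sec-fetch-site": "cross-site",
  "sec-fetch-mode": "navigate",
  "sec-fetch-dest": "document",
};
const LEGACY_BROWSER = {}; // sends no Fetch Metadata headers

console.log(decideLoginResponse(IMG_PROBE, true, "/favicon.ico"));
console.log(decideLoginResponse(IMG_PROBE, false, "/favicon.ico"));
console.log(decideLoginResponse(USER_NAVIGATION, true, "/settings"));
console.log(decideLoginResponse(LEGACY_BROWSER, true, "/favicon.ico"));
```

For browsers that send no Fetch Metadata, the allowlist is what removes the signal: the redirect always ends on an HTML page, so the image load fails in both session states.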



