Hacker News new | past | comments | ask | show | jobs | submit login

The login page will redirect to the favicon if the user is already logged in, or it will serve a regular HTML page if the user is not.

So, the script creates an (invisible) <img> element for every website which points to the login page (which might redirect to the favicon). If it receives an image, the user is already logged in and the onLoad() callback will fire. Otherwise, it will get an HTML page, so the onError() callback will fire.

It could work with any image on the website, not just the favicon.




Though the redirect works only with images hosted on the same domain. The favicon was the only image I could find on twitter.com or facebook.com.

I reported this bug to every company listed there, but all of them said it is not relevant to their users' privacy.


Yeah, that's a very critical information. Thanks, guys!


This is showing that I'm logged in to Facebook but I don't have an account there anymore.




Consider applying for YC's W25 batch! Applications are open till Nov 12.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: