Show HN: Your Social Media Fingerprint (maybe NSFW) (robinlinus.github.io)
911 points by Capira on Oct 12, 2016 | 247 comments

This is why I use 'browser isolation', which is a way to separate different types of surfing activity into different buckets. Currently the best way to do this in Firefox is to create multiple profiles, or in Chrome, you can simply add a different user/persona.

Having one profile, or even an entire dedicated browser just for Twitter/FB ensures the login is not spilled over into other sites. If you're surfing the web heavily, I would recommend spawning a new private window so cookies, and other artefacts are not bleeding into your session.

It sounds like common sense, but many people have cookies and login information persisting for years at a time in their browsing sessions. The Mozilla Firefox team are planning to introduce a feature which makes compartmented surfing sessions a lot more user-friendly by separating sessions into tabs. Currently, the 'profiles' feature of Firefox is not user friendly and requires a bit of tinkering with the filesystem.

At risk of being depressing, it's worth knowing that a dedicated profiler can reconcile accounts across all of the protections you've mentioned - not just as a targeted attack, but algorithmically.

There are a lot of fingerprinting tricks which transcend cookie restrictions and user profiles. The battery percent/value one will reconcile all accounts on one device (as will several other like fonts). If you log into one bucket on multiple devices, it becomes possible to traverse devices and reconcile one-device profiles via the shared profile. If I were truly paranoid, I would only trust "separation" if it involved a clean account on a clean device on a clean network.

None of which is to say that you shouldn't do this! I do lots of privacy things which aren't bulletproof, and I think other people should also. Fighting common tracking structures is still progress, and tools like bucketing and Privacy Badger are great ways to do this.

It's just also worth noting that dedicated profiling will break all but the most pathological defensive measures.

What about virtualization? It seems to me that something like Qubes might not at present protect against this (I don't know what information is available to guest/isolated domains on that system), but could be made to? One can easily lie to a browser about battery status and fonts from the OS too, for example.

I guess my point is that it depends on what you view as pathological? I surmise that this is the kind of thing that needs an algorithmic countermeasure, such that systematic deception by user agents is no more difficult for the end user than browsing the web is currently.

It's very difficult to prevent side channel thumbprints—something as simple as traceroutes, wifi hotspots, caches (DNS, routing) can be uniquely identifiable. Add on top of this biometrics like how you type, how you move your mouse, etc, and it becomes very difficult to avoid concerted tracking efforts.

Of course, if you're not pissing off state actors, you're probably fine with qubes/tails.

if you're not pissing off state actors, you're probably fine

Thank you, this seems to be a point that is often ignored. Most of us don't need to hide our trail from a full wing of CIA analysts, just drive-by snooping and the like. (It of course doesn't help the Snowdens of the world)

I usually prefer to think of the middle case: someone with a grudge against me, who would love to blackmail me if they could get the dirt, and who has money to hire some blackhats and buy some zero-days and set up spear-phishing—but who doesn't actually have any access to the things that states get by default by sending fancy letters with Important Signatures.

It's interesting to work through the case of an absurdly rich private actor, because it works out differently for different companies; for some, they can just get a "man on the inside" to leak out your data easily enough, while for others (e.g. Gmail) the employees themselves aren't trusted to access user data, and have been firewalled/ACLed away from it to prevent just such intrusions. State actors get pretty much the same "help" from every service (save for the rare Lavabits of the world) but corporate actors get a rather unpredictable response landscape.

Presuming you are being pursued by a state actor, isn't using a computer at a library or Internet cafe enough to thwart most of that? Especially if you're using asynchronous store-and-forward protocols like NNTP or Freenet, where you can be long-gone from wherever the computer you used was, before anyone else ever sees "your" activity.

I remember at least one security expert commenting that if he ran an actual attack, his precautions would be "sitting in a computer lab using a stolen library card". Physical anonymity is by far the best cure for some of these things.

Very interesting list, thank you. I will have to read up on this subject in greater depth.

Qubes VMs cannot get the battery state. Assuming that the user didn't install custom fonts, the font list should be the same across all the installs.

I think Qubes closes most of the low hanging fruit in this space, but completely preventing fingerprinting is very hard and there are probably ways to leak identifying info.

Indeed, you can take this a step further and assign each bucket its own VPN, with JS turned off to minimize fingerprintability. You can even setup multiple virtual machines with multiple screen resolutions on each to further divide up your sessions, making your surfing modified beyond recognition. It might take a weekend or two to wrap your head around VMs and VPNs, but it's worth it.

Also, if you're paranoid about your VPN provider spying on you, you can install HTTP nowhere: https://addons.mozilla.org/en-US/firefox/addon/http-nowhere/ to further compartmentalize the risk of spying. DNS, however is tricky to obfuscate, so I would recommend surfing under broad and generic domains, like TWITTER.com and places like REDDIT.com which often scrape and proxy the content from other sites so you don't need to visit those sites explicitly.

but is that in itself not another signature in a fingerprint?

Not necessarily. The amount of bits needed to fingerprint somebody is substantially lowered doing this, and although you stand out by taking extra steps like this, it's substantially better than a large portion of the configurations you do see.

Of course if your threat model is such that nation states are targeting you, either passively, or actively, then TOR is fitting in most cases, but TOR can prove to be overkill in most cases.

For example, if I'm surfing a website which blocks TOR, I can use a JonDoFox[1] profile to visit a website with a VPN, and achieve better-than-most anonymity for my needs, albeit not as rigorous as what TOR provides, but at least my connection has rudimentary protection from passive eavesdropping.

Keep in mind, VPNs are a countermeasure only and do not provide perfect privacy, but you can lessen the information gathered using the techniques I outlined. Surf under generic domains, and block traffic downloaded en clair.

[1] https://anonymous-proxy-servers.net/en/jondofox.html

The problem is that even if the number of bits on the fingerprint shrink, you're also lowering the selection size.

It's a tradeoff, you can overdo it and certainly end up less anonymous than before.

A bigger fingerprint might make it easier to identify you but if there are more fingerprints, there might also be more fingerprints that are exactly the same, thus being drowned by the mass.


Another trick is to change or settle for one very common user-agent across all browsers, and to run them with differently sized windows.

At this point you may as well just go full rms and use wget to download pages which you then read offline.

Would it be possible to make a browser plugin to do exactly that?

Well why?

Be sure to use a common window size, though. If you pick a nice size with your mouse (as I always do), your window size is almost certainly unique when paired with just a few more bits of info.

it found nothing for me and I don't do anything pathological

This page didn't, because it only profiles third party cookies - that is, your browser explicitly admitting which sites you're logged into. Privacy Badger, Disconnect, or uBlock will all handle that, as will simply disabling the browser setting.

That was pretty much my point: this is a "nice" profile. One that targets unintentionally identifying image like browser window dimensions can easily track you despite all of those precautions.

It's only in testing right now, but Firefox Nightly has "Containers" so you can exactly have different "buckets" for different types of browsing - https://wiki.mozilla.org/Security/Contextual_Identity_Projec...

What I really want is something like this and it opening containers automatically based on url sets.

So going to facebook would go to the facebook set automatically and isolate facebook. But I don't have to manually open the "facebook profile" to do the switch. Same with twitter, amazon, google*, youtube, apple, etc.

If you have multiple accounts, you can have the interface pop up a "choose your subcontainer" automatically with the new google container or whatever. All browsing in that container would then stay in that subcontainer until you close it.

After Firefox adds this, wouldn't that be a relatively simple plug-in? Just maintain a list of known info greedy URLs? (Note, not a tracker blocklist)

Yeah, as long as it only activates that container based on typing in facebook or going to a bookmark, not just any random site hitting that URL. Which would then probably break following links to those sites - could you trigger it based on a normal navigation to that domain, but not based on some other site trying to fetch an image from it out of the blue?

and deny other containers from embedding facebook urls?

If you want. Put it as a checkmark option?

Yes! I use and love containers.

For anyone wanting to do this, the profile and no-remote command line options[1] may be useful if you want to create shortcuts to launch specific profiles.

You might also want to consider using a different theme[2] in each profile to help avoid mixing them up if you're running multiple instances simultaneously.

My initial use case for this was adding the lets encrypt staging certificate authority to the trusted root certificate authorities in a profile only used for testing.

[1] https://developer.mozilla.org/en-US/docs/Mozilla/Command_Lin... [2] https://addons.mozilla.org/en-US/firefox/themes/

I also use separate browsers for some stuff, but these two addons are a must:

https://addons.mozilla.org/sv-SE/firefox/addon/self-destruct... together with https://addons.mozilla.org/sv-se/firefox/addon/i-dont-care-a...

Slightly easier way is to use the Disconnect/Privacy Badger extensions, along with uBlock Origin. It does a lot to prevent cookies from leaking across sites.

I use all 3 of those and a few others, yet it still detected quite a few sites I was logged in to.

If you're still worried, I'd take the time to learn and use uMatrix (https://github.com/gorhill/uMatrix) in addition to uBlock. For me, uMatrix has replaced Privacy Badger and other similar addons because they're no longer needed. It requires a bit more effort to maintain though.

Yeah. I use those, and this site doesn't do anything AFAICT.

> It sounds like common sense, but many people have cookies and login information persisting for years at a time in their browsing sessions.

If it requires quite a bit of domain knowledge (almost everything in security does), it's not 'common sense'.

I use the http://qupzilla.com/ browser because each private window is a new session, no cookies are shared between windows.

Great advice. I use Chrome for Google, twitter, and Facebook, and another browser for everything else. This isn't quite as good as your approach, but gives me some web platforms isolation.

I was horrified to find I'm logged in to FB with my 'common' cookie jar. At least that explains the recently increased accuracy of its targeted ads.

I only ever log in to Facebook in private browsing mode.

I only ever log into Facebook via a VPN to a remote VPS using a private window on a browser I don't use for anything else. And also...

    Chain OUTPUT (policy ACCEPT 6309 packets, 599K bytes)
     pkts bytes target     prot opt in     out     source               destination
      330 19800 REJECT     all  --  *      *              match-set block-facebook-ips dst reject-with icmp-port-unreachable

I have an ipset that matches FB networks.

Yikes. Sounds easier just to not use Facebook.

Therein lies the problem: all those Facebook widgets on various 3rd party websites are used to track you. If you block FB's network ranges then it gets much harder for them to do that.

In effect you are "using" Facebook whether you want to or not; this is the issue some people have with shadow FB profiles.

Careful, too strict and you'll start to be identifiable from your conspicuous lack of identifiable information ;)

I always use incognito mode but apparently I must have inadvertently logged in to a regular frame at some point. Horrified!

Shouldn't disabling 3rd party cookies also prevent this kind of attack? The request for the facebook/twitter favicon is being made from a non-FB/TW page and so the login cookie won't be sent.

This would depend upon how the browser implements its 3rd party cookie blocking. If it only blocks setting cookies, but still allows existing cookies to be sent, then there would be no protection.

I've had a fantasy of not just using different browser profiles (effectively) for each site, but routing requests for each site through a different personally-run cloud-hosted proxy.

Someday maybe I'll get around to setting it up. Maybe.

Or you can enable basic privacy settings on about:config, NoScript, etc. I get "No platform" both on my phone and Desktop (though I don't have any social networks, I created a Facebook account to test).

Firefox Nightly has container tabs available right now and they are fantastic! Only thing missing is a shortcut / better way to open a different type of container tab.

Lately I've been using Opera Incognito with free builtin VPN for all general browsing and I highly recommend it. (I use Chrome to stay logged in to email).

This seems like a good plan. However I find it funny that one would use Chrome and be concerned about sites gathering information about you.

FYI, it's very NSFW in the back-end. Your browser is sending requests to obvious porn servers when you hit this link so it can test if you're logged in to them.

A more SFW version (took out YouPorn):


This version connects to squareup.com, twitter.com, www.facebook.com, accounts.google.com, accounts.google.com, plus.google.com, login.skype.com, www.flickr.com, www.spotify.com, www.reddit.com, www.tumblr.com, www.expedia.de, www.dropbox.com, www.amazon.com, www.pinterest.com, www.netflix.com, de.foursquare.com, eu.battle.net, store.steampowered.com, www.academia.edu, stackoverflow.com, accounts.google.com, github.com, medium.com, news.ycombinator.com, carbonmade.com, courses.edx.org, www.spiegel.de, slack.com, www.khanacademy.org, www.paypal.com

This one actually works for me! The other said that I was using Privacy Badger since it couldn't detect anything. I'm not, but I am using uBlock Origin. This one is only wrong about a couple (it doesn't register, for example, that I am logged in to G+, Khan Academy, Steam, Amazon, PayPal, or Skype).

You can actually have privacy badger black all of this if you play around with the settings.

I mean I think it's too much to ask for a tool to be able to block everything right without a little human assistance.

Doesn't uBlock have a filter specifically for privacy (off by default I believe)?

I actually had several of the extra filters enabled already, but only once I added "Fanboy's Enhanced Tracking List"[0] did uBlock Origin successfully block this technique. I'm not sure whether any of the other filters would accomplish the same result.

After enabling this filter, 0942v8653's version also failed.

[0] https://www.fanboy.co.nz/enhancedstats.txt

It has several you can choose from in fact, can be enabled in the options pane.

Thanks for the SFW version. Nice to see that uMatrix is doing its job quite well and as expected.

FWIW, Spotify doesn't seem to get recognized properly. I am definitely logged in and it should show up when all my browser protections are disabled. HN showed up when I disabled everything, but not Spotify.

Yeah, that would've been nice to know ahead of time. Why not, for example, trigger the test when someone clicks a button, rather than taking someone's page visit as permission to try lighting up their organization's content filter?

I think it helps in conveying the fact that it is a vulnerability not a feature.

So any website (even your own company's internal one) can check stuff like this. And you can't do anything about it. Other than always using private browsing for anything you don't want your company/anyone else to know about.

I mean, if somebody is logged into YouPorn from work, that's not a problem I expect the developer of a tool like this to solve. What I expect the developer of a tool like this to do is not create problems by just arbitrarily making HTTP requests to porn sites without a prompt or a chance to opt out. That's a dick move.

When I first read that it was making these requests here in the comments, my reaction was similar. But then upon reflection, I don't think there's a problem for the author here. Why? Because all I did was click the link. Meaning if I was behind a corporate firewall or the like, this sort of thing could be happening all the time and unless I was always tracing requests in my browser or via MITM or logging DNS, I'd have no way of knowing.

Personally I view this as a browser and/or protocol issue (the kind that has trickled down from the origins of the web) and really can't fault the author for it. In fact I think it's appropriate the author left these requests in as it reflects an actual attack scenario better perhaps.

The point I'm making is that it's not necessary to hit a porn site in order to get the point across, and there are HN users whose organizations observe and don't care for that kind of thing.

Then how can such organizations handle other people randomly putting references to porn sites on their websites? With today's Internet being what it is, you can't assume that a request to YouPorn means someone is browsing porn at work. For all you know, the request could have been sent by an ad.

Then again, businesses in general aren't exactly paragons of intelligence either, so I wouldn't be surprised if someone made a fuss about it...

Absolutely!... If your company is doing web filtering, it will report an attempted hit from your browser to the YP site.

Yet another inequality to throw in the hopper

In bird culture, this is considered a dick move.

I believe using private browsing wouldn't matter. The IP I'm browsing from is still going to try pinging all those porn servers, and that's what's getting logged in the filter, not my browser history.

In my second paragraph, I was actually talking about your company sending such requests to know what you are logged into. Doesn't matter if you're using it right now. If you're logged in from days before, your cookies will be there. In incognito they won't be.

Privacy Badger will stop that tool if you edit the settings.

What a surprising problem. If the boss mistakenly accuses you of watching porn - why not explain why they're wrong and show them the site? If they won't accept that, then it means you're in danger with any web surfing you do at work and should already not be clicking random links. It's not the site's fault, it's your company's fault and your own for not protecting yourself against breaking their rules.

Personally, the idea that there's a network my traffic flows over, where that traffic is sniffed such that its content could potentially result in things like me losing my job, is just debilitating to me.

If I worked for such a company, all my traffic would be flowing over a VPN, full-stop.

> If I worked for such a company, all my traffic would be flowing over a VPN, full-stop.

When you work for such a company, all VPNs are blocked and prohibited, full-stop.

Source: worked for such a company

Pretty standard in any reasonably secure financial services org.

All direct Internet access is blocked and prohibited, with all attempts to access the Internet (tcp/80, tcp/443) transparently proxied via Bluecoat/Websense/Forcepoint/etc proxies, which filter based on URL categorisation. WSS generally doesn't work in this kind of environment. Everything else is dropped.

Any attempt to bypass filtering is a violation of IT policy and is sackable. Visiting sites that are blocked gets logged, doesn't generally get flagged up unless it is a daily occurrence, and the first assumption is usually malware.

Source: Worked for several such companies, was responsible for perimeter security in some.

Tried it and... imagine my disappointment to find out it's ONLY connecting to youporn.

"very NSFW" and "serverS" were overstatements.

This is definitely NSFW if your workplace monitors the domains you connect to.

The monitoring must have funny statistics with all the ads going to <explicitdomain>.com

I figured "warn first, confirm the details later".

Corporate IT admins, care to comment here? If you see a single connection to youporn, do alarm bells go off?

Yes, we initiate protocol zero once the sirens sound off.

IT team then calls in air support

Yes, and then we bring out the fire hoses

No one is actually watching.

I removed the request to Youporn. Sorry if it caused any trouble.

Well, that was not very nice. Should have asked confirmation. I clicked on the link thinking there would be an explanation of what this project does.

The firefox and tor devs are cooperating to upstream a tor browser feature that isolates cookie stores and similar things based on the domain shown in the URL bar[0]. Available in nightly by enabling privacy.firstparty.isolate = true in about:config.

Additionally they're also working on a more customizable version of that called contextual identities[1], which eventually will also be manageable by extensions[2].

And of course addons that block cookies in cross-origin requests or cross origin requests in general such as µmatrix[3] also plug this hole.

[0] https://bugzilla.mozilla.org/show_bug.cgi?id=1260931

[1] https://blog.mozilla.org/tanvi/2016/06/16/contextual-identit...

[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1302697

[3] https://github.com/gorhill/uMatrix

In Chrome: Settings > Privacy > Content Settings > Tick 'Block third-party cookies and site data'

Also set 'Send a "Do Not Track" request with your browsing traffic'

And install uBlock Origin, ofc.

As somebody who tried to build code respecting "Do Not Track" preferences, I have to say that feature, while well-intended, is a complete farce.

Chrome, Safari, Firefox, IE9, IE10, and IE11 all use different APIs for Do Not Track [1], so a front-end developer has to do a lot of extra leg work to check if the user has the preference set.

I find it highly unlikely that most companies would go through the effort of respecting Do Not Track.

[1] https://developer.mozilla.org/en-US/docs/Web/API/Navigator/d...

The main behaviour is to add the DNT: 1 HTTP header. The JavaScript APIs are just a bonus to perhaps avoid sending unnecessary information. (But yes, it’s still a silly feature, because having to go out of your way at all to respect DNT isn’t really worth it.)

Wow. I am surprised at how many different ways Firefox, Safari, and IE9/10/11 implement an API as simple as navigator.doNotTrack.

This almost seems like a case of defective by design.
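As an added example (not code from the thread, and not any browser's or vendor's API surface beyond the property names the comments above refer to), here is a small normalizer for the two places the preference shows up: the DNT request header on the server side, and the per-browser script properties (navigator.doNotTrack, which older Firefox reported as "yes"; window.doNotTrack in Safari; navigator.msDoNotTrack in IE9/10). The navigator and window objects are passed in as parameters so the functions can be exercised outside a browser; the sample inputs at the bottom are constructed.

```javascript
// Added example: normalizing the Do Not Track signal across its variants.
// Not from the original thread; property names follow the MDN page the
// comments link to, sample inputs are constructed.

// Server side: true when the client sent "DNT: 1". Header names are
// case-insensitive; Node lowercases them, other frameworks may not.
function dntFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'dnt') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Client side: fold the vendor-specific properties into one boolean.
// "1" is the standard value; "yes" is what older Firefox exposed.
// Anything else ("0", "unspecified", undefined) means no preference stated.
function dntFromScript(nav, win) {
  const raw = nav.doNotTrack ?? win.doNotTrack ?? nav.msDoNotTrack;
  if (raw === undefined || raw === null) return false;
  const v = String(raw).toLowerCase();
  return v === '1' || v === 'yes';
}

// The header is the signal that actually reaches the server, even with
// scripts disabled; the script-side check only avoids sending data that
// would be discarded anyway.
function shouldHonorDnt(headers, nav = {}, win = {}) {
  return dntFromHeaders(headers) || dntFromScript(nav, win);
}

// Constructed sample inputs covering each variant.
const samples = [
  { label: 'header only',      headers: { DNT: '1' }, nav: {}, win: {} },
  { label: 'old Firefox',      headers: {}, nav: { doNotTrack: 'yes' }, win: {} },
  { label: 'Safari-style',     headers: {}, nav: {}, win: { doNotTrack: '1' } },
  { label: 'IE9/10-style',     headers: {}, nav: { msDoNotTrack: '1' }, win: {} },
  { label: 'no preference',    headers: {}, nav: { doNotTrack: 'unspecified' }, win: {} },
  { label: 'explicit opt-in',  headers: { dnt: '0' }, nav: {}, win: {} },
];

function summarize() {
  return samples.map(s => ({ label: s.label, dnt: shouldHonorDnt(s.headers, s.nav, s.win) }));
}

console.table(summarize());
```

Treating the header as authoritative is the design choice here: the script properties can be absent, renamed, or spoofed, while the header is the one thing a server sees regardless of client-side state. Whether to honor it at all is a separate decision, which the comments above and below make clear is the real weakness of the feature.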

3rd party cookies should be disabled by default in all browsers. It significantly improves your privacy with minimal impact.

After many years of blocking 3rd party cookies the only thing that's broken for me is my bank's bill pay system, which is an iframe of a 3rd party service.

I whitelisted bandcamp because some bands use custom domains.

heh, same here. I can't use my bank's e-billing website.

Try opening the iframe directly.

Also, complain to your bank.

Or just whitelist that one.

At a minimum, though, please block third-party cookies and site data.

I have pretty minimal customizations and plugins on browsers—very few plugins, no ad-blocking, no security or privacy enhancements.

I've had third-party cookies blocked for a long time now and there aren't any sites or logins that break down with them disabled (that I've encountered).

On the plus side, though, you don't have to worry about this crap. I'm logged into several of these sites and none of them show as leaked.

Personally, I don't set the DNT header.

You have no way of knowing if any sites are actually going to comply, and it actually provides an extra datapoint to fingerprint you with.

There are 100s of ways to fingerprint the browser and more exactly. I think it is better to set it for the few that comply.

That's true, but they usually require running javascript etc.

Looking at the request headers is the simplest way of fingerprinting.

But isn't it better to at least ask instead of not asking at all?

As I said, simply asking for it will actually reduce your privacy for any service that doesn't comply, by making you more fingerprintable.

But there is some pressure on companies to comply. Plus they can't use the defense that you could have enabled it and chose not to.

It's pretty obvious the default should be the opposite to avoid a race condition like that.

It was proposed that DNT be the default, but then ad companies said if that were the case, then they would just ignore the header. They want users to explicitly opt out of tracking otherwise they will assume they agree to being tracked.

Are you suggesting a "please track me" header? Nobody would ever use it...

Keep in mind, uBlock Origin does not block social media widgets by default, and you have to enable it in settings. Widgets like Facebook like buttons, and Tweet buttons have to be blocked manually.

Checking the box to block 3rd party cookies is great advice, but I would not tell my Mom or any other casual user to do it. Why? You wind up with a lot of very weird, hard-to-track down bugs in web pages. I've seen failures in OAUTH and SSO pages, buttons that don't click, etc. Things you might not expect to break, break. And it's hard to track it back to that checkbox.

I suppose the "block third-party cookies and site data" must be why this is mostly broken at home (doesn't show logins to 5-6 sites that I'm logged in to), but works properly at work (didn't bother to set that option there). Never toyed with exactly what the "site data" part means, though.

Very nice. Here's how to do it on Firefox [1]

[1] https://support.mozilla.org/en-US/kb/disable-third-party-coo...

How many people browsing the web would know to do this? Would even 0.5% of users know?

I didn't know about either of these things and I consider myself fairly security savvy (for a programmer).

uBlock Origin looks way better than Ghostery, which I was using until now.

TIL YouPorn is considered social media

I heard they have an active comment section.

I go there for the comments?

It's not YouPorn but there's this gem of a tumblr: http://pornhubcommentsonstockphotos.tumblr.com/

You'd be surprised how active people are on YouPorn, PornHub, etc. Whole new world. And surprisingly, very civil people.

Ironic that youporn is included in this list considering they lost in a class action suit for very similar business practices.


+1 very interesting case - company never located on US soil is being sued in California for something of a peanut size comparing to what Facebook does.

I know a bit off topic but I can't find how this case ended. Anyone with better Google skills??

youporn lost in the end, not sure what the end settlement was.

So, loading favicon.ico via a redirect-type parameter:

    <img onload="alert('logged in to fb')" onerror="alert('not logged in to fb')" src="https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Ffavicon.ico">

Shouldn't a browser not send cookies when the request comes from a different domain? That would seem like the most sensible solution to me. Unless somebody can show a caveat of course.

This is exactly what the "block third-party cookies" option does. It really should be enabled per default, possibly with a permission prompt for cases where they are useful.

The interesting thing here is that third-party cookies usually allow a central site (e.g. an ad server) to track a user across many other sites. It's almost the other way around here: "other sites" can track status on a "central site".

I didn't know this option exists. Thanks. I enabled the option and indeed, this social media fingerprint stopped working :)

I believe that cross-site scripting [0] can be used to get around domain restrictions.

[0] https://en.wikipedia.org/wiki/Cross-site_scripting

[1] (This is not my area of expertise. If I'm not correct... please let me know!)

No, that's not really related. Cross-site scripting's name comes from the vulnerabilities which allow an attacker to insert a <script> tag pointing at a script on another domain (or an inline script). It doesn't have to do with cookies and doesn't get around or really interact with the "block 3rd party cookies" setting.

That requires exploiting an XSS vulnerability in the target domain however. Such vulnerabilities are sadly common, but can be prevented.

Very good demonstration thank you.

Some interesting (and unethical) potential marketing opportunities here. For example, at the bottom of articles only show share actions for social platforms they are logged into.

Why is showing only pertinent share options unethical? Or is it the cross-site circumvention that you found unethical?

Ethics are subjective, some people may find the fact you're identifying what websites the user is logged into creatively in this way unethical as it divulges what services the user uses without them necessarily consenting/realising you have access to this information.

So, in one case you get a list of 10 share buttons, in another you get a list of 5 that you're logged in to already. The information doesn't leave your machine, it's your browser that discovers it and the information is presented to you - what in particular is your take in the ethical problem here? To me that's like a program arranging your contacts by order of use without explicit requesting permission to do so. The page is already causing your browser to request lots of URLs that you didn't explicitly allow.

Not logged in != doesn't have an account

Maybe you just use it for prioritization. For example, if they are logged into Reddit and Twitter: show buttons for Reddit and Twitter, then just have a more button that opens a dialog with other supported services.

For sure, but logged in == does have an account.

Sure, but if you identify they are logged into FB and Reddit, maybe only show those two options. If you can't determine they are logged into any service show them all.

Apparently. I am not logged into anything. I tried it on Opera (along with the internal ad blocker) and I'm not using Privacy Badger.

This only works if you have third party cookies turned on. I'm not sure about Opera, but I'm pretty sure Firefox has them off by default.

Firefox has third party cookies enabled by default, PLUS they hide the setting so you have to search for it to disable it.

I'm 100% sure that they designed it that way to please Google. The pull requests to change it were ignored. And then they claim to be your partner in keeping your privacy.

AFAIK only Safari has 3rd party cookies disabled by default. There are only very few sites that require 3rd party cookies. I use none of them.

> AFAIK only Safari has 3rd party cookies disabled by default.

Safari's "3rd party cookies disabled" behavior is not the same as the Firefox one. Firefox's blocks third-party cookies (though it's hard to tell whether it just blocks _setting_ or also blocks _sending_). Safari does something where they send them in some cases, but I'm having a hard time determining which cases, possibly because they've changed behavior a few times. At one point they blocked third-party cookies, _unless_ the third-party site has previously been visited as a first-party site. What this meant in practice is that Safari wouldn't block third-party cookies for things like Facebook or Google that you probably have visited as a first party.

At this point they _may_ be doing double-keying of cookies instead (top domain and third-party domain as key, not just the third-party domain). As I said, it's a bit hard to tell from the documentation out there, which is conflicting and contradictory, and I have no time right now to go read the source. And even then they might only be doing double-keying in the "never visited as first party" case...

The point of all of which is, "blocking third party cookies" is not a well-defined thing and different browsers mean quite different things, with different web compat impact and site breakage, when they say they do it.

I'm 100% sure that they designed it that way to please Google.

And why would that be, if their deal with Google ended in 2014?

Sorry I was wrong about Firefox, I must have reconfigured mine and forgotten about it. My point was that Privacy Badger alone won't prevent this attack, you have to disable 3rd party cookies.

Using uBlock Origin and Privacy Badger defaults, it only showed me as logged into Hacker News.

Same for me, plus Slack. What it didn't notice: Reddit, GMail, Github, Paypal and maybe more.

Privacy Badger alone missed Reddit and the Google cluster, but picked off all of my other active logins. I'll be adding uBlock to see what it does with the survivors.

Scary. Netflix is showing logged out though, whereas I'm actually still logged in.

Yeah, it kind of shows conflicting results to me too.

While it correctly identified me being logged into HN, Medium, and Amazon, it completely missed reddit, GitHub, Twitter, Facebook, etc. I'm assuming it missed them because of me running Privacy Badger, but I'm kind of negatively surprised that Privacy Badger failed to protect me from those three I mentioned.

Another false negative: Pinterest.

Pretty compelling information. Two observations: 1) No LinkedIn. Are they on top of the problem? 2) I had fun results with the Epic Privacy Browser.

Couldn't find a redirect on LinkedIn that redirects without prompting you to log in again... Can you?

Blocking third-party cookies gives you full protection in this and other situations without any major annoyances.

Other subcomments here mention it, but every time this comes up it seems most people (including the article) aren't aware that blocking 3rd party cookies is a super easy fix and IMHO should be the default of browsers.

I've only ever had issues with this at my banking site because they use a third party to host their solution (Workaround is opening the iframe). But I am now going to ask them to fix this (I guess all it requires is a subdomain pointing to the third party?).

Please help spread the message and ask trouble web sites to fix their shit or if I'm completely wrong, educate me and let's move things forward.

This is the first I had heard of GETs to login pages executing a redirect when the user is already logged in. I wasn't aware that so many did this.

Virtually every application I have built will render a simple response saying "You are already logged in" if you GET the login URL with an active session. As I understand the exploit, if a non-image is returned, the script assumes you are not logged in.

What value is there in redirecting a GET if you're already logged in? You redirect when the login form is submitted as a POST.

2 tabs open. I log in in one of them, then follow a link in the other that points to the login page with a redirect to something that requires login.


2 tabs open, I follow links to login page on both. Login in one, F5 the other.

Can someone explain how this is NSFW? Is it because it's scraping for logins which looks suspicious?

It retrieves the favicon (at least - haven't finished reading how it works) from YouPorn. If you're looking at DNS requests, it looks similar to if you're browsing porn.

I'm guessing from other comments that it checks logins on a wide variety of sites, some of which may be NSFW. Some employers might not like you accessing NSFW sites.

Correct, among others it checks youporn. For this check it needs to send a request to that domain, which may get flagged in certain corporate IT systems.

That would be a pretty crappy check then. After all any webpage could embed that favicon.

Any page could also embed anything else NSFW, such as actual porn videos. The assumption is that these sites are generally NSFW by association.

What would you propose instead?

If a filter is set up to not just block access to but also flag based on something as trivial to embed as a URL one would hope the technology would be a little bit more involved than a single hit on a .ico file for a flag.

A web filter / proxy does not have any way to tell whether any individual HTTP request was requested as a result of HTML embedding, bookmarking, user entry or clicking on a link.

Exactly. So it shouldn't be used to 'flag' any employees.

If your position is that monitoring HTTP traffic is useless because favicons can be embedded into webpages, what method would you propose to monitor employees' browsing habits then?

Furthermore, how would you monitor the HTTP traffic of suspected terrorists? After all, anyone can embed an image to "www.isis.com/blackflag.jpg" into any webpage, so shouldn't we stop monitoring all such traffic?

Your original assertion was that "it's a pretty crappy check", but I think what you are missing here is that it's the only possible check, minor irrelevant flaws and all.

No, it isn't the only possible check, but besides that the 'HTTP traffic of suspected terrorists' will be nicely encrypted in a way that you won't be able to intercept the URLs.

Lots of fearmongering here, if you want to monitor your employees' browsing behavior then you're going to have to supply them with the hardware they do the browsing on, lock that hardware down and install some nannyware to do the monitoring. That way you won't have to MITM each and every connection and you'll have a more secure setup overall.

Attaching cookies to third-party requests is the source of many issues. In a similar demonstration [0], I showed that browser-based timing attacks (which can probably be considered as wont-fix as well) can be used to extract more specific information from social networks (e.g. one's political preference based on who they're following).

[0]: https://labs.tom.vg/browser-based-timing-attacks/

I don't know if anyone will read this at this point, but if you're going to proof-of-concept an exploit, please make that clear in the title or have an opt-in step with an explanation of what it will do like the EFF uses on https://panopticlick.eff.org/

I do not appreciate being tricked into running your exploit proof of concept, especially when you put content in it that I otherwise would not have clicked.

Nifty, with Firefox containers each one shows the "mode" I'm in. Hackernews for default container, personal has my Google world + open source + Dropbox, work has my work's Gmail world, and shopping has my Amazon account. It's like a verification that containers work!

How does this work?

I think I get the basic concept of calling redirects to various sites from the page, probably back-end like with php, CURL maybe?

I just don't get how you'd keep track of where it goes after the redirect (trying a link) since you would now be on Facebook's site for example

There's an explanation further down the page, but essentially the redirect they choose is an image. You can tell if an image loaded successfully using JS, so if the redirect succeeds, that JS fires. If it fails (because the login page isn't an image), some other JS runs instead.

Oh okay, that makes sense. It's like those tracking/analytics where they know where a person came from previously to follow their "thought pattern" that is something I'm not 100% in either.

Keep in mind that it doesn't show the icons at all if you're using a content blocker and activated Fanboy’s Annoyance List.

This is because the critical resource is named "/socialmedia-leak/socialmedia-leak.js".

Yes, this needs to be made clear: Fanboy Annoyance won't protect you from Social Media Fingerprinting, it just prevents the proof of concept on that one site from working properly.

Disabling 3rd-party cookies in your browser is what protects people against Social Media Fingerprinting.

I always advise to disable 3rd-party cookies -- unfortunately this is not enabled by default in browsers. Even without this Social Media Fingerprinting issue, anyone looking at cookie payload (which also include local and session storage) on common top sites will be horrified at the result of not blocking 3rd-party cookies.

I found it's quite rare to find a site broken because 3rd-party cookies are blocked.

Fanboy here, fixed the site so it can load:


Thanks. I just enabled Fanboy’s Annoyance List in ublock origin. I've haven't spent any time digging through that filter list, but I'm now interested. Any other recommendations or resources?

Personally I went with EasyList and local EasyList against ads, Fanboy’s Annoyance and Anti-ThirdpartySocial because social media integrations generally annoy me. EasyPrivacy and Fanboy’s Enhanced Tracking List‎ for privacy as well as the Adblock Warning Removal List‎ and this cool thing against the EU cookie failure: https://raw.githubusercontent.com/r4vi/block-the-eu-cookie-s...

It's not very complete, though.

Why does it generally annoy you?

If I want to share content on a social platform I just copy the link and post it wherever I like. I don't need slow, endless lists of tiny buttons to nudge me into something.

Renamed it. Does it make any difference?

The blocked string is "socialmedia-"; filename is fine, folder name is still triggering the script being blocked.

So, did I just make all those sites that I'm not logged in to aware of my IP address? And if I didn't have ad blocking, would I then be seeing ads "of interest to" people who visit those sites?

Well, it's good to see it's partly wrong for me. It shows HN correctly, but also shows me logged in to Facebook and Tumblr, not correct. And not logged in to gmail, which I am. Still, it's a dangerous flaw.

How is being shown logged in any good when it's not true? Wasn't there also something about facebook creating accounts for people based on their 3rd party promotion link ins and what not?

Can't get this to work. Turned off ublock origin, but still using https everywhere and blocking third-party cookies (for a recently discovered attack that utilizes cookies).

It says I'm not logged into any of its sites. Chrome on Android 6. No special privacy measures. I am logged into a few sites in the browser, including this one.

Couldn't this be fixed by storing a cookie instead of using ?next= in the query string?

For example:

    if (!auth) {
        setCookie('next', '/url-here', '1h');   // remember where to go after login
        redirect('/login');
    }

Login page action:

    if (cookieExists('next')) {
        next = getCookie('next');
        deleteCookie('next');                   // single use
    } else {
        next = '/';
    }
    redirect(next);

Could easily muddle state with multiple tabs though, query string is clearer.
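An added example, not code from the thread or from the demo site, modelling the server-side fix raised a few comments up (answer a GET to the login page with a page, never a redirect, when the visitor already has a session) and going one step further with the cookie attribute that keeps the browser from attaching the session cookie to a cross-site image request at all. All function names and the probe path are hypothetical; no framework is used.

```javascript
// Constructed "next" value of the kind a probing page would choose: an
// image, so that <img onload> fires only if the redirect actually happens.
const PROBE_TARGET = "/favicon.ico";

// Leaky behaviour described in the thread: GET /login?next=X with an active
// session answers 302 -> X. A third-party page embedding this URL in an <img>
// sees onload for logged-in visitors and onerror for everyone else.
function loginGetRedirecting(session, next) {
  if (session && session.userId) {
    return { status: 302, headers: { Location: next || "/" }, body: "" };
  }
  return {
    status: 200,
    headers: { "Content-Type": "text/html" },
    body: '<form method="post" action="/login">...</form>',
  };
}

// Hardened behaviour (the approach one commenter describes): always render a
// page. A cross-site <img> receives text/html in both states, so onload and
// onerror behave identically whether or not the visitor is logged in.
function loginGetRendering(session, next) {
  const html = session && session.userId
    ? "<p>You are already logged in.</p>"
    : '<form method="post" action="/login">...</form>';
  return { status: 200, headers: { "Content-Type": "text/html" }, body: html };
}

// Second layer: the Set-Cookie attributes for the session cookie.
// SameSite=Lax stops the browser attaching the cookie to subresource requests
// (images, scripts, iframes) initiated from another site, which removes the
// "attach cookies to third-party requests" behaviour the thread complains about.
function sessionCookieHeader(sessionId) {
  return `sid=${sessionId}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Defender-side check: does the login endpoint answer differently for a
// logged-in and a logged-out visitor asking for the same probe URL? Any
// difference in status or Location is observable from a third-party page.
function responseLeaksLoginState(handler) {
  const loggedIn = handler({ userId: 42 }, PROBE_TARGET);   // constructed session
  const loggedOut = handler(null, PROBE_TARGET);
  return loggedIn.status !== loggedOut.status ||
    (loggedIn.headers.Location || "") !== (loggedOut.headers.Location || "");
}

console.log("redirecting handler leaks:", responseLeaksLoginState(loginGetRedirecting)); // true
console.log("rendering handler leaks:  ", responseLeaksLoginState(loginGetRendering));   // false
console.log(sessionCookieHeader("example-session-id"));
```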

This 'fingerprint' changes as you log in and log out of various services, so it's not very reliable for uniquely identifying users. Regardless, it could still be used to profile you and then target content accordingly. For example, if you're logged into Hacker News, you're probably a programmer and you're probably more interested in an ad for web hosting than wedding dresses and vice versa for Pinterest.

This is a more irrevocable persistent fingerprint: http://ubercookie.robinlinus.com/ :)

Recorded the network requests (from incognito) for fun with BugReplay, (the webapp I've been building for a bit over a year) here: https://app.bugreplay.com/shared/report/acf38fbd-f2e1-41c7-9...

Not sure how many false positives this will cause, but it's fixed in the Enhanced Tracking list.


I have uBlock Origin in 3rd party deny mode and privacy badger and it still detects me as logged in to HN, Reddit, Slack and Stack Overflow.

EDIT: Following diegorbaquero's advice[0] solved it

0: https://news.ycombinator.com/item?id=12692485

I had that and enabled the "Fanboy Annoyance list" in uBlock Origin and now it says I'm on none of the platforms.

Keep in mind that this is an accidental fix due to a suboptimal naming choice by the website author.

A better solution would be to disable third-party cookies in your browser settings.

Sending the do not track request generally increases the ability to fingerprint you, as adversaries tend to ignore its purpose anyway.

So, interestingly, it had me logged in to reddit, but I don't actually have a reddit account at all. Thoughts?

Same here actually. I haven't logged into my reddit account in like two years now. Also don't have any cookies from reddit so I dunno. The site does show me logged out of everything else so I think it's either broken or something else.

Why not go to reddit.com and see who it says you're logged in as?

Nothing, because I literally don't have an account.

Tracking like this does not work when you use Firefox with Containers :) See https://wiki.mozilla.org/Security/Contextual_Identity_Projec...

Quick fix: embed favicon in data-uri ;)

<meta rel=icon>!

Hmm weird, it correctly detected everything except for the false negatives of PayPal, Tumblr, and Spotify. Taking a look at the mechanism I have no idea why this would happen, and opening the relevant links in my browser gives the favicon as it should. Weird.

So I logged out of facebook and tried this tool again. Apparently it still shows that I am logged into facebook.

I tried opening different facebook pages and it detects that I am logged out but the tool still thinks I am logged in.

Any guesses why?

Maybe you could add this leak to your list as well: https://news.ycombinator.com/item?id=12695451

All it told me is that I'm a nerd ... So it was beaten by my wife and kids.

"You are logged in to: Github, Hacker News"

Interestingly, I have a legitimate use for the hack behind this idea.

Using Brave Browser it gets wrong Reddit and Flickr for me. I'm not even logged on these.

On the other side, it doesn't detect Facebook. Only got Twitter right.

It would be interesting to keep track of how common each particular fingerprint is. It could potentially be used to identify an individual user.

What is happening is not legal in the US and a large porn website was sued for doing it. They were printing hidden links on the page, then checking the color with JS to see if you had visited the destination url or not. Judge didn't think it was a fair business practice. Maybe these companies are not fixing this because of this legal precedent and figured no one was doing it?

Works mostly! I'm logged into HN of course; it says I'm not. Also Steam.

It got Facebook, Gmail, Youtube, Dropbox right.

Using default browser IE 11 on Win7

Haha, I like how you added just one porn tube site so that you can add NSFW in the title. Nice click baiting. lol

Hmm. This works in Firefox 49, but gets it quite wrong in Google Chrome 53. I'm on Linux Mint 17.2 64 bit.

Who the hell makes accounts on porn sites?

>You are logged in to:

>No platform

>(or you're using something like Privacy Badger)

I'm using uMatrix and uBlock Origin :)

That's a fun website to look at through Gorhill's uMatrix plugin.

or ContentBlockHelper

Interesting, Instagram moved the favicon image but Facebook has not.

Doesn't seem to detect being logged in to Netflix.

Or at least not for me.

For me, it throws several false alerts (Twitter, Flickr and a few others). Is it possible that it's caused by my browser extensions (uBlock Origin, Disconnect)?

Google is basically omniscient on a user-profile basis with years of search, gmail, and youtube data on users. They should just write an algorithm and let it send out job offers with no human intervention, just like search.

Good news! It's blocked by uBlock Origin and noscript.

Hm. Doesn't seem to work on Chrome on Android.

Nothing shows up in my Epic Privacy Browser ;-D!!

What would be a possible fix to this problem ?

Nice work!

Nice, so now by using this I have an NSFW site logged in my workplace's DNS log. Be careful if your employer checks such things.

Made the same mistake. "Maybe NSFW" isn't really clear – "makes a request to YouPorn" is probably more fitting.

Yeah, I thought "Well I only log on to corporate email and HN on this computer, so it's not going to drag up anything scandalous."

Our IT department LOVES complaining about users using the network inappropriately, so I can look forward to a discussion with HR about this. I guess I should have checked the comments first.

If your workplace is creating any trouble for you because of a few unique hits to NSFW websites, better reevaluate where you work.

Without the constant social pressure to mark content, this 'Few unique hits' would become a pattern of behavior.

The system is working. Let it do its job.

If you had done your job instead of reading HN, there would be no problem!

100+ days old account, love it!

On the other hand, let's keep the novelty accounts to reddit (even there they are annoying though).

well, the name is fitting indeed

The one time I don't check the comments before reading the story...

Sorry, didn't think about that. Added a hint in the title.

huh. I didn't think of that.. that's kinda harsh.

Yep I also clicked first. It might need an "NSFW" tag in the title to warn other users. (Let's see how long it takes for Corporate IT to come yell at us)

I get blocking it but I have to wonder about departments run like that. Do they really have nothing better to do?

It's the "see and be seen" method of working.

Nobody knows you exist because everything is working? Better go yell at somebody.

Everybody thinks you aren't working because something is broken? Better go yell at somebody.

Well, on the bright side I'll be able to see if our IT guy actually logs this stuff.

It'll be fun explaining it.

DNS prefetch makes those logs fairly useless - fortunately or unfortunately depending.

Share the link with your colleagues for extra fun.

Use a VPN like the rest of the savvy slackers.

Yes. If you do anything remotely personal on a work computer, use a VPN or some other type of encrypted tunnel (an SSH SOCKS tunnel + FoxyProxy makes a good poor man's VPN, and can usually be configured to allow seamless integration with internal resources going over the LAN and external going over the tunnel).

I'm more likely to get in trouble for creating a VPN than I would be for accidentally sending a DNS request to YouPorn. Our IT department is insane about data security, and running traffic through another VPN will cause them to drop everything to harass you for as long as it takes you to prove that you weren't leaking sensitive information.

Sounds like you need to just browse on your phone, then. And if that's not an option, you should probably just not browse at work.

Very simple and cool exploit. I wouldn't be surprised if this technique is already in use on various ad platforms. A really simple pitfall I think most of us can confess to having done in the past (redirect attributes are pretty common in the wild).

Is this a spoof? It is 100% WRONG for me on Vivaldi browser.

Says I'm logged in to FB and nothing more. I don't even have a bookface account, but I do have gmail/YT/github/reddit and a few others open in the adjacent tabs and fully logged in.

> without your consent

Untrue. I have given my consent. Why are these privacy posts always using some kind of nefarious and negative language?
