Recognised that URL immediately, and (after first changing to newtwitter which I hate), reloading the page did indeed switch me back to oldtwitter.
Edit: Because of the change in URLs between the old and new versions of Twitter, I can only find one alternative to the us_phx option (a fairly obvious one):
http://twitter.com/settings/account
Returns 302 if not logged in, and if logged in then 200 regardless of if your account is set to use new or old twitter.
302 won't work. It simply redirects to the destination page, and then the onload would be triggered. What you need to find is something which generates an error code, i.e. 4xx/500. When logged in, this generates a 406, because I set "format" to something invalid:
This is why I use "Request Policy" on Firefox. It prevents by default all kinds of cross-domain requests like these.
It's a bit painful to set up at first for all sites that you visit frequently (similar to setting up NoScript), but then you can enjoy a much more lightweight browsing experience - and a more secure one as well.
I almost wish attacks like this could be used to trim down all the options provided by uber-social sites that offer me the option to twitter/like/stumbleupon/reddit/digg/etc... every single page.
This could actually be useful to a UI designer in a non-evil way. Normally we have a list of services that you could authenticate with. If we knew that someone was logged into a less-common social network we could show that button instead of a more-common one they weren't logged into.
Doesn't expose any "real" private info (e.g. passwords). If the intent of the piece was to get users to turn off Javascript and secure themselves, the possibilities laid out are not forceful enough to achieve that objective, imo.
The intent of the piece was to tell people about a neat trick I'd discovered. Nothing more.
Which sites you log into is private information.
The Firefox addon "Request Policy" does protect from this attack, but it's not the most user friendly way to browse the web. I've been trying it out myself the past couple of days. Fine for geeks, but not fine for the average user.
You said "Which sites you log into" but mean "Which sites you maintain a persistent log in on" which are two very different things.
The post you responded to is correct in that the title is somewhat incendiary compared to the reality, unless there is some possible hijacking or scraping vector from this, but that seems massively unrealistic.
Yeah, lots of people go to this amount of trouble. Hell, why feel bad for people injured in car crashes? That's what five-point restraints and helmets are for.
It's only the Facebook, Twitter and Digg attacks that don't work in MSIE and Opera. The GMail attack works in all of them. The reason the "script" based attacks don't work in Opera and IE is because they don't fire the onload/onerror events if the returned content isn't valid JS.
Strange. It's still working fine for me. Said I wasn't logged in, so I logged in and checked and it worked, and I logged out again and checked and it worked. I wonder if you're using a proxy that is interfering somehow? I'm assuming it's not an addon as you said it's the same in both Chrome and Firefox?
I'm sure this isn't what you're thinking, but just to double check... You don't think that you're logged out of twitter just because it's not open anymore do you? If you log in, and then close the tab without logging out, then you're still logged in...
I know I wasn't logged in because I don't even have a twitter account :). But, your assumption that this may be a proxy issue is almost certainly right, since I accessed the page from my work computer. I tried it now from my home computer and everything checks out - it doesn't show that I'm logged in anywhere except where I actually am.
For the Twitter test, the HTTP response code is an error code if you're logged in. So if your work place blocks Twitter and returns an error code like 403 or something, then you will appear to be logged in.
The test could easily be modified so it checks some other URL first to make sure Twitter isn't generally blocked.
The intention of the article was to describe a general technique, rather than to provide some complete fully functional tests. Although they do work for the vast majority of people.
Not in any of the examples provided. The article describes a general technique for attacking sites. There are lots of variations of the attacks that work against lots of different sites. Two variations are provided as examples which cover 4 particularly well known sites.