Detect Which Social Networking Sites Website Visitors Are Logged Into
Clever hack.
Comments
Scott G. Lewis • March 1, 2012 7:44 AM
Just remember, Google doesn’t care about your third party cookie settings – they find ways to circumvent your privacy settings.
Clive Robinson • March 1, 2012 7:55 AM
Speaking of Google, I presume most are aware that their new “privacy policy” is considered illegal in Europe even before it starts…
And now this is “known” there may be a case for arguing that using the methods this exploit uses are now technicaly illegal as well 😉
KTC • March 1, 2012 7:58 AM
I have ShareMeNot add-on with Firefox, so it doesn’t work. 🙂
Natanael L • March 1, 2012 8:08 AM
… and then you XSS them and abuse this list:
http://hubze.com/2012/02/what-not-to-tweet-dhs-media-monitoring-terms/
MikeC • March 1, 2012 8:59 AM
Doesn’t work on my GS2 phone’s browser, even though I got the link from Twitter. Surprising, actually.
old news • March 1, 2012 10:01 AM
A year ago I read of a method to detect which social media a user had an account with. This was combined with only showing those icons on a web site.
boog • March 1, 2012 10:22 AM
I thought this seemed familiar:
http://www.schneier.com/blog/archives/2011/02/hacking_http_st.html
Different article, but same idea. If I recall, there was a bit of skepticism over whether or not detecting a person’s login status constitutes an “attack”.
Things get interesting when you consider that, while the article seems to only mention social media, this kind of attack isn’t actually limited to social media. How many web-based applications do people use at work?
Arclight • March 1, 2012 11:38 AM
A good way around these invasive sites is to sandbox your browsers. Sandboxie is a good program for this – it allows you to have separate containers in which you run browsers, chat clients, etc and all file system modifications stay inside the sandbox. You can also empty the sandbox periodically. Check out:
Arclight
jammit • March 1, 2012 4:34 PM
Firefox and ShareMeNot installed. No problems here.
Peter E Retep • March 1, 2012 10:15 PM
Sandboxie:
(what a great page to spoof!)
😉
ShadowRunner • March 2, 2012 12:17 AM
Actually it is a very old hack and it was first described in Jeremiah Grossman book about XSS attacks in 2007 or so 🙂
It is a good idea to sandbox all the authenticated application. Thus using gmail/twitter/facebook in one sandbox and general browsing in another.
Jan Doggen • March 2, 2012 1:12 AM
@clive:
“Speaking of Google, I presume most are aware that their new “privacy policy” is considered illegal in Europe even before it starts”
Can you back this up? I haven’t heard any illegality accusations here in the Netherlands, adn we have quite strict privacy laws.
Harry • March 2, 2012 4:17 AM
and a million other hits for “google privacy illegal europe”
Clive Robinson • March 2, 2012 5:12 AM
@ Jan,
Can you back this up? I haven’t heard any illegality accusations here in the Netherlands
As Harry idirectly indicates above you can use a search service, better still if you have a vague sense of the rediculous google it…
But in the UK on the likes of the BBC and Sky News related outlets it’s been on radio and television.
One such is the British Broadcasting Corp,
http://www.bbc.co.uk/news/business-17192234
But to further increase the surreal feeling, BBC Radio 4 (which you can get in the Netherlands or online) has a five minute slot in the morning called “Thought for The Day”. This morning it was an Arch Bishop who’s theme was “Google is watching you” comparing it with the old “God is watching you” style threat to get you to behave lest you get eternal damnation (it nearly caused me to drown as I was in the bath when it came on and due to laughing so much I sliped and went under the surface).
But he opened it with a comment that he had heard an interview with a Google representative describing the convoluted and contorted opt out procedure, and he opined that it was “Kaffkeresque”.
So there you have it even a senior “silver haired surfing” man of God calling into question the “Choclate Factory” for potentialy being the fourth brass monkey (the three usuall ones being see,hear,speak no evil with their hands positioned appropriatly on eyes,ears and mouth, which is why the fourth “do no evil” is rarely shown as in gripping “it’s privates” it might offend those of a more delicate set of sensibilities 😉
It just says:
“If you want to prevent sites from being able to detect this then for Firefox you can try RequestPolicy or NoScript.”
Well, it seems I was a step ahead of it.
I don’t ask people if they use FB or any of that stuff because I’m afraid if I do they’ll actually expect me to look at it.
Subscribe to comments on this entry
Leave a comment
← FBI Special Agent and Counterterrorism Expert Criticizes the TSA State Department Redacts Wikileaks Cables →
Sidebar photo of Bruce Schneier by Joe MacInnis.
Tomasz Wegrzanowski • March 1, 2012 7:25 AM
It doesn’t seem to detect correctly in Chrome. Is it because I have 3rd party cookies turned off?
3rd party cookies sound like a horrible idea in any case, and it would be a good default to disable them – 99% of their use cases are extremely questionable, unlike NoScript where the reverse is true.