Detect Which Social Networking Sites Website Visitors Are Logged Into

Clever hack.

Posted on March 1, 2012 at 6:39 AM • 17 Comments

Comments

Tomasz WegrzanowskiMarch 1, 2012 7:25 AM

It doesn't seem to detect correctly in Chrome. Is it because I have 3rd party cookies turned off?

3rd party cookies sound like a horrible idea in any case, and it would be a good default to disable them - 99% of their use cases are extremely questionable, unlike NoScript where the reverse is true.

Clive RobinsonMarch 1, 2012 7:55 AM

Speaking of Google, I presume most are aware that their new "privacy policy" is considered illegal in Europe even before it starts...

And now this is "known" there may be a case for arguing that using the methods this exploit uses are now technicaly illegal as well ;-)

MikeCMarch 1, 2012 8:59 AM

Doesn't work on my GS2 phone's browser, even though I got the link from Twitter. Surprising, actually.

old newsMarch 1, 2012 10:01 AM

A year ago I read of a method to detect which social media a user had an account with. This was combined with only showing those icons on a web site.

boogMarch 1, 2012 10:22 AM

I thought this seemed familiar:
http://www.schneier.com/blog/archives/2011/02/...

Different article, but same idea. If I recall, there was a bit of skepticism over whether or not detecting a person's login status constitutes an "attack".

Things get interesting when you consider that, while the article seems to only mention social media, this kind of attack isn't actually limited to social media. How many web-based applications do people use at work?

ArclightMarch 1, 2012 11:38 AM

A good way around these invasive sites is to sandbox your browsers. Sandboxie is a good program for this - it allows you to have separate containers in which you run browsers, chat clients, etc and all file system modifications stay inside the sandbox. You can also empty the sandbox periodically. Check out:

http://www.sandboxie.com/

Arclight

ShadowRunnerMarch 2, 2012 12:17 AM

Actually it is a very old hack and it was first described in Jeremiah Grossman book about XSS attacks in 2007 or so :)
It is a good idea to sandbox all the authenticated application. Thus using gmail/twitter/facebook in one sandbox and general browsing in another.

Jan DoggenMarch 2, 2012 1:12 AM

@clive:
"Speaking of Google, I presume most are aware that their new "privacy policy" is considered illegal in Europe even before it starts"

Can you back this up? I haven't heard any illegality accusations here in the Netherlands, adn we have quite strict privacy laws.

Clive RobinsonMarch 2, 2012 5:12 AM

@ Jan,

Can you back this up? I haven't heard any illegality accusations here in the Netherlands

As Harry idirectly indicates above you can use a search service, better still if you have a vague sense of the rediculous google it...

But in the UK on the likes of the BBC and Sky News related outlets it's been on radio and television.

One such is the British Broadcasting Corp,

http://www.bbc.co.uk/news/business-17192234

But to further increase the surreal feeling, BBC Radio 4 (which you can get in the Netherlands or online) has a five minute slot in the morning called "Thought for The Day". This morning it was an Arch Bishop who's theme was "Google is watching you" comparing it with the old "God is watching you" style threat to get you to behave lest you get eternal damnation (it nearly caused me to drown as I was in the bath when it came on and due to laughing so much I sliped and went under the surface).

But he opened it with a comment that he had heard an interview with a Google representative describing the convoluted and contorted opt out procedure, and he opined that it was "Kaffkeresque".

So there you have it even a senior "silver haired surfing" man of God calling into question the "Choclate Factory" for potentialy being the fourth brass monkey (the three usuall ones being see,hear,speak no evil with their hands positioned appropriatly on eyes,ears and mouth, which is why the fourth "do no evil" is rarely shown as in gripping "it's privates" it might offend those of a more delicate set of sensibilities ;-)

MeMarch 2, 2012 9:17 AM

It just says:
"If you want to prevent sites from being able to detect this then for Firefox you can try RequestPolicy or NoScript."

Well, it seems I was a step ahead of it.

meMarch 7, 2012 6:16 AM

I don't ask people if they use FB or any of that stuff because I'm afraid if I do they'll actually expect me to look at it.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..