Mike Cardwell blogs:
"When you visit my website, I can automatically and silently determine if you're logged into Facebook, Twitter, GMail and Digg."

And sure enough, the page says "Yes, you are logged in" or "No, you are not logged in" at the appropriate places. Eerie. What's going on here?
As Cardwell explains, whenever you send an HTTP request to a server, you get back a response code. That code might say "Your request was OK, here's the data you asked for" (200), or "Sorry, I don't have what you're looking for" (404), or "Goodness, I seem to be having some sort of problem here" (500), or any of a number of other things. So far, so good.
Modern browsers remember that you're logged in to particular sites, so you don't have to keep logging in: the site hands your browser a session cookie, and the browser sends it back with every request to that site, including requests that some other page caused it to make. Fair enough. If you're logged in and you ask for something on a site, you'll get it (assuming you have the proper permissions, etc.). If not, you'll typically get an error or a redirect to the login page.
HTML allows a document to reference resources on other web sites (images, scripts, and so on), which is pretty much what makes the web webby, and JavaScript lets the page behave one way or another depending on what happens when the browser tries to fetch such a resource: did it load, or did it fail? It doesn't even have to be based on a status code; pretty much any reliably observable difference in behavior between the logged-in and logged-out responses will do.
Put it all together, and
- any web site
- can use a reference to another site
- to tell if you're logged in to that site
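Here is what that probe looks like in practice. This is an added example written for this page, not Cardwell's code; the two target sites, their URLs and the claim that one serves an image only to logged-in users (and the other only to logged-out ones) are hypothetical. The attacking page never sees the response body; it only learns whether the cross-site image fired onload or onerror, and the browser attached the victim's cookies automatically.

```javascript
// Added example (not Cardwell's code): a cross-site login probe of the kind the
// post describes, with the decision logic kept separate from the DOM so it can
// be run offline.
//
// Assumptions (hypothetical, not from the post): example-social.test serves
// /me/avatar.png only to logged-in users and answers with an error otherwise;
// example-mail.test serves /login/logo.png only on its logged-OUT login page.

const PROBES = {
  'example-social': { url: 'https://example-social.test/me/avatar.png', loggedInIf: 'load' },
  // Some sites give the opposite oracle: a resource that only works when logged out.
  'example-mail':   { url: 'https://example-mail.test/login/logo.png', loggedInIf: 'error' },
};

// Map the observable event ('load' or 'error') to a verdict for one probe.
function classify(probe, event) {
  return event === probe.loggedInIf ? 'logged in' : 'not logged in';
}

// Run one probe in a browser: create an <img>, point it at the other site, and
// wait for whichever of onload/onerror fires. imageFactory defaults to the real
// Image constructor; the offline test injects a fake that fires the event itself.
function probeLogin(probe, imageFactory = () => new Image()) {
  return new Promise((resolve) => {
    const img = imageFactory();
    img.onload = () => resolve(classify(probe, 'load'));
    img.onerror = () => resolve(classify(probe, 'error'));
    // Cache-buster: a previously cached copy would fire onload without a request.
    img.src = probe.url + '?_=' + Date.now();
  });
}

// Run every probe and return { siteName: verdict }.
async function probeAll(imageFactory) {
  const results = {};
  for (const [name, probe] of Object.entries(PROBES)) {
    results[name] = await probeLogin(probe, imageFactory);
  }
  return results;
}

// In a page: probeAll().then((r) => console.log(r));
```

Each site needs its own entry in the table: the probe only works against a URL whose logged-in and logged-out responses are distinguishable from the outside, and which resource that is varies from site to site. Note also that in current browsers the trick depends on the target's session cookie being sent on a cross-site image load; cookies marked SameSite=Lax or Strict (the default treatment in Chrome since 2020) are not, so against such sites the probe reports "not logged in" regardless of the real state.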
In Chrome, at least, if you open an incognito window to visit Cardwell's site, it can no longer tell whether you're logged in, because incognito windows don't share cookies or other state with your normal browser windows. But that's kind of throwing out the baby with the bathwater. You can also turn off JavaScript support (or only selectively turn it on), but that has its own problems, and a sufficiently clever page can often make the same observation without JavaScript.
To really solve the problem you have to be able to control what state is shared when one site asks your browser to fetch something from another, for example between different tabs or windows. Doing that simply and non-intrusively is easier said than done. (This is essentially what the SameSite cookie attribute later did: a cookie marked Lax or Strict is not sent on cross-site subresource loads, which is precisely the state this trick depends on.)
On the other hand, as a couple of commenters point out, such tricks have been around for a while. Whether anyone's exploiting them in a significant way is another matter. Before a site can find out if you're logged in, it has to get you to visit it (not that there aren't plenty of sneaky ways to do that), and then it only learns whether you're logged in to the sites it knows how to check for, since each site requires its own custom-tailored check. And if all you log into is, say, GMail and Twitter, then all your adversary can find out, from this particular trick at least, is that (yawn) you use GMail and Twitter.
Worth losing sleep over? Probably not. Worth keeping in mind? Definitely.
Cardwell's site looks to have a lot of other fun and useful information on it as well ... and if you stop by for a visit, your browser will most likely tell his server, via the Referer header, that I sent you.
