Social Media Login Detection

This is a demo of image-based cross-origin login detection for most major social networks. A fork of socialmedia-leak with some enhancements.

Browser Security Test

Third-Party Cookies
  ! Allowed — You can be vulnerable to this attack.
  Not Allowed — You are not vulnerable to this attack.
Tracking Protection
  Found — You may be protected against some templates of this attack.
  ! Not found — You are not protected against this attack.

You are logged in to:

You are not logged in to:

Explanation

The demo shows one of the oldest methods (with a new look) to detect whether the visitor is logged in to Facebook, Twitter, Google, etc.

We request an image (to bypass the Same Origin Policy) that is available only if the user is logged in. To do this, we attach an onload handler, which fires if the image loads successfully, and an onerror handler, which fires if loading fails (or if we get an invalid image with the wrong MIME type), and so we find out whether the user is logged in or not.

But how to apply it to the major websites such as Facebook and Twitter?

Socialmedia-leak described recently that almost all of them have typical «redirect on login» mechanisms, which can be used to redirect to an image. Another constraint is that in most cases the redirect URL must be on the same origin, and this can be a problem because the major websites use CDNs to store almost all of their image files.

All but favicon.ico:

  <img
    onload="alert('Logged in to Twitter')"
    onerror="alert('Not logged in to Twitter')"
    src="https://twitter.com/login?redirect_after_login=/favicon.ico"
  />

You can find a full description of how it works on the original Robin Linus socialmedia-leak project page:

Protection

The threat has been well known for a long time, since the previous decade. But because hardening cross-origin resource sharing to disallow images, or blocking third-party cookies by default, looks unrealistic for ordinary users, it won't be fixed. Major websites also do not consider it a significant security risk. At the moment, only geek-oriented sites have fixed it quickly.

What you can do to protect yourself:

  1. Disable Third-Party Cookies. This solves the problem, but it can obviously cause some inconvenience during casual web browsing.
  2. Use Tracking Protection. There are built-in solutions like Firefox Tracking Protection, as well as special filter lists that you can use with any ABP-based add-on; uBlock Origin with Fanboy's Enhanced Tracking List works well.
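
A site-side counterpart to the user-side steps above, as an added example that is not part of the original page or of the socialmedia-leak project: a Node.js check that flags login requests made as images, using Fetch Metadata headers with a fallback on the redirect target. The host site.example and the name inspectLoginRequest are assumptions; redirect_after_login is the parameter from the Twitter snippet.

```javascript
// Added example: server-side check for a login endpoint (Node.js, no dependencies).
// The parameter name redirect_after_login comes from the snippet on this page;
// the host site.example and all function names are assumptions.
const BASE = 'https://site.example';
const IMAGE_PATH = /\.(ico|png|jpe?g|gif|svg|webp|bmp)$/i;

// headers: object with lower-cased header names, as Node's http module provides.
function inspectLoginRequest(headers, requestUrl) {
  const url = new URL(requestUrl, BASE);
  const target = url.searchParams.get('redirect_after_login') || '/';
  const reasons = [];

  // Fetch Metadata: a browser loading the URL through <img> sends
  // Sec-Fetch-Dest: image; a real navigation sends "document".
  const dest = (headers['sec-fetch-dest'] || '').toLowerCase();
  const site = (headers['sec-fetch-site'] || '').toLowerCase();
  if (dest === 'image') reasons.push('login URL requested as an image');
  if (site === 'cross-site' && dest !== '' && dest !== 'document') {
    reasons.push('cross-site subresource request');
  }

  // Fallback for clients that send no Fetch Metadata: a login flow has no
  // reason to land on an image, and the redirect must stay on our origin.
  const resolved = new URL(target, BASE);
  if (resolved.origin !== BASE) reasons.push('redirect target leaves the origin');
  if (IMAGE_PATH.test(resolved.pathname)) reasons.push('redirect target is an image');

  // When flagged, the caller must answer identically for logged-in and
  // logged-out sessions (here: never redirect), so onload/onerror carry no signal.
  const flagged = reasons.length > 0;
  const redirectTo = flagged ? null : resolved.pathname + resolved.search;
  return { flagged, redirectTo, reasons };
}

// Constructed sample requests, not captured traffic.
const samples = [
  [{ 'sec-fetch-dest': 'image', 'sec-fetch-site': 'cross-site' },
    '/login?redirect_after_login=/favicon.ico'],
  [{}, '/login?redirect_after_login=/favicon.ico'],
  [{ 'sec-fetch-dest': 'document', 'sec-fetch-site': 'none' },
    '/login?redirect_after_login=/settings'],
];
for (const [h, u] of samples) console.log(u, inspectLoginRequest(h, u));
```

A flagged request should get the same non-image response whether or not a session exists, so the embedding page sees onerror in both cases.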
