Social Media Login Detection

This is a demo of image-based cross-origin login detection for most major social networks. A fork of socialmedia-leak with some enchantments.

JavaScript Disabled

Browser Security Test

Third-Party Cookies
Tracking Protection

You are logged in to:

You are not logged in to:

Explanation

The demo shows one of the oldest methods (with some new look) to detect if the visitor is logged into Facebook, Twitter, Google, etc.

We request the image (to bypass Same Origin Policy) that's available only if the user is logged in. For this, we attach the onload event which will occur if the image has been successfully loaded, and the onerror event if the loading is failed (or if we got an invalid image with wrong MIME type), and so we find out whether the user is logged in or not.

But how to apply it to major websites such as Facebook and Twitter?

Socialmedia-leak described recently that almost all of them have typical «redirect on login» mechanisms, and it can be used to to redirect to the image. Another feature is that in most cases the redirected URL must be in «same origin», and this can be a problem because the major websites use CDN to store almost all of their image files.

All but favicon.ico:

  1. <img
  2. onload="alert('Logged in to Twitter')"
  3. onerror="alert('Not logged in to Twitter')"
  4. src="https://twitter.com/login?redirect_after_login=/favicon.ico"
  5. />

Full description of how it works you can find on the original Robin Linus socialmedia-leak project page:

Protection

The threat is well known for a long time, back in the previous decade. But as the hardering cross-origin resource sharing to disallow images and blocking third-party cookies by default is looks unreal for normal users, it won't fix. Major websites also do not consider it as a significant security risk. At the moment, only geeks oriented resources have fixed it quickly.

What you can do to protect yourself:

Leave a Comment (9)