This is a demo of image-based cross-origin login detection for most major social networks. It is a fork of socialmedia-leak with some enhancements.
Browser Security Test
The demo shows one of the oldest methods (with a new look) for detecting whether the visitor is logged in to Facebook, Twitter, Google and so on.
We request, as an image, a resource that is only served when the user is logged in. Loading an image is not blocked by the Same Origin Policy, and the browser sends the target site's cookies along with the request. We attach an
onload handler, which fires if the image loaded successfully, and an
onerror handler, which fires if the load failed (including when the response is not a valid image, e.g. an HTML login page with the wrong MIME type). Which of the two fires tells us whether the user is logged in or not.
But how can this be applied to major websites such as Facebook and Twitter?
Socialmedia-leak recently showed that almost all of them have a typical «redirect on login» mechanism: a login URL that, if the user is already logged in, redirects to a caller-supplied URL, and that redirect can be pointed at the image. A complication is that in most cases the redirect target must be «same origin», and the major websites serve almost all of their image files from a CDN on a different origin, so a suitable image has to be found on the main domain.
```html
<!-- src is the site-specific login-redirect URL pointing at a same-origin image -->
<img src="[login-redirect URL]"
     onload="alert('Logged in to Twitter')"
     onerror="alert('Not logged in to Twitter')">
```
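The complete probe, as an added example that is not code from the original demo or from socialmedia-leak: it covers both the onload/onerror detection described above and the «redirect on login» URL construction. The site names, URLs and the name of the redirect parameter are assumptions used only for illustration; each real site has its own login endpoint and parameter name. The image constructor is injectable so the detection logic can be exercised outside a browser; in a page it defaults to `new Image()`.

```javascript
// Added example (not part of the original demo): the image-based login
// probe as a small reusable function, plus a probe-URL builder.
//
// Assumptions (hypothetical, not taken from the page): each site is described
// by a loginUrl, the name of its redirect-after-login query parameter
// (redirectParam), and a same-origin imageUrl that is reached only through
// the login redirect when the user is already logged in.

// Build the probe URL: the site's login endpoint with its redirect parameter
// set to the image. A logged-in browser is redirected straight to the image;
// a logged-out browser gets the login page (HTML), which is not a valid image.
function buildProbeUrl(loginUrl, redirectParam, imageUrl) {
  const url = new URL(loginUrl);
  url.searchParams.set(redirectParam, imageUrl);
  return url.toString();
}

// Probe one site. onResult receives {site, state} where state is
// 'logged-in' (onload fired), 'logged-out' (onerror fired) or
// 'unknown' (neither fired before timeoutMs, e.g. the request was blocked).
// createImage is injectable so the logic can run without a DOM; in a
// browser the default `new Image()` is used.
function probeLogin(site, onResult, createImage = () => new Image(), timeoutMs = 5000) {
  const img = createImage();
  let settled = false;
  let timer = null;
  const finish = (state) => {
    if (settled) return;      // only the first event counts
    settled = true;
    clearTimeout(timer);
    onResult({ site: site.name, state });
  };
  timer = setTimeout(() => finish('unknown'), timeoutMs);
  img.onload = () => finish('logged-in');
  img.onerror = () => finish('logged-out');
  // Setting src starts the cross-origin request; the browser attaches the
  // target site's cookies unless third-party cookies are blocked.
  img.src = buildProbeUrl(site.loginUrl, site.redirectParam, site.imageUrl);
  return img;
}

// Probe several sites and hand back one object mapping site name to state.
function probeAll(sites, onDone, createImage, timeoutMs) {
  const results = {};
  let pending = sites.length;
  if (pending === 0) { onDone(results); return; }
  for (const site of sites) {
    probeLogin(site, ({ site: name, state }) => {
      results[name] = state;
      if (--pending === 0) onDone(results);
    }, createImage, timeoutMs);
  }
}

// Constructed sample configuration (hypothetical URLs, for illustration only).
const SAMPLE_SITES = [
  { name: 'example-social', loginUrl: 'https://social.example/login',
    redirectParam: 'next', imageUrl: 'https://social.example/static/logo.png' },
];
```

In a page, `probeAll(SAMPLE_SITES, r => console.log(r))` runs the probe with real `Image` objects. With third-party cookies disabled every site reports `logged-out`, which is why a protected browser sees «Nothing Found» in the demo; a probe that is blocked by a filter list never fires either event and ends as `unknown`.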
A full description of how it works can be found on Robin Linus's original socialmedia-leak project page.
The threat has been known for a long time, since the previous decade. But since browsers cannot realistically stop loading cross-origin images, and blocking third-party cookies by default looks unrealistic for normal users, it won't be fixed on the browser side. The major websites also do not consider it a significant security risk. So far only geek-oriented resources have fixed it quickly. (A site can close the hole itself by marking its session cookie SameSite=Lax, so it is not sent with a cross-site image request, or by refusing to redirect its login «next» parameter to anything other than a page.)
What you can do to protect yourself:
- Disable third-party cookies. This solves the problem (the login cookie is no longer sent with the cross-site image request, so every probe reports «not logged in»), but it obviously causes some inconvenience in casual web browsing.
- Use tracking protection. There are built-in solutions such as Firefox Tracking Protection, as well as filter lists that can be used with any ABP-based add-on; uBlock Origin with Fanboy's Enhanced Tracking List works well. Note that a filter list only helps against probe URLs it actually lists.