10-15-2016, 05:54 PM
Without your consent most major web platforms leak whether you are logged in. This allows any website to detect on which platforms you're signed up. Since there are lots of platforms with specific demographics an attacker could reason about your personality, too.
Demonstration:
https://robinlinus.github.io/socialmedia-leak/
Bypass the Same Origin Policy:
How does this URL help us? The Same Origin Policy prevents to read the results of this request from any other domain but https://facebook.com...
Well, the SOP is strict for HTML pages, but it allows to receive images from other origins! So if the resource in the next parameter would be an image we could read it from our website. It can't be any image though. Facebook checks if the URL in the next parameter starts with https://facebook.com. So we need to find an image on facebook.com. Should be easy, right? Actually it isn't, because facebook hosts almost all images on their CDN servers under the domain fbcdn.net. Though there is one image that you can find on almost every webserver: the good old favicon.ico!
This is how our login URL looks like with the favicon as next parameter:
https://www.facebook.com/login.php?next=...avicon.ico
It has a very interesting property:
Logged in: returns the favicon image
Logged out: returns the HTML of the login page
We can use this URL in an <img> tag in our website:
<img src="https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Ffavicon.ico">
This <img> tag's property:
Logged in: receives the favicon image, will load it successfully, and the onLoad callback will be fired.
Logged out: receives the HTML of the login screen, will fail to load it as an image, and the onError callback will be fired.
This leads to the final exploit:
<img onload="alert('logged in to fb')" onerror="alert('not logged in to fb')" src="https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Ffavicon.ico">
please add an option "disable favicon"
Demonstration:
https://robinlinus.github.io/socialmedia-leak/
Bypass the Same Origin Policy:
How does this URL help us? The Same Origin Policy prevents to read the results of this request from any other domain but https://facebook.com...
Well, the SOP is strict for HTML pages, but it allows to receive images from other origins! So if the resource in the next parameter would be an image we could read it from our website. It can't be any image though. Facebook checks if the URL in the next parameter starts with https://facebook.com. So we need to find an image on facebook.com. Should be easy, right? Actually it isn't, because facebook hosts almost all images on their CDN servers under the domain fbcdn.net. Though there is one image that you can find on almost every webserver: the good old favicon.ico!
This is how our login URL looks like with the favicon as next parameter:
https://www.facebook.com/login.php?next=...avicon.ico
It has a very interesting property:
Logged in: returns the favicon image
Logged out: returns the HTML of the login page
We can use this URL in an <img> tag in our website:
<img src="https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Ffavicon.ico">
This <img> tag's property:
Logged in: receives the favicon image, will load it successfully, and the onLoad callback will be fired.
Logged out: receives the HTML of the login screen, will fail to load it as an image, and the onError callback will be fired.
This leads to the final exploit:
<img onload="alert('logged in to fb')" onerror="alert('not logged in to fb')" src="https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Ffavicon.ico">
please add an option "disable favicon"