Websites Can See If You Are Logged Into A Social Networking Site
Can websites find out if you are logged into Facebook, Twitter or Google+? That's what Tom Anthony wanted to find out. If third party websites could, it could be used for different purposes, from user tracking to optimizing the websites services for the networks the user is logged in.
Facebook for instance provides an API for that that developers can use to find out if users who are connecting to their website are currently logged into the social networking site.
For Twitter and Google+, Tom had to find a different way that was cross-browser compatible as the service's Apis - or non existent API in the case of Google+ - did not allow to check a user's log in status directly.
The idea again was very simple: Request a file on those sites that require the user to be logged in to view it. A basic example of a similar principle would be a link to the upload a file page on those networks. Users who request to open these pages see a login prompt first, before they see the actual page they requested.
If you just want to see if the script can detect whether you are logged into Google+, Facebook or Twitter, visit the status detector page here.
The script works in all popular browsers, in particular Firefox, Chrome, Internet Explorer 7 and up, Safari and Opera.
The script that Tom posted is merely a tool, that can be used for legit purposes, for instance to only display social buttons for sites the user is logged in, or illegitimate purposes that breach a user's privacy or target the user in malicious ways.
Users can protect themselves from being analyzed in this way by either logging out of the services when they leave the sites, or by installing browser extensions that block third party look-ups by default.Advertisement
The status detector page could not sea that I was using Facebook and Google, so main Mozilla Firefox add-on phishing protection, is doing there/his work properly.
By the way how to do this I have learned on Ghacks.net.
Out of curiosity, Martin, since I presume that is your screenshot,
is NoScript which I know you use not preventing being seen
or have you allowed Google and GooglePlus?
I allowed the connections, that’s why it is showing it. It would have otherwise blocked the connections.
Thanks. I thought that was probably the case.
Google is not able to evade everything just yet.
And, even though we set our settings in privacy mode, it is easy to crack our informations, right?
Websites like netfix pay to sites like FB and get the users personal info and without accessing the permission from the users.