A UK-based web developer has figured out a simple way to tell if visitors to his site are logged in to Gmail, Facebook, Twitter, Digg and thousands of other websites.
It doesn't work when visitors are using Internet Explorer or Opera.
The exploit works by identifying the HTTP status code that's returned when the visitor's browser encounters the link in Cardwell's script. A 200 code, indicating the request was successfully fulfilled, indicates the person isn't logged in, while 404, 500 and other error codes indicate the opposite.
“This can be an awkward problem to avoid if you're developing a website,” Cardwell writes here. “Some of these requests could be stopped by doing referrer checks; reject all external referrers for content only accessible when logged in.
Detecting whether a visitor is logged in to Gmail requires a different script that generates a hidden image stored in Cardwell's mail folder that's configured to be viewable to everyone. Cardwell said he reported his finding to Google and was told it was “expected behaviour.”
“You may not care that I can tell you're logged into GMail, but would you care if I could tell you're logged into one or more porn or warez sites?” Cardwell asks rhetorically. “Perhaps http://oppressive-regime.example.org/ would like to collect a list of their users who are logged into http://controversial-website.example.com/?” ®