Social Network Login Status Detector Demo

Tom Anthony (@TomAnthonySEO) created this interesting demonstration of how a website you visit can easily detect which social networks you are actively logged into.  This isn’t a horrible security issue, but it is something that you should be aware of if you care about having some third party “see” which social networks you are using.

In a nutshell, what the technology does is to request that an image be loaded from Facebook, or Google, or whatever.  If the load is successful, then you are logged in to that site.  If the load fails, then you weren’t logged in and the server has redirected you to the login page instead of serving up the image.

This isn’t really a “fixable” exploit.  The obvious way to fix this would be for the servers of all the social network “targets” to always serve up image requests regardless of whether you are logged in or not.  Clearly, that won’t work, as then it would be easy to hack their image stores from an anonymous account.  As far as I can see, the only way to “fix” this would be for servers to only redirect to a login page for non-image requests, and just serve up a broken image icon of some type to mask the image when the user isn’t logged in.  Of course, the image being served up would have to masquerade as the image requested so the browser would find it difficult to detect.  Also, making such changes to servers requires that somebody on that end actually cares about this privacy issue.
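To make the mechanism and the proposed server-side fix concrete, here is an added example (not code from Tom Anthony’s demo or from this post) that models both sides in plain Node.js. It simulates what a probing page’s `<img>` element observes (`onload` versus `onerror`) when an image URL on a social site is fetched by a logged-in and a logged-out visitor, first against a server that redirects every unauthenticated request to its login page, then against a server that follows the suggestion above and answers unauthenticated *image* requests with a same-type placeholder instead. All names (`weakServer`, `hardenedServer`, `probeOutcome`, `probeSignal`), the request shape and the 1x1 GIF placeholder are assumptions made for the example.

```javascript
// Added example: models the login-status probe and the mitigation described
// in the post. Not part of the original demo; all names are hypothetical.

// Constructed placeholder: a 1x1 transparent GIF, served to logged-out image
// requests so the response is still a valid image of the requested type.
const PLACEHOLDER_GIF = Buffer.from(
  'R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7', 'base64');

function isImagePath(path) {
  return /\.(gif|png|jpe?g|webp)$/i.test(path.split('?')[0]);
}

// Normal response for an authenticated user: the real resource.
function serveAuthenticated(req) {
  return isImagePath(req.path)
    ? { status: 200, contentType: 'image/gif', body: req.imageBytes }
    : { status: 200, contentType: 'text/html', body: '<html>page</html>' };
}

// Weak behaviour: every unauthenticated request, images included, is
// redirected to the HTML login page. The redirect target is not an image,
// so the probing page's <img> fires onerror only for logged-out visitors.
function weakServer(req) {
  if (!req.authenticated) {
    return { status: 302, contentType: 'text/html', location: '/login' };
  }
  return serveAuthenticated(req);
}

// Hardened behaviour (the post's suggestion): only non-image requests are
// redirected; unauthenticated image requests get a placeholder image with
// the same status and content type a real image would have.
function hardenedServer(req) {
  if (!req.authenticated) {
    if (isImagePath(req.path)) {
      return { status: 200, contentType: 'image/gif', body: PLACEHOLDER_GIF };
    }
    return { status: 302, contentType: 'text/html', location: '/login' };
  }
  return serveAuthenticated(req);
}

// Simplified model of the browser: an <img> fires onload when the final
// response is a 200 with an image content type, and onerror otherwise
// (a redirect chain ending at an HTML login page decodes as no image).
function probeOutcome(res) {
  return res.status === 200 && res.contentType.startsWith('image/')
    ? 'onload'
    : 'onerror';
}

// Run the probe as a logged-in and a logged-out visitor against one server
// and report whether the two outcomes differ, i.e. whether status leaks.
function probeSignal(server) {
  const base = {
    path: '/photos/private.gif',              // constructed sample URL
    imageBytes: Buffer.from('GIF89a-sample'), // constructed sample image
  };
  const loggedIn = probeOutcome(server({ ...base, authenticated: true }));
  const loggedOut = probeOutcome(server({ ...base, authenticated: false }));
  return { loggedIn, loggedOut, leaks: loggedIn !== loggedOut };
}

// Stand-alone run: prints which server leaks login status to the probe.
console.log('weak server:    ', probeSignal(weakServer));
console.log('hardened server:', probeSignal(hardenedServer));
```

Against `weakServer` the probe sees `onload` for the logged-in visitor and `onerror` for the logged-out one, which is exactly the signal the demo uses; against `hardenedServer` both visitors get `onload`, so the probe learns nothing from the load event. Two caveats worth knowing as a defender: a placeholder with different dimensions than the real image can still be told apart via `naturalWidth`/`naturalHeight`, so the placeholder should mimic the requested image’s size where practical; and, independently of this server-side change, marking the session cookie `SameSite=Lax` (or `Strict`) stops browsers from attaching it to cross-site `<img>` requests at all, so the probing page always sees the logged-out response.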

I did come up with an interesting “white hat” use for this technology though… If you put it on your company intranet page, assuming employees need to be on there a lot while working, you can detect and log employees that are logged into social networking.  If you have (or think you have) content blocks in place for social websites, this can be a tool to find out who is circumventing your blocks.