Several popular sites like Facebook, Google, Gmail, Youtube, Instagram, Amazon, etc. allow anyone to detect whether a visitor is logged into their website. This method can be used to understand user behaviour, profile users, and support phishing and de-anonymisation.
Here is a list of popular websites scanned on this page.
Simply put, it uses the login redirect mechanism provided by almost all popular websites: a login URL that sends an already authenticated user straight on to a "continue" URL, but shows the login page to everyone else.
An <img> tag, in this case:
<img onload="alert('logged in to gmail')" onerror="alert('not logged in to gmail')" src="https://accounts.google.com/ServiceLogin?passive=true&continue=https%3A%2F%2Fwww.google.com%2Ffavicon.ico&uilel=3&hl=en&service=mail">
Just view the source of this page to figure out how this works :-)
The above <img> tag loads only if the user is logged in to the website: for a logged-in user the login endpoint redirects to the favicon, which is a valid image, so onload fires; for a logged-out user it returns the login page instead, which is not an image, so onerror fires. Most websites have a favicon, which makes it the easiest resource to point the redirect at.
- User information on this demo is not stored or saved and is just a technology demonstrator.
- Using appropriate browser isolation (multiple browser profiles), Privacy Badger, a blocking plugin or incognito mode will stop this from happening. You can also disable third-party cookies.
- Please view the source of this page to learn more about how this works.
- Using this technique, competitors can analyse what competing services are used by an existing user or a visitor. It can also be used to target marketing tailored to the services used by the user.
- This method has been around for a while, and awareness of it could help push websites to stop leaking logged-in status. The fix for this is pretty straightforward for websites to implement.
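The fix mentioned above, as an added example that is not part of the original page or of Webdigi's demo code. It shows the server side of a login redirect endpoint hardened so that a cross-site <img> load gets the same answer whether or not a session exists. The hostnames (login.example.com, app.example.com), the cookie name and the request shape are assumptions for illustration. Three measures work together: the session cookie is set with SameSite=Lax so a cross-site image fetch never carries it; the "continue" parameter is only honoured for first-party URLs; and requests that browsers flag as cross-site subresources (via the Sec-Fetch-Site and Sec-Fetch-Dest headers) are refused outright, regardless of login state.

```javascript
// Added example (not the page's own code): a login-redirect handler that
// does not reveal logged-in status to a cross-site <img> tag.
// Assumed first-party origins for a hypothetical site.
const FIRST_PARTY_ORIGINS = new Set([
  'https://login.example.com',
  'https://app.example.com',
]);

// 1) Session cookie with SameSite=Lax. A cross-site image fetch does not
//    send it, so the server sees logged-in and logged-out visitors
//    identically for that request.
function buildSessionCookie(sessionId) {
  return `session=${encodeURIComponent(sessionId)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// 2) Only redirect to first-party HTTPS URLs; anything else (including a
//    malformed value) falls back to a fixed landing page.
function safeContinueUrl(raw, fallback = 'https://app.example.com/') {
  try {
    const url = new URL(raw);
    if (url.protocol === 'https:' && FIRST_PARTY_ORIGINS.has(url.origin)) {
      return url.href;
    }
  } catch (e) {
    // not a parseable absolute URL: use the fallback
  }
  return fallback;
}

// 3) Detect a cross-site subresource load (image, script, style, ...).
//    Browsers that send Sec-Fetch-* headers mark these; a top-level
//    navigation has Sec-Fetch-Dest: document and is still allowed.
//    Older browsers that send neither header are covered by step 1.
function isCrossSiteSubresource(headers) {
  const site = (headers['sec-fetch-site'] || '').toLowerCase();
  const dest = (headers['sec-fetch-dest'] || '').toLowerCase();
  return site === 'cross-site' && dest !== '' && dest !== 'document';
}

// req = { headers: { lowercase-name: value }, query: { continue: string },
//         session: object | null }
// Returns the response the endpoint would send: { status, headers, body }.
function handleLoginRedirect(req) {
  if (isCrossSiteSubresource(req.headers)) {
    // Identical answer with or without a session: nothing to infer.
    return { status: 403, headers: { 'Cache-Control': 'no-store' }, body: '' };
  }
  const next = safeContinueUrl(req.query.continue);
  if (req.session) {
    return { status: 302, headers: { Location: next }, body: '' };
  }
  // Not logged in: serve the login form itself rather than a redirect.
  return { status: 200, headers: { 'Content-Type': 'text/html' }, body: '<form>login</form>' };
}

// Constructed requests mirroring the <img> probe: one from a visitor with
// a session, one without. Both get the same 403.
const probe = {
  headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-dest': 'image' },
  query: { continue: 'https://app.example.com/favicon.ico' },
};
console.log(handleLoginRedirect({ ...probe, session: { user: 'alice' } }).status);
console.log(handleLoginRedirect({ ...probe, session: null }).status);
```

Note that measure 1 alone already neutralises the probe in browsers that enforce SameSite, because the session cookie is missing on the cross-site image request and the server falls through to the login form for everyone; measures 2 and 3 close the gap for older browsers and remove the open redirect that makes the favicon trick convenient in the first place.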
Webdigi is a web development agency in London. We specialise in developing bespoke web applications & unique web platforms. Over the years we have helped clients build great web applications. From time to time we publish open source tools, projects and demos like this to raise awareness and contribute back to the open source community that we rely on so much!