
Show HN: Your Social Media Fingerprint (maybe NSFW)

911 points by Capira over 8 years ago

58 comments

zerognowl over 8 years ago
This is why I use 'browser isolation', which is a way to separate different types of surfing activity into different buckets. Currently the best way to do this in Firefox is to create multiple profiles, or in Chrome, you can simply add a different user/persona.

Having one profile, or even an entire dedicated browser just for Twitter/FB ensures the login is not spilled over into other sites. If you're surfing the web heavily, I would recommend spawning a new private window so cookies and other artefacts are not bleeding into your session.

It sounds like common sense, but many people have cookies and login information persisting for years at a time in their browsing sessions. The Mozilla Firefox team are planning to introduce a feature which makes compartmented surfing sessions a lot more user-friendly by separating sessions into tabs. Currently, the 'profiles' feature of Firefox is not user friendly and requires a bit of tinkering with the filesystem.
Pxtl over 8 years ago
FYI, it's very NSFW in the back-end. Your browser is sending requests to obvious porn servers when you hit this link so it can test if you're logged in to them.
the8472 over 8 years ago
The Firefox and Tor devs are cooperating to upstream a Tor Browser feature that isolates cookie stores and similar things based on the domain shown in the URL bar [0]. Available in Nightly by enabling privacy.firstparty.isolate = true in about:config.

Additionally they're also working on a more customizable version of that called contextual identities [1], which eventually will also be manageable by extensions [2].

And of course addons that block cookies in cross-origin requests, or cross-origin requests in general, such as µMatrix [3], also plug this hole.

[0] https://bugzilla.mozilla.org/show_bug.cgi?id=1260931
[1] https://blog.mozilla.org/tanvi/2016/06/16/contextual-identities-on-the-web/
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1302697
[3] https://github.com/gorhill/uMatrix
diegorbaquero over 8 years ago
In Chrome: Settings > Privacy > Content Settings > Tick 'Block third-party cookies and site data'

Also set 'Send a "Do Not Track" request with your browsing traffic'

And install uBlock Origin, ofc.
spacemanmatt over 8 years ago
TIL YouPorn is considered social media
dorianm over 8 years ago
So, loading favicon.ico via a redirect-type parameter:

```html
<img onload="alert('logged in to fb')"
     onerror="alert('not logged in to fb')"
     src="https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Ffavicon.ico">
```
amelius over 8 years ago
Shouldn't a browser not send cookies when the request comes from a different domain? That would seem like the most sensible solution to me. Unless somebody can show a caveat, of course.
Scirra_Tom over 8 years ago
Very good demonstration, thank you.

Some interesting (and unethical) potential marketing opportunities here. For example, at the bottom of articles only show share actions for social platforms they are logged into.
denzil_correa over 8 years ago
Apparently I am not logged into anything. I tried it on Opera (along with the internal ad blocker) and I'm not using Privacy Badger.
mdesq over 8 years ago
Using uBlock Origin and Privacy Badger defaults, it only showed me as logged into Hacker News.
instakill over 8 years ago
Scary. Netflix is showing logged out though, whereas I'm actually still logged in.
cha-cho over 8 years ago
Pretty compelling information. Two observations: 1) No LinkedIn. Are they on top of the problem? 2) I had fun results with the Epic Privacy Browser.
lensi over 8 years ago
Blocking third-party cookies gives you full protection in this and other situations without any major annoyances.

Other subcomments here mention it, but every time this comes up it seems most people (including the article) aren't aware that blocking 3rd party cookies is a super easy fix and IMHO should be the default of browsers.

I've only ever had issues with this at my banking site because they use a third party to host their solution (workaround is opening the iframe). But I am now going to ask them to fix this (I guess all it requires is a subdomain pointing to the third party?).

Please help spread the message and ask troublesome web sites to fix their shit, or if I'm completely wrong, educate me and let's move things forward.
bhauer over 8 years ago
This is the first I had heard of GETs to login pages executing a redirect when the user is already logged in. I wasn't aware that so many did this.

Virtually every application I have built will render a simple response saying "You are already logged in" if you GET the login URL with an active session. As I understand the exploit, if a non-image is returned, the script assumes you are not logged in.

What value is there in redirecting a GET if you're already logged in? You redirect when the login form is submitted as a POST.
sua_3000 over 8 years ago
Can someone explain how this is NSFW? Is it because it's scraping for logins which looks suspicious?
tomvangoethem over 8 years ago
Attaching cookies to third-party requests is the source of many issues. In a similar demonstration [0], I showed that browser-based timing attacks (which can probably be considered as wont-fix as well) can be used to extract more specific information from social networks (e.g. one's political preference based on who they're following).

[0]: https://labs.tom.vg/browser-based-timing-attacks/
DanielStraight over 8 years ago
I don't know if anyone will read this at this point, but if you're going to proof-of-concept an exploit, please make that clear in the title or have an opt-in step with an explanation of what it will do, like the EFF uses on https://panopticlick.eff.org/

I do not appreciate being tricked into running your exploit proof of concept, especially when you put content in it that I otherwise would not have clicked.
morinted over 8 years ago
Nifty, with Firefox containers each one shows the "mode" I'm in. Hackernews for default container, personal has my Google world + open source + Dropbox, work has my work's Gmail world, and shopping has my Amazon account. It's like a verification that containers work!
ge96 over 8 years ago
How does this work?

I think I get the basic concept of calling redirects to various sites from the page, probably back-end like with php, CURL maybe?

I just don't get how you'd keep track of where it goes after the redirect (trying a link) since you would now be on Facebook's site, for example.
fwn over 8 years ago
Keep in mind that it doesn't show the icons at all if you're using a content blocker and have activated Fanboy's Annoyance List.

This is because the critical resource is named "/socialmedia-leak/socialmedia-leak.js".
a3n over 8 years ago
So, did I just make all those sites that I'm not logged in to aware of my IP address? And if I didn't have ad blocking, would I then be seeing ads "of interest to" people who visit those sites?
CapitalistCartr over 8 years ago
Well, it's good to see it's partly wrong for me. It shows HN correctly, but also shows me logged in to Facebook and Tumblr, not correct. And not logged in to Gmail, which I am. Still, it's a dangerous flaw.
Joof over 8 years ago
Can't get this to work. Turned off uBlock Origin, but still using HTTPS Everywhere and blocking third-party cookies (for a recently discovered attack that utilizes cookies).
throwaway049 over 8 years ago
It says I'm not logged into any of its sites. Chrome on Android 6. No special privacy measures. I am logged into a few sites in the browser, including this one.
nodesocket over 8 years ago
Couldn't this be fixed by, instead of using ?next= in the query string, storing a cookie?

For example:

```
// Protected page: remember the target in a short-lived cookie, then send to login
if (!auth) {
  setCookie('next', '/url-here', 1h);
}
redirect(login);
```

Login page action:

```
// After login: consume the saved target and clear the cookie
if (cookieExists('next')) {
  next = getCookie('next');
  deleteCookie('next');
  redirect(next);
} else {
  redirect('dashboard');
}
```
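The login flow that bhauer's comment and the one above describe, as an added example that is not code from the thread or from any of the sites discussed: the vulnerable GET handler beside a hardened one that never redirects on GET and carries the post-login target in a short-lived cookie consumed only on POST. The plain request/response objects, the cookie name and the helper names are assumptions made for the example.

```javascript
// Added example (not from the thread): a login flow on which the cross-site
// <img src="https://site/login?next=/favicon.ico"> probe learns nothing.
// Requests and responses are plain objects, so no web framework is needed.

const NEXT_COOKIE = 'next';      // hypothetical cookie name
const NEXT_MAX_AGE = 60 * 60;    // one hour, as in the comment above

function loggedIn(req) {
  return Boolean(req.session && req.session.user);
}

// Vulnerable pattern discussed above: GET /login with an active session
// redirects to ?next=, so a logged-in visitor's browser fetches the favicon
// and the probe's <img> onload fires.
function vulnerableLoginGet(req) {
  if (loggedIn(req)) {
    return { status: 302, headers: { Location: (req.query && req.query.next) || '/dashboard' } };
  }
  return { status: 200, body: 'login form' };
}

// Hardened: a GET never redirects. Logged in or not, the response is an HTML
// page, so the <img> fails to decode in both states and the probe learns nothing.
function hardenedLoginGet(req) {
  return { status: 200, body: loggedIn(req) ? 'You are already logged in' : 'login form' };
}

// Protected route: keep the return target in a short-lived cookie instead of
// the query string, then send the visitor to the login page.
function requireAuth(req) {
  if (loggedIn(req)) return { status: 200, body: 'protected page' };
  return {
    status: 302,
    headers: { Location: '/login' },
    setCookie: { name: NEXT_COOKIE, value: req.path, maxAge: NEXT_MAX_AGE, httpOnly: true },
  };
}

// Login form submission: the saved target is consumed only after a successful
// POST, and the cookie is cleared so it cannot be replayed.
function loginPost(req, credentialsOk) {
  if (!credentialsOk) return { status: 401, body: 'bad credentials' };
  const target = (req.cookies && req.cookies[NEXT_COOKIE]) || '/dashboard';
  // Accept only a same-site path so the cookie cannot become an open redirect.
  const safe = target.startsWith('/') && !target.startsWith('//') ? target : '/dashboard';
  return { status: 302, headers: { Location: safe }, clearCookie: NEXT_COOKIE };
}
```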
rosalinekarr over 8 years ago
This 'fingerprint' changes as you log in and log out of various services, so it's not very reliable for uniquely identifying users. Regardless, it could still be used to profile you and then target content accordingly. For example, if you're logged into Hacker News, you're probably a programmer and you're probably more interested in an ad for web hosting than wedding dresses, and vice versa for Pinterest.
edibleEnergy over 8 years ago
Recorded the network requests (from incognito) for fun with BugReplay (the webapp I've been building for a bit over a year) here: https://app.bugreplay.com/shared/report/acf38fbd-f2e1-41c7-9b23-4031d9317d2b
mp3geek over 8 years ago
Not sure how many false positives this will cause, but it's fixed in the Enhanced Tracking list.

https://github.com/ryanbr/fanboy-adblock/commit/2385fb0b2b2803db4424ab9eda64370123eef81e
K0nserv over 8 years ago
I have uBlock Origin in 3rd party deny mode and Privacy Badger and it still detects me as logged in to HN, Reddit, Slack and Stack Overflow.

EDIT: Following diegorbaquero's advice [0] solved it

0: https://news.ycombinator.com/item?id=12692485
alexholehouse over 8 years ago
So, interestingly, it had me logged in to Reddit, but I don't actually have a Reddit account at all. Thoughts?
bugmen0t over 8 years ago
Tracking like this does not work when you use Firefox with Containers :) See https://wiki.mozilla.org/Security/Contextual_Identity_Project/Containers
fitzwatermellow over 8 years ago
Quick fix: embed favicon in data-uri ;)
owenversteeg over 8 years ago
Hmm, weird, it correctly detected everything except for the false negatives of PayPal, Tumblr, and Spotify. Taking a look at the mechanism I have no idea why this would happen, and opening the relevant links in my browser gives the favicon as it should. Weird.
xerophyte12932 over 8 years ago
So I logged out of Facebook and tried this tool again. Apparently it still shows that I am logged into Facebook.

I tried opening different Facebook pages and it detects that I am logged out, but the tool still thinks I am logged in.

Any guesses why?
stabbles over 8 years ago
Maybe you could add this leak to your list as well: https://news.ycombinator.com/item?id=12695451
smoyer over 8 years ago
All it told me is that I'm a nerd ... So it was beaten by my wife and kids.

"You are logged in to: Github, Hacker News"

Interestingly, I have a legitimate use for the hack behind this idea.
im_dario over 8 years ago
Using Brave Browser it gets Reddit and Flickr wrong for me. I'm not even logged in to these.

On the other side, it doesn't detect Facebook. Only got Twitter right.
Retr0spectrum over 8 years ago
It would be interesting to keep track of how common each particular fingerprint is. It could potentially be used to identify an individual user.
eonw over 8 years ago
What is happening is not legal in the US and a large porn website was sued for doing it. They were printing hidden links on the page, then checking the color with JS to see if you had visited the destination URL or not. The judge didn't think it was a fair business practice. Maybe these companies are not fixing this because of this legal precedent and figured no one was doing it?
JoeAltmaier over 8 years ago
Works mostly! I'm logged into HN of course; it says I'm not. Also Steam.

It got Facebook, Gmail, YouTube, Dropbox right.

Using default browser IE 11 on Win7.
bcheung over 8 years ago
Haha, I like how you added just one porn tube site so that you can add NSFW in the title. Nice click baiting. lol
dhimes over 8 years ago
Hmm. This works in Firefox 49, but gets it quite wrong in Google Chrome 53. I'm on Linux Mint 17.2 64 bit.
kchoudhu over 8 years ago
Who the hell makes accounts on porn sites?
eriknstr over 8 years ago
> You are logged in to:
> No platform
> (or you're using something like Privacy Badger)

I'm using uMatrix and uBlock Origin :)
caoilte over 8 years ago
That's a fun website to look at through Gorhill's uMatrix plugin.
mgalka over 8 years ago
Interesting, Instagram moved the favicon image but Facebook has not.
paulddraper over 8 years ago
Doesn't seem to detect being logged in to Netflix.

Or at least not for me.
Anagmate over 8 years ago
For me, it throws several false alerts (Twitter, Flickr and a few others). Is it possible that it's caused by my browser extensions (uBlock Origin, Disconnect)?
aswanson over 8 years ago
Google is basically omniscient on a user-profile basis with years of search, Gmail, and YouTube data on users. They should just write an algorithm and let it send out job offers with no human intervention, just like search.
user5994461 over 8 years ago
Good news! It's blocked by uBlock Origin and NoScript.
eximius over 8 years ago
Hm. Doesn&#x27;t seem to work on Chrome on Android.
metastart over 8 years ago
Nothing shows up in my Epic Privacy Browser ;-D!!
chmike over 8 years ago
What would be a possible fix to this problem?
stanislavb over 8 years ago
Nice work!
cs0 over 8 years ago
Nice, so now by using this I have an NSFW site logged in my workplace's DNS log. Be careful if your employer checks such things.
EJTH over 8 years ago
Very simple and cool exploit. I wouldn't be surprised if this technique is already in use on various ad platforms. A really simple pitfall I think most of us can confess to having done in the past (redirect attributes are pretty common in the wild).
rasz_pl over 8 years ago
Is this a spoof? It is 100% WRONG for me on Vivaldi browser.

Says I'm logged in to FB and nothing more. I don't even have a bookface account, but I do have gmail/YT/github/reddit and a few others open in the adjacent tabs and fully logged in.
dimino over 8 years ago
> without your consent

Untrue. I have given my consent. Why are these privacy posts always using some kind of nefarious and negative language?