Are You Logged-into Google?

Are you logged into Google right now? That's the question JavaScript guru Kent Brewster set-out to see if he could answer in another one of his eye-opening series of how-to-tell investigations. Earlier we looked at Kent's hack of NetFlix JavaScript (he's also done Twitter and Facebook). This time it's a Google service, as you can see in his post How to Tell if a User is Logged In to Google (Update: Kent has since decided to remove these live exploits, with an explanation here):

As the post describes, "what we're looking for is an URL on the target domain that returns live JavaScript that is different depending on the user's login status." That opens the door to this tidbit of information. And it works: in his test the message below is what's if it detects your Google status:

The small source code snippet used highlights some of the risks in client-side JavaScript. Risks that mashups have the potential to inadvertently cause or exacerbate. In general, his series of tests lead to two key pieces of advice for site developers:

  • Don't return live JavaScript that changes depending on the user's login status.
  • Any URL can be included as a SCRIPT tag, valid JavaScript or not. Test everything! If the browser throws a different error depending on the user's login status, you're giving away information.

One other useful bit of developer advice from the post is that "Tamper Data is your very best friend." It's a Mozilla extension that lets you: view and modify HTTP/HTTPS headers and post parameters, trace and time http response/requests, and security test web applications.

Be sure to read the next Security article: OAuth Coming to All Google Data APIs


Comments (2)

[...] Are You Logged-into Google? That’s the question JavaScript guru Kent Brewster set-out to see if he could answer in another one of his eye-opening (tags: 2008 mes2 dia8 at_home google javascript security blog_post) [...]

[...] Google and Javascript Security So I found this post on ProgrammableWeb titled “Are you logged into Google?” and figured I would take a look (John always has interesting posts).  Apparently Kent Brewster (’Javascript Guru’) had a post on a Javascript exploit that allows one to determine if someone is logged into Google (similar to his post on how to tell if someone is logged into Netflix). Unfortunately, when I followed the link, it seems that the post is no longer there (redirected instead to a general “Patching Privacy Leaks” post.  I wonder if the Big G has anything to do with the post no longer being available? [...]