How to Tell if a User is Logged In to Netflix

Even wonder if the sites you log into on a regular basis might inadvertently let any of that information leak? If you want to see a very real, interactive example of just how prevalent this might be, just check-out JavaScript guru Kent Brewster's series on "How to Tell if a User is Logged In to X", where "X" is one of the leading online services millions of us use every day. Last week the "X" was Facebook and today "X" is Netflix. Because the examples are live and work with you and your own account they get your attention.

If you go to today's example, "How to Tell if a User is Logged In to Netflix", just like a magician, when the page loads it says "Checking your Netflix login status" and a few seconds later tells you whether or not you're also currently logged into Netflix. Which is of course probably not what you'd like to see since how should a script at be aware of your Netflix status. In his blog Kent goes into detail about how this bit of magic is achieved. His explanation and demo even account for the anticipated behavior once the bug is fixed. Very interesting to see and although just knowing if you are logged in is not as serious as having your purchase history or credit card, it's an effective way to see firsthand how vulnerable we are. Good security advice for any site owner.

javscript sample

And in case you missed it, the series kicked-off last week with "How to Tell if a User is Logged In to Facebook". With basically the same sort of very clever techniques Kent could tell if you were logged-into Facebook. Certainly effective enough that within a few days after that eye opening example was posted Facebook patched the hole.

JavaScript expert Douglas Crockford calls the language and just this sort of vulnerability 'the mashup problem' since "mashups are not safe if there is any confidential information in the page. Since virtually every page has at least some confidential information in it, this is a big problem."

What leaky service will Kent dig into next remains to be seen but if you think you might have one of these gaps in your site you might want to contact Kent soon.

Be sure to read the next Security article: Microsoft's SSL for Secure Map Mashups


Comments (3)

[...] one to determine if someone is logged into Google (similar to his post on how to tell if someone is logged into Netflix). Unfortunately, when I followed the link, it seems that the post is no longer there (redirected [...]

[...] 你现在登录到Google了吗?JavaScript 大师Kent Brewster提出的这个问题来自于其一系列让人大开眼界的How-to-tell研究。早些时候我们看到Kent的文章 hack of NetFlix JavaScript (他已经搞定了 Twitter 和 Facebook)。这次轮到了Google的头上,让我们来看看他的文章How to Tell if a User is Logged In to Google。 [...]