How to Tell if a User is Logged In to Netflix

Ever wonder if the sites you log into on a regular basis might inadvertently let some of that information leak? If you want to see a very real, interactive example of just how prevalent this might be, check out JavaScript guru Kent Brewster's series on "How to Tell if a User is Logged In to X", where "X" is one of the leading online services millions of us use every day. Last week the "X" was Facebook, and today "X" is Netflix. Because the examples are live and work with you and your own account, they get your attention.

If you go to today's example, "How to Tell if a User is Logged In to Netflix", the page behaves like a magician: when it loads it says "Checking your Netflix login status", and a few seconds later it tells you whether or not you're also currently logged in to Netflix. That is of course probably not what you'd like to see, since how should a script at be aware of your Netflix status? In his blog Kent goes into detail about how this bit of magic is achieved. His explanation and demo even account for the anticipated behavior once the bug is fixed. It is very interesting to see, and although merely knowing whether you are logged in is not as serious as exposing your purchase history or credit card, it's an effective way to see firsthand how vulnerable we are. It is good security advice for any site owner.

JavaScript sample

And in case you missed it, the series kicked off last week with "How to Tell if a User is Logged In to Facebook". With basically the same sort of very clever techniques, Kent could tell if you were logged into Facebook. It was certainly effective enough that within a few days of that eye-opening example being posted, Facebook patched the hole.

JavaScript expert Douglas Crockford calls just this sort of vulnerability in the language 'the mashup problem', since "mashups are not safe if there is any confidential information in the page. Since virtually every page has at least some confidential information in it, this is a big problem."

Which leaky service Kent will dig into next remains to be seen, but if you think you might have one of these gaps in your site, you might want to contact Kent soon.
