favicon.ico and redirect links as a privacy leak


Without your consent most major web platforms leak whether you are logged in. This allows any website to detect on which platforms you’re signed up. Since there are lots of platforms with specific demographics an attacker could reason about your personality, too.

The attack works by loading in a website’s redirect script, with its favicon (hosted on the same domain) set as the page to redirect to. When logged in, the redirect script will return the favicon. When not logged in, the redirect script will return the login page.

Knowing this you can set that URL as the source of an Image. That image’s onload/onerror will then give away if one is logged in or not:

<img src="https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Ffavicon.ico"
     onload="alert('logged in to fb')"
     onerror="alert('not logged in to fb')" />

Your Social Media Fingerprint →

Published by Bramus!

Bramus is a frontend web developer from Belgium, working as a Chrome Developer Relations Engineer at Google. From the moment he discovered view-source at the age of 14 (way back in 1997), he fell in love with the web and has been tinkering with it ever since (more …)

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.