favicon.ico and redirect links as a privacy leak


Without your consent, most major web platforms leak whether you are logged in. This lets any website you visit detect which platforms you are signed up for. Since many platforms have specific demographics, an attacker could also reason about your personality.

The attack works by requesting a platform's login redirect script with the platform's own favicon (hosted on the same domain) as the target to redirect to. When you are logged in, the redirect script returns the favicon. When you are not logged in, it returns the login page instead.

Knowing this, you can set that URL as the source of an image. The image's onload or onerror handler then reveals whether the visitor is logged in, because the favicon decodes as an image and the login page does not:

<img src="https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Ffavicon.ico"
     onload="alert('logged in to fb')"
     onerror="alert('not logged in to fb')" />
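Added here as a defender's example, not code from the original post: how a redirect endpoint can be hardened so that the probe above gets the same answer in both login states, by refusing cross-site subresource requests via Fetch Metadata headers and validating the `next` target so it can never resolve to a static file. The origin https://www.example.com, the /login.php path and the constructed header sets are assumptions.

```javascript
// Added example, not code from the original post: server-side checks for a
// login redirect endpoint so that a cross-site <img> probe gets the same
// answer whether or not the visitor is logged in. Origin and path are assumed.
const ORIGIN = "https://www.example.com"; // assumed first-party origin

// Fetch Metadata resource isolation. Browsers attach Sec-Fetch-Site,
// Sec-Fetch-Mode and Sec-Fetch-Dest to requests: the <img> probe arrives as
// site=cross-site, mode=no-cors, dest=image, while a user following a link
// arrives as mode=navigate, dest=document.
function isAllowedByFetchMetadata(headers) {
  const site = headers["sec-fetch-site"];
  if (!site) return true;                 // no header: browser too old to tell
  if (site !== "cross-site") return true; // same-origin, same-site or none
  return headers["sec-fetch-mode"] === "navigate" &&
         headers["sec-fetch-dest"] === "document";
}

// Only redirect to same-origin HTML pages. Landing on favicon.ico (or any
// static file) is what makes the probe's load/error outcome depend on login.
function sanitizeNext(next) {
  let url;
  try { url = new URL(next, ORIGIN); } catch { return "/"; }
  if (url.origin !== ORIGIN) return "/";
  if (/\.(ico|png|jpe?g|gif|svg|webp|css|js|json|xml|txt)$/i.test(url.pathname)) return "/";
  return url.pathname + url.search;
}

// Simulated handler for GET /login.php?next=... (assumed path).
// Returns { status, location } describing the HTTP response.
function handleLoginRedirect(headers, loggedIn, next) {
  if (!isAllowedByFetchMetadata(headers)) {
    return { status: 403, location: null }; // same reply in both login states
  }
  if (loggedIn) return { status: 302, location: ORIGIN + sanitizeNext(next) };
  return { status: 200, location: null };   // render the login form
}

// Constructed headers: the probe from the post, and a real click on a link.
const PROBE = { "sec-fetch-site": "cross-site", "sec-fetch-mode": "no-cors", "sec-fetch-dest": "image" };
const CLICK = { "sec-fetch-site": "cross-site", "sec-fetch-mode": "navigate", "sec-fetch-dest": "document" };
const FAVICON = "https://www.example.com/favicon.ico";

console.log(handleLoginRedirect(PROBE, true, FAVICON));  // { status: 403, location: null }
console.log(handleLoginRedirect(PROBE, false, FAVICON)); // { status: 403, location: null }
console.log(handleLoginRedirect(CLICK, true, FAVICON));  // location: "https://www.example.com/"
console.log(handleLoginRedirect(CLICK, true, "/messages?tab=1")); // location keeps the HTML path
```

Browsers that send no Fetch Metadata headers pass the first check; for them, marking the session cookie SameSite=Lax gives the same protection, since the cookie is then omitted from cross-site image requests.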

Your Social Media Fingerprint →
