
Check if User is Logged Into ANY Site - Facebook, Google Plus, Gmail, StumbleUpon, etc

Discussion in 'Black Hat SEO' started by crazyflx, Mar 28, 2013.

  1. crazyflx

    crazyflx Elite Member

    Joined:
    Nov 9, 2009
    Messages:
    1,674
    Likes Received:
    4,825
    Location:
    http://CRAZYFLX.COM
    Home Page:
    EDIT: If before/during/after reading this thread, you have the thought "wow, this is old", please see here:
    My reply to somebody who already said that on this thread

    I've been away from BHW for a very long time, and seeing as this will be my first post since "being back", I wanted to make it a good one...a really good one. So here it is:

    I'm Going to Show You How You Can Tell if a User is Logged Into Virtually Any Site

    Before going any further and providing the demo URL, I want to note a few things:


    • This only works in FireFox, Chrome & Opera - it works in Safari, but requires separate configuration for some sites - IT DOES NOT WORK IN IE AT ALL
    • It makes use of browser behavior that should NOT be eliminated by programmers of FF, Chrome or Opera...now or really even in the future. It uses "standard" behavior, nothing out of the ordinary...it just does it in a clever fashion
    • I have not tested it in any browsers other than FireFox, Chrome, Opera & Safari (I knew it wouldn't work in IE, didn't bother trying)
    • In the demo, if you're not logged into a personal gmail account, it will assume you do not have a google plus account
    • In the demo, it will check each account sequentially, one after the other, not all of them simultaneously
    • The demo URL below will show your login status for the following sites: BHW, Amazon, Facebook, Reddit, Gmail (personal), Google Plus, Twitter, StumbleUpon & Flattr

    Demo/Example URL: http://crazyflx.com/logcheck/logintest.html
    All Source Files Can be Downloaded Here: http://crazyflx.com/logcheck/
    (virustotal not included since they are literally just text files)

    How does it work?

    In a nutshell (more detail, for those interested, is included below), it works by using JavaScript to request two different URLs on each target site. It calculates the amount of time it takes for each of the two URLs to load. If URL 1 takes longer than URL 2 to load, then you're logged in. If URL 2 takes longer than URL 1 to load, then you are not logged in. To make this example clearer, let me give a quick explanation, using facebook as an example:



    If you ARE logged into facebook, and you attempt to browse to URL 1, you will be redirected to URL 2. In addition, if you ARE logged into facebook and you attempt to browse directly to URL 2, the page just loads as it should.

    If you are NOT logged into facebook, and you attempt to browse to URL 1, the page just loads as it should. In addition, if you are NOT logged into facebook and you attempt to browse directly to URL 2, you will be redirected to URL 1.

    So in scenario 1 (logged in), loading URL 1 will take longer to load than URL 2...because URL 1 has to redirect you to another location. The additional amount of time it takes is VERY small, but it's there...and is measured in milliseconds.

    Now for More Detail

    A couple questions you might have right now, if you're a little more knowledgeable about the use of JavaScript than most, might be:


    • How can you request an external URL using JavaScript? "Same origin policy" prevents any requests to external URLs that are not on the same domain as the domain running the script.
    • What if there is just a bit of "server lag" from the target server when requesting the second URL...server lag that wasn't present for URL 1...therefore causing it to take longer to load than the first URL even though it shouldn't.

    To get around the pesky issue of "same origin policy", the script makes use of what most browsers (aside from IE) allow for...that being:

    Code:
    <script src="http://SomeRemoteURL.com/NotJavaScript/"></script>
    You CAN load an external URL using JavaScript by simply "saying" that it is a javascript file...and it works even if the remote URL is not javascript or even text...it can be anything. Then, in addition to that, we add an "onload" event that "fires" when the remote URL has finished loading. That looks like this:

    Code:
    <script src="http://SomeRemoteURL.com/NotJavaScript/" onload="DoSomething();"></script>
    Then we "start" a timer immediately before requesting the remote URL, and then the "onload" event "stops" that same timer, giving us the number of milliseconds it took to load that remote page.

    Now, browsers DO have "onload" AND "onerror" capabilities, but the problem with that is that the "onerror" only triggers on "hard" errors (like a 404 for example) and even then the target server has to be configured a certain way (this is being very, very vague, but this isn't a JS lesson). The "onerror" event is NOT triggered by a 301 or 302 redirect. This is not to mention that it is damn near impossible to find URLs that return a 404 error when logged in/not logged in. So essentially, we're using a timer to determine the status code of the URL...in a roundabout way, as it's impossible to get the actual response code.

    That answers the first question...now let's move on to the second one...about the issue of a remote URL taking a different amount of time to load, even the same URL twice.

    To get around this, we perform the same test (requesting those two URLs on the target site), a repeated number of times. In the demo I linked to above, it requests those two URLs on the target site 6 times each and records the time difference between the two each time. If out of those 6 tests, 4 or more return as "true", then you are logged in. Otherwise, you're logged out.

    You can perform the tests a fewer number of times, however the fewer times the tests are performed, the less accurate it is. 3 tests is a nice happy medium, and if 2 of the 3 times it returns as "True", then you're logged in. Using those settings I found that it was pretty reliable. In the demo, as I have it set now, it's almost 100% every time, and if it's "wrong" it only returns that you're NOT logged in, not that you are...so no harm no foul.


    What Sites Will This Work On?

    That's probably my favorite part about it...it will work on virtually any site that has an area that is for "Members only". Since we're not relying on an actual "error", but rather are simply relying on finding pages that behave DIFFERENTLY based on your login status, it opens it up to working on virtually any site, since almost every site that has a members area has pages that behave differently based on your login status.


    Feel free to ask questions, post comments, make suggestions.

    ENJOY!!!
     
    • Thanks Thanks x 11
    Last edited: Mar 29, 2013
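The browser-side trick in the post above (a cross-site `<script src>` pointed at a members-only page, timed via onload) works because the target site still receives the visitor's session cookie and runs its redirect logic. The following Node.js example is added here and is not the thread's script or any site's own code: it implements a Fetch Metadata "resource isolation policy" that refuses cross-site subresource loads before any session lookup, so a probe gets the same 403 in the same time whether or not the visitor is logged in. The Sec-Fetch-* request headers are real (current Chromium and Firefox send them); the /members and /login routes, the sid cookie and the session store are assumptions made for the demo.

```javascript
// Added example, not code from the thread: a Fetch Metadata "resource
// isolation policy" for a Node.js application. A cross-site <script src=...>
// or <img src=...> load of a members-only page arrives with
// Sec-Fetch-Site: cross-site and Sec-Fetch-Dest: script (or image); the
// policy refuses such requests before any session lookup or redirect, so the
// response is identical whether or not a session cookie is present.
// The Sec-Fetch-* headers are real browser headers; the routes, the cookie
// name "sid" and the session store below are constructed for the demo.

// Returns { allowed, reason } for one request.
function resourceIsolationPolicy(method, headers) {
  const site = headers['sec-fetch-site'];
  const mode = headers['sec-fetch-mode'];
  const dest = headers['sec-fetch-dest'];

  // Browsers without Fetch Metadata send no Sec-Fetch-Site; let other
  // defences (SameSite cookies) handle them instead of breaking them.
  if (site === undefined) {
    return { allowed: true, reason: 'no fetch metadata' };
  }

  // Same-origin, same-site and user-initiated (address bar, bookmark).
  if (site === 'same-origin' || site === 'same-site' || site === 'none') {
    return { allowed: true, reason: `site=${site}` };
  }

  // A cross-site top-level navigation with a safe method is a user following
  // a link; keep it, unless the page is being embedded via <object>/<embed>.
  if (mode === 'navigate' && (method === 'GET' || method === 'HEAD') &&
      dest !== 'object' && dest !== 'embed') {
    return { allowed: true, reason: 'cross-site navigation' };
  }

  // Any other cross-site request (<script>, <img>, fetch(), <iframe>, ...).
  return { allowed: false, reason: `cross-site ${dest || 'request'} refused` };
}

// Constructed session store: cookie value -> user name.
const SESSIONS = new Map([['sess-abc123', 'alice']]);

function currentUser(headers) {
  const match = /(?:^|;\s*)sid=([^;]+)/.exec(headers.cookie || '');
  return match ? SESSIONS.get(match[1]) || null : null;
}

// The application: /members redirects logged-out visitors to /login and
// /login redirects logged-in visitors to /members, the URL 1 / URL 2
// behaviour the thread measures. Returns { status, location, body }.
function handleRequest(method, path, headers) {
  const verdict = resourceIsolationPolicy(method, headers);
  if (!verdict.allowed) {
    // Same status, same work, same timing for every visitor.
    return { status: 403, location: null, body: verdict.reason };
  }
  const user = currentUser(headers);
  if (path === '/members') {
    return user
      ? { status: 200, location: null, body: `hello ${user}` }
      : { status: 302, location: '/login', body: '' };
  }
  if (path === '/login') {
    return user
      ? { status: 302, location: '/members', body: '' }
      : { status: 200, location: null, body: 'please log in' };
  }
  return { status: 404, location: null, body: 'not found' };
}

// Demo: the cross-site script probe from the thread, with and without a
// valid session cookie, followed by a normal same-origin visit.
function demo() {
  const scriptProbe = {
    'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'no-cors',
    'sec-fetch-dest': 'script',
  };
  const loggedIn = { ...scriptProbe, cookie: 'sid=sess-abc123' };
  const sameOrigin = {
    'sec-fetch-site': 'same-origin', 'sec-fetch-mode': 'navigate',
    'sec-fetch-dest': 'document', cookie: 'sid=sess-abc123',
  };
  console.log('probe, logged in :', handleRequest('GET', '/members', loggedIn));
  console.log('probe, logged out:', handleRequest('GET', '/members', scriptProbe));
  console.log('real visit       :', handleRequest('GET', '/members', sameOrigin));
}

if (typeof require !== 'undefined' && require.main === module) demo();
```

Run it with node; demo() prints the three cases. The policy deliberately lets requests without Sec-Fetch-Site through, so on older browsers it has to be paired with SameSite session cookies rather than relied on alone.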
  2. crazyflx

    crazyflx Elite Member

    As a matter of convenience, I've gone ahead and added some very detailed commenting to the javascript file to make it easier to understand.

    I've also gone ahead and packaged the html & javascript file and have attached it here. Even though it is just two text files (one html & one javascript), since I'm actually uploading something here, I've also VirusTotal'd the package:

    Download: View attachment logcheck.rar

    VirusTotal: https://www.virustotal.com/en/file/...5f811d2b052b8b84d1182569/analysis/1364491907/
     
  3. ComputerEngineer

    ComputerEngineer Senior Member

    yes this is also being used for finding exploits or sql injection

    but when you find they are logged in or not, how are you planning to use that info?
     
  4. vickygarg

    vickygarg Power Member

    Nice to see you back :)
     
  5. meathead1234

    meathead1234 Moderator Staff Member Moderator Premium Member

    Welcome back, Rob!
     
  6. dbyrn

    dbyrn Power Member

    Crazyflx still in good shape :).
    Nice one, however I'm still thinking how to use this kind of information. All things that come to my mind are really really black.
    One thing surprises me - is IE not capable of loading js from a remote server, or have I missed something?
    D.
     
  7. crazyflx

    crazyflx Elite Member

    More on that shortly, but there are a lot of things. Targeted clickjacking, highly targeted landing pages, grabbing the attention of a visitor by displaying a message telling them you know they are logged in at X place, and so on. Get creative ;)


    Thanks, it's nice to be back! Thanks for the welcome back too :)

    Thanks man! Happy to be back! Nice to see you!

    Haha, thanks, and yes, I'm still in good shape.

    The uses for this, as far as I'm concerned, are all pretty "blackhat" so to speak. Varying degrees of it, but all pretty blackhat. I'll have more on usage soon ;)

    IE IS capable of loading remote JS, that's not a problem. It's the use of the "onload" tag within the script tag that isn't supported...which means we can't accurately measure external URL pageload times...which is what this script is dependent upon.
     
  8. mrblackjack

    mrblackjack Jr. VIP Jr. VIP Premium Member

    this trick is pretty damn old, it was first published, I think, back in 2006 at Jeremiah Grossman blog here:
    http://jeremiahgrossman.blogspot.co.il/2006/12/i-know-if-youre-logged-in-anywhere.html

    Besides,
    You can make this method support IE as well if you use it with the onload() and onerror() JS built-in functions. Moreover, you can check against a Google Plus account and a Gmail account separately, since not everyone who has a Gmail account has a Google Plus account too.

    Besides, using onload() and onerror() will make your script faster than the current.

    You need to find a url of an image that returns a 302 onerror() and a 200 onload(). Then, if a user is logged in when trying to visit this image, the server will return 200 onload; otherwise, it will return 302 moved.

    It supports IE too - and the method is basically manipulating the HTTP response status.

    You can find more details and elaborations here:
    https://grepular.com/Abusing_HTTP_Status_Codes_to_Expose_Private_Information
    http://www.tomanthony.co.uk/blog/detect-visitor-social-networks/

    I must say though that finding whether a user is logged in or not is very useful in Clickjacking campaigns
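Both probes in this thread, the script-tag timing probe of the first post and the image 200-versus-302 probe in the post above, are cross-site subresource requests, and the defence that removes the signal for both is the session cookie's SameSite attribute. The example below is added here and is not code from the thread or from the linked articles: it models the SameSite attachment rules from RFC 6265bis in JavaScript and applies them to the two probes and to an ordinary link click. The cookie and request objects are constructed for the demo, and treating a cookie without a SameSite attribute as Lax is an assumption (it matches Chromium's default, not every browser).

```javascript
// Added example, not code from the thread: a model of the SameSite cookie
// rules (RFC 6265bis) applied to the two probes discussed in this thread:
// the cross-site <script src> timing probe and the <img> 200-vs-302 status
// probe. Neither is a top-level navigation, so a Lax or Strict session cookie
// is never attached and the server handles the probe as an anonymous request
// in both states. The cookie and request objects are constructed for the
// demo; treating a missing SameSite attribute as Lax mirrors Chromium's
// default and is an assumption here.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// cookie:  { sameSite: 'Strict' | 'Lax' | 'None' | undefined, secure: boolean }
// request: { crossSite, topLevelNavigation, method, https }
// Returns true if the browser attaches the cookie to the request.
function cookieAttached(cookie, request) {
  const sameSite = cookie.sameSite || 'Lax';   // assumption: Lax by default

  // SameSite=None is only honoured on Secure cookies; browsers reject the
  // cookie at set time otherwise, so there is nothing to attach.
  if (sameSite === 'None' && !cookie.secure) return false;

  // Secure cookies never travel over plain HTTP.
  if (cookie.secure && !request.https) return false;

  if (!request.crossSite) return true;         // same-site: always attached

  switch (sameSite) {
    case 'Strict':
      return false;                            // never on cross-site requests
    case 'Lax':
      // Only when the user navigates to the site at top level with a safe
      // method (following a link), never for <script>, <img> or fetch().
      return request.topLevelNavigation && SAFE_METHODS.has(request.method);
    case 'None':
      return true;
    default:
      throw new Error(`unknown SameSite value: ${sameSite}`);
  }
}

// What the target server sees for a probe: 'authenticated' means the
// members/login redirect logic runs with the session, 'anonymous' means the
// logged-in and logged-out visitors get exactly the same response.
function serverView(cookie, request) {
  return cookieAttached(cookie, request) ? 'authenticated' : 'anonymous';
}

// Constructed requests modelling the probes and a normal link click. At this
// level the script and image probes look identical: cross-site, not a
// navigation, GET over HTTPS.
const SCRIPT_PROBE = { crossSite: true, topLevelNavigation: false, method: 'GET', https: true };
const IMAGE_PROBE  = { crossSite: true, topLevelNavigation: false, method: 'GET', https: true };
const LINK_CLICK   = { crossSite: true, topLevelNavigation: true,  method: 'GET', https: true };

function demo() {
  for (const sameSite of ['None', 'Lax', 'Strict']) {
    const cookie = { sameSite, secure: true };
    console.log(sameSite.padEnd(6),
      'script probe:', serverView(cookie, SCRIPT_PROBE).padEnd(13),
      'image probe:', serverView(cookie, IMAGE_PROBE).padEnd(13),
      'link click:', serverView(cookie, LINK_CLICK));
  }
}

if (typeof require !== 'undefined' && require.main === module) demo();
```

With SameSite=Lax the server handles either probe as anonymous, so URL 1 and URL 2 behave identically for logged-in and logged-out visitors while a user who follows a link to the site still arrives logged in; SameSite=None keeps the probes working, which is why that setting belongs only on cookies that genuinely need cross-site use.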
     
  9. crazyflx

    crazyflx Elite Member

    I'm offended that you're saying "this trick is pretty damn old". Querying external URLs and measuring their load times to determine login status, is not only not old, but it's brand new.

    You obviously didn't even read my thread, so let me clarify.

    This doesn't even work, and isn't even remotely close to what I've described. In fact, none of the methods you've linked to are even close to what I've described, nor do any of them work on every site my example does, or are even close to as compatible on ANY site as my example is.

    Onload and onerror don't work with <script> tags in internet explorer. In addition, my example does test gmail & gplus separately. If you have a gmail account, it then checks to see if you ALSO have a gplus account. If you do not have a gmail account, it just skips checking for a gplus account. None of the examples you've linked to do that (not that that is relevant, since they aren't doing the same thing my script is doing anyway). The reason they haven't done it on any of those URLs, is because they can't...not using the method they are employing anyway.


    Yes, it would also involve it not working at all...which I guess is faster. Go ahead and try to find an image that errors when not logged in and doesn't error when you are logged in for every site in my example/demo URL....spoiler alert: you won't...not to mention if you do try looking, you'll waste HOURS of time and get absolutely nowhere.

    Not to mention that you also won't find any such image for almost any site that has a "members area" as you will using the method I've gone over here.


    • Image method = very very specific compatibility.
    • My method = compatible with almost ANY site that has a members area.


    Those methods don't rely on manipulating the HTTP status code. They rely on receiving a response of "onerror" or "onload" (which don't work at all within a script tag in IE). The thing is, onerror is only triggered (within a script tag) when there is a "Hard Error" like a 404. It is NOT triggered on things like a 301 or 302 redirect. There are MANY types of HTTP status codes, however the onerror only is triggered for a few of them. Since there is no way to actually receive the error code itself, this limits the usability of the examples you've linked to immediately, because you need to find URLs that send back a very specific HTTP response.

    My method just relies on finding two URLs that behave differently and measuring load time.

    Using the onload or onerror tags within an image (which does work in IE), as already mentioned, means a HUGE problem, since you WILL NOT find any such images for all of the sites I've gone over in my example.

    onload & onerror tags also do not work at all with <script> tags in internet explorer.
     
    Last edited: Mar 28, 2013
  10. seoactive

    seoactive Regular Member

    SUPER amazing script! Thanked!

    Will this script work on any other sites, other than the 6-7 you listed ( Facebook, Reddit, Gmail (personal), Google Plus, Twitter, StumbleUpon & Flattr)?
    EDIT: I see that you said


    How can we add more sites then? For example, what if I want to add linkedin? Thanks a million
     
  11. crazyflx

    crazyflx Elite Member

    Thanks a lot, I appreciate the compliments :)

    Yes, it will work on other sites. Just have a look at the included JS file and you'll see how it works for the existing sites.

    To get it to work for new sites, you simply need to find two URLs that match the following characteristics:

    URL 1 - Needs to take longer to load than URL 2 when you're logged into the account
    URL 2 - Needs to take longer to load than URL 1 when you're logged out of an account

    I'll be uploading/adding a small script that will allow you to easily test & determine these qualities for any site, as I see that this might be kind of confusing.
     
    • Thanks Thanks x 1
  12. crazyflx

    crazyflx Elite Member

    amazon.com login detection added.
     
    • Thanks Thanks x 1
  13. seoactive

    seoactive Regular Member

    I know you are very busy but I am still very interested in knowing if there is an easy way to add new sites etc. Please keep us updated! This is seriously some amazing stuff!
     
  14. meannn

    meannn Supreme Member

    Demos and file links are broken.