Detecting States of Authentication With Protected Images
Jeremiah Grossman and I got to talking today and he reminded me of an old conversation we had had months ago around a way to detect the state of a user who is authenticated on a site. At the time it felt very academic and I didn’t really feel like following through with it, but certain events have made me realize this is slightly more prevalent than either of us had originally thought. You can use files on sites to detect the state of a user.
The sample code is simple enough:
<IMG SRC="http://somesite.com/members/protected.jpg" onerror="alert('not authenticated')">
Let’s assume you have an image inside the members directory, as above. If the user is authenticated they can see the photo; if not, they can’t and are redirected to a page where they must authenticate. In that case you can automatically detect whether the user is logged in. The same holds true if the image changes to say something like “Hello, Bob!” once the user logs in: you can detect the image’s size (its width and height) and use that to verify that the user is logged in.
You can take it further by looking for scripts that are hidden behind protected directories. Admittedly I’ve never seen anything like that, except in basic auth situations, but I’m sure there are examples out there. But here’s where the story ends. Neither Jeremiah nor I could think of anything off the tops of our heads that would allow this technique to be more prevalent. Ideas?
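As an added example that is not part of the original post, the following model shows why a cross-site <IMG> tag can tell a logged-in user from a logged-out one, and why a SameSite session cookie or a server that refuses cross-site embeds (via Sec-Fetch-Site and Cross-Origin-Resource-Policy) makes the observable answer the same for both. The path /members/protected.jpg, the cookie name "session" and the /login redirect are constructed assumptions.

```python
# Model of the login-state leak through a protected image, and of two
# mitigations. Constructed assumptions: protected resource at
# /members/protected.jpg, session cookie "session", redirect to /login.
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    content_type: str = "text/html"
    headers: dict = field(default_factory=dict)


def naive_server(path, cookies, sec_fetch_site):
    """Behaviour described in the post: image for members, redirect otherwise."""
    if cookies.get("session") == "valid":
        return Response(200, "image/jpeg")
    return Response(302, headers={"Location": "/login"})


def hardened_server(path, cookies, sec_fetch_site):
    """Refuse cross-site embeds (Sec-Fetch-Site is sent by modern browsers)
    and mark the response same-origin only (CORP), so what a third-party
    page can observe no longer depends on the session."""
    if sec_fetch_site not in ("same-origin", "none"):
        return Response(403, headers={"Cross-Origin-Resource-Policy": "same-origin"})
    resp = naive_server(path, cookies, sec_fetch_site)
    resp.headers["Cross-Origin-Resource-Policy"] = "same-origin"
    return resp


def cross_site_img_probe(server, jar, cookie_samesite=None):
    """What an <img src=...> on a third-party origin can observe: 'onload'
    if an image decodes, 'onerror' otherwise. `jar` is the visitor's cookie
    jar for the target site; SameSite=Lax/Strict cookies are not attached to
    a cross-site subresource request, so the server never sees them."""
    sent = {} if cookie_samesite in ("Lax", "Strict") else dict(jar)
    resp = server("/members/protected.jpg", sent, "cross-site")
    if resp.headers.get("Cross-Origin-Resource-Policy") == "same-origin":
        return "onerror"  # browser blocks the response before the page sees it
    is_image = resp.status == 200 and resp.content_type.startswith("image/")
    return "onload" if is_image else "onerror"


def leaks_login_state(server, cookie_samesite=None):
    """True when the probe distinguishes a logged-in visitor from a logged-out one."""
    logged_in = cross_site_img_probe(server, {"session": "valid"}, cookie_samesite)
    logged_out = cross_site_img_probe(server, {}, cookie_samesite)
    return logged_in != logged_out
```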

November 9th, 2006 at 12:37 am
A neat idea, but would caching send a false positive for people with accounts who aren’t currently logged in?
On a side note, I don’t think it’s possible, but is there any way to tell the difference (from JS, maybe Flash) in the file size of an image or even a page the client pulled? The situation being that requesting site.com/members.php will redirect you to /login.php with a different file size. Or, when viewing an image, it returns a 302 image like http://static.flickr.com/119/1_nonexistant.jpg instead of a 404 to generate the onerror.
Hopefully it’s not possible, even from Flash.
November 9th, 2006 at 9:45 am
I don’t know of a way that’s possible. I’ve looked into a number of ways to detect the size of something inside of an iframe, to no avail. (I was actually looking at it for whitehat purposes, if you can believe that.)
I don’t think caching would matter unless the server told the client to cache it in a weird way. Generally the client will still request the image but will see it hasn’t changed and as a result will not pull it again. But in this case it will have changed. I don’t know for sure though; caching is voodoo and depends completely upon how the browser, caching proxy, etc. wants to do it.