Paid Advertising
web application security lab

Detecting States of Authentication With Protected Images

Jeremiah Grossman and I got to talking today and he reminded me of an old conversation we had had months ago around a way to detect the state of a user who is authenticated on a site. At the time it felt very academic and I didn’t really feel like following through with it, but certain events have made me realize this is slightly more prevalent than either of us had originally thought. You can use files on sites to detect the state of a user.

The sample code is simple enough:

<IMG SRC="" onerror="alert('not authenticated')">

Let’s assume you have an image that’s inside the members directory as seen above. If the user is authenticated they can see the photo, if not, they can’t and are redirected to a page where they must authenticate. If that’s the case you can automatically detect if the user is logged in. The same holds true if the image changes to say something like “Hello, Bob!” once the user logs in. You can detect the size and use that to verify that the user is logged in.

You can take it further by looking for scripts that are hidden behind protected directories. Admittedly I’ve never seen anything like that, except in basic auth situations but I’m sure there are examples out there. But here’s where the story ends. Neither Jeremiah or I could think of anything off the tops of our heads that would allow this technique to be more prevalent. Ideas?

3 Responses to “Detecting States of Authentication With Protected Images”

  1. maluc Says:

    a neat idea, but would caching send a false positive? of people with accounts but who aren’t currently logged in.

    on a side note, i don’t think it’s possible but is there any way to tell the difference (from JS, maybe flash) in filesize of an image or even a page the client pulled. The situation being that requesting will redirect you to /login.php with a different filesize. Or when viewing an image, it returns a 302 image like: instead of a 404 to generate the onerror.

    hopefully it’s not possible, even from flash

  2. RSnake Says:

    I don’t know of a way that that’s possible. I’ve looked into a number of ways to detect the size of something inside of an iframe to no avail. (I was actually looking at it for whitehat purposes if you can believe that).

    I don’t think caching would matter unless the server told the client to cache it in a weird way. Generally the client will still request the image but will see it hasn’t changed and as a result it will not pull it again. But in this case it will have changed. I don’t know for sure though, caching is voodoo and dependent completely upon how the browser/caching proxy etc… wants to do it.

  3. erich Says:

    I was searching for a while for a method to detect, if someone is logged in on a certain site. Besides the idea you describe, there is another “classic” one: side channel attacks.

    You include an image-Tag on a site with the SRC attribute set to a page, only logged in members can see. Others will be redirected to the login page or similar. Then you set an ONERROR-handler with the IMG-tag. It will be fired every time the page you try to load is ready. If you repeat this some times and remember the time the page needed to be loaded, then you can guess with some precision, if the user is logged in to this page (short answer time) or not (long answer time, due to redirect or bigger login-page).

    You can read it here, unfortunately is it written in German.