Are You Logged-into Google?
Date: 2008 03 07
Category: Tech & Development
Source: ProgrammableWeb

Are you logged into Google right now? That’s the question JavaScript guru Kent Brewster set out to see if he could answer in another one of his eye-opening series of how-to-tell investigations. Earlier we looked at Kent’s hack of Netflix JavaScript (he’s also done Twitter and Facebook). This time it’s a Google service, as you can see in his post How to Tell if a User is Logged In to Google.
As the post describes, “what we’re looking for is an URL on the target domain that returns live JavaScript that is different depending on the user’s login status.” That opens the door to this tidbit of information. And it works: if you visit his page, the message below is what you’ll see when it detects your Google status:

The small source-code snippet used highlights some of the risks in client-side JavaScript, risks that mashups can inadvertently cause or exacerbate. In general, his series of tests leads to two key pieces of advice for site developers:
1. Don’t return live JavaScript that changes depending on the user’s login status. Any URL can be included as a SCRIPT tag, valid JavaScript or not.
2. Test everything! If the browser throws a different error depending on the user’s login status, you’re giving away information.

One other useful bit of developer advice from the post is that “Tamper Data is your very best friend.” It’s a Mozilla extension that lets you view and modify HTTP/HTTPS headers and POST parameters, trace and time HTTP requests and responses, and security-test web applications.