If you go to today’s example, “How to Tell if a User is Logged In to Netflix”, the page behaves like a magician: when it loads it says “Checking your Netflix login status”, and a few seconds later it tells you whether or not you are currently logged in to Netflix. That is probably not what you’d like to see, since a script at kentbrewster.com should have no way of knowing your Netflix status. In his blog Kent goes into detail about how this bit of magic is achieved. His explanation and demo even account for the anticipated behavior once the bug is fixed. It is very interesting to see, and although merely knowing that you are logged in is not as serious as exposing your purchase history or credit card, it is an effective way to see firsthand how vulnerable we are. Good security advice for any site owner.
And in case you missed it, the series kicked off last week with “How to Tell if a User is Logged In to Facebook”. Using essentially the same sort of very clever technique, Kent could tell whether you were logged in to Facebook. It was effective enough that within a few days of that eye-opening example being posted, Facebook patched the hole.
Which leaky service Kent will dig into next remains to be seen, but if you think you might have one of these gaps in your own site, you might want to contact Kent soon.