How Safe is Gmail, Twitter and Facebook? Is HTTPS Safe? We Show You How It Isn’t
By on January 27th, 2011

Hey, isn’t HTTPS the most safe and secure way to access a website? Not exactly, here is where we show how people can use a simple method to crack , and .


So you think you can’t be hacked? Well, think again, you can be hacked using a simple image and JavaScript on a secure HTTPS. Before I go ahead on this, watch a video below created by our author Amit Banerjee which shows you how vulnerable you are on the Internet.

As you can see from the above video, it is very easy for anyone to know when you are logged into Gmail, Twitter and Facebook without having to place any suspicious code on your PC. All you need to do is visit a website to check whether or not you are logged in on these sites. Your information can be tracked, no matter whether it uses HTTPS or not and whether you visit the website or not.

This is basically very scary because this is a cross-platform hack and is done through an image which is hosted by these services. Though I do know how this is done, I don’t have any solutions to negate this problem right now, but I am really trying to figure one out. Till then there is nothing you can do about it. Fun right?

I have reached out to Gmail, Facebook and Twitter about this and am awaiting a response. Will update this post once I get one. Till then, you are not safe on the internet.

The hack basically uses the HTTP status code to find out whether you are logged in or not into these services. Since these images are hosted on Gmail, Twitter and Facebook a user basically has to log in to view them, so it becomes easy to figure out when you are logged in or not. If you are curious to see this in action, visit this page.
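A defender-side model of the status-code leak described above, with one way to make the response independent of the visitor's session. This is an added example, not code from the original post; the handler names, the sample requests and the use of the Sec-Fetch-Site request header are assumptions.

```javascript
// Added example. Requests and responses are constructed samples.

// What a page on another origin learns from embedding a URL as an image:
// only whether the image loaded or failed. `resp` is the final response
// after any redirect to a login page.
function imgOutcome(resp) {
  const ok = resp.status >= 200 && resp.status < 300;
  return ok && /^image\//.test(resp.contentType || "") ? "load" : "error";
}

// Pattern described in the post: the image is served only to signed-in users.
function leakyHandler(req) {
  if (!req.session) return { status: 403, contentType: "text/html" };
  return { status: 200, contentType: "image/png" };
}

// Hardened variant (assumption: the browser sends the Fetch Metadata header
// Sec-Fetch-Site). Cross-site requests are answered as if anonymous, so the
// status no longer depends on the visitor's session.
function hardenedHandler(req) {
  const crossSite = req.headers["sec-fetch-site"] === "cross-site";
  return leakyHandler({ ...req, session: crossSite ? null : req.session });
}

// Audit helper: does a cross-site image embed see a different outcome for a
// signed-in visitor than for a signed-out one?
function leaksLoginState(handler) {
  const headers = { "sec-fetch-site": "cross-site", "sec-fetch-dest": "image" };
  const signedIn = imgOutcome(handler({ headers, session: { user: "alice" } }));
  const signedOut = imgOutcome(handler({ headers, session: null }));
  return signedIn !== signedOut;
}

console.log("leaky handler leaks login state:", leaksLoginState(leakyHandler));
console.log("hardened handler leaks login state:", leaksLoginState(hardenedHandler));
```

The same audit can be pointed at any handler that gates a static resource on a session: if the two outcomes differ for a cross-site request, the resource reveals login state.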

For more information, check out Hack A Day on how HTTP Status codes can be abused.

(Video and most of the reporting done by Amit Banerjee)

Author: Keith Dsouza
I am the editor-in-chief and owner of Techie Buzz. I love coding and have contributed to several open source projects in the past. You can know more about me and my projects by visiting my Personal Website. I am also a social networking enthusiast and can be found active on twitter, you can follow Keith on twitter @keithdsouza. You can click on my name to visit my Google+ profile.

Keith Dsouza has written and can be contacted at keith@techie-buzz.com.
  • http://www.webguide4u.com Vivek Parmar

    Maybe at some point we are safe, but we could not admit that we are totally safe, as many pretty smart guys are working around to steal our information, and we are only safe by regularly changing our password??

  • http://blog.ashfame.com Ashfame

    Hey Keith,

    What’s the harm if someone can actually track whether we are logged in or not? He can’t do anything more than that.
    Is there any security issue I am overlooking?

  • http://www.gadgetcage.com Siddartha @ GadgetCage

    Scary, that they were able to track our sessions!

    Thanks for sharing.

    and I will be waiting for the solution as well.

    Thanks a lot Keith!

  • Venkatesh

    One probable solution is to – not send different status codes for the different cases (i.e. instead of browser redirect or failure, they should start doing redirect on server side).

 