It's not very hard to do. The trick is to know a resource that only the user can access and then trigger an HTTP request to it.
For instance if you have website a and say the user profile "mitsuhiko" can only be edited when you are logged in as "mitsuhiko" on http://a.example.com/profile/edit/mitsuhiko you could use this code to see if the logged in user is "mitsuhiko":
Why does this work? Because onload is fired if the resource answers with 200 OK, not if it's a valid script. onerror is called for any other error code.
So if you know what you are probing for: easy.
// Edit: Yes, this is most likely not what Facebook is doing if that's their only method of security. However see my reply to the first comment here about the security aspect for a possible way to solve this problem.
Except something like this would be easily spoofable, ie. you could set your hosts file to make all a.example.com links return HTTP 200's, or open firebug to call user_is_logged_in() and you could reset passwords without any email.
Also, for something like that you should use <img> instead so it's less of an XSS risk.
> Except something like this would be easily spoofable, ie. you could set your hosts file to make all a.example.com links return HTTP 200's, or open firebug to call user_is_logged_in() and you could reset passwords without any email.
Yes. But depending on how gmail works it could me made reliable and secure. For instance if you can share images with gmail users you could generate a unique image for that user, do the same thing with an <img> tag, access the image data with JavaScript, send it back to the server and compare if the contents are the one you shared.
I do not have a gmail account so I don't know if this is possible, it it seems like it would be possible for Google+ from briefly looking at it.
I deleted my other question about how FB can know that the image is not a fake. My finger hit the wrong button ;) I'll answer here. Your idea can be done, but I don't see the advantage it would have over other methods.
The service would need to send out the Cross Origin Resource Sharing headers in order for the image to be accessible via <canvas> and the service also needs a means for the querying server to test if a certain image is indeed the one associated with the user.
And if it was an image generated by Facebook, then Facebook must have access to the account beforehand, and there's no benefit to using this system over OAuth.
> The service would need to send out the Cross Origin Resource Sharing headers in order for the image to be accessible via <canvas> and the service also needs a means for the querying server to test if a certain image is indeed the one associated with the user.
Only facebook knows the image it generated. Since that image is only shared with that one mail address you won't be able to spoof it unless you control that mail address.
That's not a secure method. Because it's browser based it can be faked with a proxy or simply modifying the local hostname file and map the domain to a server you control.
For instance if you have website a and say the user profile "mitsuhiko" can only be edited when you are logged in as "mitsuhiko" on http://a.example.com/profile/edit/mitsuhiko you could use this code to see if the logged in user is "mitsuhiko":
Why does this work? Because onload is fired if the resource answers with 200 OK, not if it's a valid script. onerror is called for any other error code.So if you know what you are probing for: easy.
// Edit: Yes, this is most likely not what Facebook is doing if that's their only method of security. However see my reply to the first comment here about the security aspect for a possible way to solve this problem.