Design Shrine Style Interiors & Web Design Resources


Are You Logged-into Google?

Article or RSS item submitted by Ty Wenzel • Mar 14th, 2008 • Category: Web 2.0 | API | Mashups | 18 views

Are you logged into Google right now? That’s the question JavaScript guru Kent Brewster set out to answer in another of his eye-opening how-to-tell investigations. Earlier we looked at Kent’s hack of Netflix JavaScript (he’s also done Twitter and Facebook). This time it’s a Google service, as you can see in his post How to Tell if a User is Logged In to Google. (Update: Kent has since decided to remove these live exploits and has posted an explanation.)

As the post describes, “what we’re looking for is an URL on the target domain that returns live JavaScript that is different depending on the user’s login status.” That opens the door to this tidbit of information. And it works: his test displays a message when it detects your Google login status.

The small source code snippet he used highlights some of the risks in client-side JavaScript, risks that mashups have the potential to inadvertently cause or exacerbate. In general, his series of tests leads to two key pieces of advice for site developers:

  • Don’t return live JavaScript that changes depending on the user’s login status.
  • Any URL can be included as a SCRIPT tag, valid JavaScript or not. Test everything! If the browser throws a different error depending on the user’s login status, you’re giving away information.
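One way to apply the "test everything" advice to your own site, as an added example that is not from Kent's post or this article: record each URL's final response once without a session and once with one, then flag any URL where a SCRIPT include would behave differently. The endpoint paths, response records and function names are constructed for illustration, and the browser's MIME handling is simplified to the `X-Content-Type-Options: nosniff` case.

```javascript
// Added example: audit recorded responses from your OWN site for login-state
// leaks via <script> includes. All names and sample data are constructed.

// How a <script src> include of this (final, post-redirect) response behaves.
function scriptOutcome(res) {
  if (res.status < 200 || res.status >= 300) return 'load-error'; // script fetch fails
  const isJs = /(java|ecma)script/i.test(res.contentType || '');
  if (res.nosniff && !isJs) return 'blocked';   // refused by the MIME type check
  try {
    new Function(res.body);   // compiles only; the body is never executed
    return 'runs';
  } catch (e) {
    return 'syntax-error';    // not valid JavaScript: the browser raises an error
  }
}

// Compare the anonymous and authenticated responses for one URL.
function auditEndpoint(url, anon, authed) {
  const a = scriptOutcome(anon), b = scriptOutcome(authed);
  if (a !== b) return { url, leak: true, reason: `outcome differs: ${a} vs ${b}` };
  if (a === 'runs' && anon.body !== authed.body)
    return { url, leak: true, reason: 'live JavaScript differs by login state' };
  return { url, leak: false, reason: `same outcome (${a})` };
}

// Constructed sample recordings (hypothetical paths).
const samples = [
  { url: '/js/user-prefs.js',   // live JavaScript that changes with login
    anon:   { status: 200, contentType: 'text/javascript', body: 'var user = null;' },
    authed: { status: 200, contentType: 'text/javascript', body: 'var user = {"id":1};' } },
  { url: '/account/settings',   // not JavaScript, but the error differs
    anon:   { status: 403, contentType: 'text/html', body: '<html>Sign in</html>' },
    authed: { status: 200, contentType: 'text/html', body: '<html>Settings</html>' } },
  { url: '/api/profile',        // JSON served with nosniff: blocked either way
    anon:   { status: 200, contentType: 'application/json', nosniff: true, body: '{}' },
    authed: { status: 200, contentType: 'application/json', nosniff: true, body: '{"id":1}' } },
  { url: '/js/app.js',          // static script, identical for everyone
    anon:   { status: 200, contentType: 'text/javascript', body: 'var v = 1;' },
    authed: { status: 200, contentType: 'text/javascript', body: 'var v = 1;' } },
];

function auditAll(list) {
  return list.map(s => auditEndpoint(s.url, s.anon, s.authed));
}

console.log(auditAll(samples).filter(r => r.leak));
```

The first two sample URLs are flagged, one for each piece of advice in the list above; the last two behave identically regardless of login state and pass.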

One other useful bit of developer advice from the post is that “Tamper Data is your very best friend.” It’s a Mozilla extension that lets you view and modify HTTP/HTTPS headers and POST parameters, trace and time HTTP requests and responses, and security-test web applications.
