This is why I use 'browser isolation', which is a way to separate different types of surfing activity into different buckets. Currently the best way to do this in Firefox is to create multiple profiles, or in Chrome, you can simply add a different user/persona.
Having one profile, or even an entire dedicated browser just for Twitter/FB ensures the login is not spilled over into other sites. If you're surfing the web heavily, I would recommend spawning a new private window so cookies, and other artefacts are not bleeding into your session.
It sounds like common sense, but many people have cookies and login information persisting for years at a time in their browsing sessions. The Mozilla Firefox team are planning to introduce a feature which makes compartmented surfing sessions a lot more user-friendly by separating sessions into tabs. Currently, the 'profiles' feature of Firefox is not user friendly and requires a bit of tinkering with the filesystem.
At risk of being depressing, it's worth knowing that a dedicated profiler can reconcile accounts across all of the protections you've mentioned - not just as a targeted attack, but algorithmically.
There are a lot of fingerprinting tricks which transcend cookie restrictions and user profiles. The battery percent/value one will reconcile all accounts on one device (as will several others like fonts). If you log into one bucket on multiple devices, it becomes possible to traverse devices and reconcile one-device profiles via the shared profile. If I were truly paranoid, I would only trust "separation" if it involved a clean account on a clean device on a clean network.
None of which is to say that you shouldn't do this! I do lots of privacy things which aren't bulletproof, and I think other people should also. Fighting common tracking structures is still progress, and tools like bucketing and Privacy Badger are great ways to do this.
It's just also worth noting that dedicated profiling will break all but the most pathological defensive measures.
What about virtualization? It seems to me that something like Qubes might not at present protect against this (I don't know what information is available to guest/isolated domains on that system), but could be made to? One can easily lie to a browser about battery status and fonts from the OS too, for example.
I guess my point is that it depends on what you view as pathological? I surmise that this is the kind of thing that needs an algorithmic countermeasure, such that systematic deception by user agents is no more difficult for the end user than browsing the web is currently.
It's very difficult to prevent side channel thumbprints—something as simple as traceroutes, wifi hotspots, caches (DNS, routing) can be uniquely identifiable. Add on top of this biometrics like how you type, how you move your mouse, etc, and it becomes very difficult to avoid concerted tracking efforts.
Of course, if you're not pissing off state actors, you're probably fine with qubes/tails.
if you're not pissing off state actors, you're probably fine
Thank you, this seems to be a point that is often ignored. Most of us don't need to hide our trail from a full wing of CIA analysts, just drive-by snooping and the like. (It of course doesn't help the Snowdens of the world)
I usually prefer to think of the middle case: someone with a grudge against me, who would love to blackmail me if they could get the dirt, and who has money to hire some blackhats and buy some zero-days and set up spear-phishing—but who doesn't actually have any access to the things that states get by default by sending fancy letters with Important Signatures.
It's interesting to work through the case of an absurdly rich private actor, because it works out differently for different companies; for some, they can just get a "man on the inside" to leak out your data easily enough, while for others (e.g. Gmail) the employees themselves aren't trusted to access user data, and have been firewalled/ACLed away from it to prevent just such intrusions. State actors get pretty much the same "help" from every service (save for the rare Lavabits of the world) but corporate actors get a rather unpredictable response landscape.
Presuming you are being pursued by a state actor, isn't using a computer at a library or Internet cafe enough to thwart most of that? Especially if you're using asynchronous store-and-forward protocols like NNTP or Freenet, where you can be long-gone from wherever the computer you used was, before anyone else ever sees "your" activity.
I remember at least one security expert commenting that if he ran an actual attack, his precautions would be "sitting in a computer lab using a stolen library card". Physical anonymity is by far the best cure for some of these things.
Qubes VMs cannot get the battery state. Assuming that the user didn't install custom fonts, the font list should be the same across all the installs.
I think Qubes closes most of the low hanging fruit in this space, but completely preventing fingerprinting is very hard and there are probably ways to leak identifying info.
Indeed, you can take this a step further and assign each bucket its own VPN, with JS turned off to minimize fingerprintability. You can even set up multiple virtual machines with multiple screen resolutions on each to further divide up your sessions, making your surfing modified beyond recognition. It might take a weekend or two to wrap your head around VMs and VPNs, but it's worth it.
Also, if you're paranoid about your VPN provider spying on you, you can install HTTP nowhere: https://addons.mozilla.org/en-US/firefox/addon/http-nowhere/ to further compartmentalize the risk of spying. DNS, however is tricky to obfuscate, so I would recommend surfing under broad and generic domains, like TWITTER.com and places like REDDIT.com which often scrape and proxy the content from other sites so you don't need to visit those sites explicitly.
Not necessarily. The amount of bits needed to fingerprint somebody is substantially lowered doing this, and although you stand out by taking extra steps like this, it's substantially better than a large portion of the configurations you do see.
Of course if your threat model is such that nation states are targeting you, either passively, or actively, then TOR is fitting in most cases, but TOR can prove to be overkill in most cases.
For example, if I'm surfing a website which blocks TOR, I can use a JonDoFox[1] profile to visit a website with a VPN, and achieve better-than-most anonymity for my needs, albeit not as rigorous as what TOR provides, but at least my connection has rudimentary protection from passive eavesdropping.
Keep in mind, VPNs are a countermeasure only and do not provide perfect privacy, but you can lessen the information gathered using the techniques I outlined. Surf under generic domains, and block traffic downloaded en clair.
The problem is that even if the number of bits in the fingerprint shrinks, you're also lowering the selection size.
It's a tradeoff, you can overdo it and certainly end up less anonymous than before.
A bigger fingerprint might make it easier to identify you but if there are more fingerprints, there might also be more fingerprints that are exactly the same, thus being drowned by the mass.
Be sure to use a common window size, though. If you pick a nice size with your mouse (as I always do), your window size is almost certainly unique when paired with just a few more bits of info.
This page didn't, because it only profiles third party cookies - that is, your browser explicitly admitting which sites you're logged into. Privacy Badger, Disconnect, or uBlock will all handle that, as will simply disabling the browser setting.
That was pretty much my point: this is a "nice" profile. One that targets unintentionally identifying image like browser window dimensions can easily track you despite all of those precautions.
What I really want is something like this and it opening containers automatically based on url sets.
So going to facebook would go to the facebook set automatically and isolate facebook. But I don't have to manually open the "facebook profile" to do the switch. Same with twitter, amazon, google*, youtube, apple, etc.
If you have multiple accounts, you can have the interface pop up a "choose your subcontainer" automatically with the new google container or whatever. All browsing in that container would then stay in that subcontainer until you close it.
Yeah, as long as it only activates that container based on typing in facebook or going to a bookmark, not just any random site hitting that URL. Which would then probably break following links to those sites - could you trigger it based on a normal navigation to that domain, but not based on some other site trying to fetch an image from it out of the blue?
For anyone wanting to do this, the profile and no-remote command line options[1] may be useful if you want to create shortcuts to launch specific profiles.
You might also want to consider using a different theme[2] in each profile to help avoid mixing them up if you're running multiple instances simultaneously.
My initial use case for this was adding the Let's Encrypt staging certificate authority to the trusted root certificate authorities in a profile only used for testing.
Slightly easier way is to use the Disconnect/Privacy Badger extensions, along with uBlock Origin. It does a lot to prevent cookies from leaking across sites.
If you're still worried, I'd take the time to learn and use uMatrix (https://github.com/gorhill/uMatrix) in addition to uBlock. For me, uMatrix has replaced Privacy Badger and other similar addons because they're no longer needed. It requires a bit more effort to maintain though.
Great advice. I use Chrome for Google, twitter, and Facebook, and another browser for everything else. This isn't quite as good as your approach, but gives me some web platforms isolation.
Therein lies the problem: all those Facebook widgets on various 3rd party websites are used to track you. If you block FB's network ranges then it gets much harder for them to do that.
In effect you are "using" Facebook whether you want to or not; this is the issue some people have with shadow FB profiles.
Shouldn't disabling 3rd party cookies also prevent this kind of attack? The request for the facebook/twitter favicon is being made from a non-FB/TW page and so the login cookie won't be sent.
This would depend upon how the browser implements its 3rd party cookie blocking. If it only blocks setting cookies, but still allows existing cookies to be sent, then there would be no protection.
I've had a fantasy of not just using different browser profiles (effectively) for each site, but routing requests for each site through a different personally-run cloud-hosted proxy.
Someday maybe I'll get around to setting it up. Maybe.
Or you can enable basic privacy settings on about:config, NoScript, etc. I get "No platform" both on my phone and Desktop (though I don't have any social networks, I created a Facebook account to test).
Firefox Nightly has container tabs available right now and they are fantastic! Only thing missing is a shortcut / better way to open a different type of container tab.
Lately I've been using Opera Incognito with free builtin VPN for all general browsing and I highly recommend it. (I use Chrome to stay logged in to email).
FYI, it's very NSFW in the back-end. Your browser is sending requests to obvious porn servers when you hit this link so it can test if you're logged in to them.
This one actually works for me! The other said that I was using Privacy Badger since it couldn't detect anything. I'm not, but I am using uBlock Origin. This one is only wrong about a couple (it doesn't register, for example, that I am logged in to G+, Khan Academy, Steam, Amazon, PayPal, or Skype).
I actually had several of the extra filters enabled already, but only once I added "Fanboy's Enhanced Tracking List"[0] did uBlock Origin successfully block this technique. I'm not sure whether any of the other filters would accomplish the same result.
After enabling this filter, 0942v8653's version also failed.
Thanks for the SFW version. Nice to see that uMatrix is doing its job quite well and as expected.
FWIW, Spotify doesn't seem to get recognized properly. I am definitely logged in and it should show up when all my browser protections are disabled. HN showed up when I disabled everything, but not Spotify.
Yeah, that would've been nice to know ahead of time. Why not, for example, trigger the test when someone clicks a button, rather than taking someone's page visit as permission to try lighting up their organization's content filter?
I think it helps in conveying the fact that it is a vulnerability not a feature.
So any website (even your own company's internal one) can check stuff like this. And you can't do anything about it. Other than always using private browsing for anything you don't want your company/anyone else to know about.
I mean, if somebody is logged into YouPorn from work, that's not a problem I expect the developer of a tool like this to solve. What I expect the developer of a tool like this to do is not create problems by just arbitrarily making HTTP requests to porn sites without a prompt or a chance to opt out. That's a dick move.
When I first read that it was making these requests here in the comments, my reaction was similar. But then upon reflection, I don't think there's a problem for the author here. Why? Because all I did was click the link. Meaning if I was behind a corporate firewall or the like, this sort of thing could be happening all the time and unless I was always tracing requests in my browser or via MITM or logging DNS, I'd have no way of knowing.
Personally I view this as a browser and/or protocol issue (the kind that has trickled down from the origins of the web) and really can't fault the author for it. In fact I think it's appropriate the author left these requests in as it reflects an actual attack scenario better perhaps.
The point I'm making is that it's not necessary to hit a porn site in order to get the point across, and there are HN users whose organizations observe and don't care for that kind of thing.
Then how can such organizations handle other people randomly putting references to porn sites on their websites? With today's Internet being what it is, you can't assume that a request to YouPorn means someone is browsing porn at work. For all you know, the request could have been sent by an ad.
Then again, businesses in general aren't exactly paragons of intelligence either, so I wouldn't be surprised if someone made a fuss about it...
I believe using private browsing wouldn't matter. The IP I'm browsing from is still going to try pinging all those porn servers, and that's what's getting logged in the filter, not my browser history.
In my second paragraph, I was actually talking about your company sending such requests to know what you are logged into. Doesn't matter if you're using it right now. If you're logged in from days before, your cookies will be there. In incognito they won't be.
What a surprising problem. If the boss mistakenly accuses you of watching porn - why not explain why they're wrong and show them the site? If they won't accept that, then it means you're in danger with any web surfing you do at work and should already not be clicking random links. It's not the site's fault, it's your company's fault and your own for not protecting yourself against breaking their rules.
Personally, the idea that there's a network my traffic flows over, where that traffic is sniffed such that its content could potentially result in things like me losing my job, is just debilitating to me.
If I worked for such a company, all my traffic would be flowing over a VPN, full-stop.
Pretty standard in any reasonably secure financial services org.
All direct Internet access is blocked and prohibited, with all attempts to access the Internet (tcp/80, tcp/443) transparently proxied via Bluecoat/Websense/Forcepoint/etc proxies, which filter based on URL categorisation. WSS generally doesn't work in this kind of environment. Everything else is dropped.
Any attempt to bypass filtering is a violation of IT policy and is sackable. Visiting sites that are blocked gets logged, and doesn't generally get flagged up unless it is a daily occurrence, and the first assumption is usually malware.
Source: Worked for several such companies, was responsible for perimeter security in some.
The firefox and tor devs are cooperating to upstream a tor browser feature that isolates cookie stores and similar things based on the domain shown in the URL bar[0]. Available in nightly by enabling privacy.firstparty.isolate = true in about:config.
Additionally they're also working on a more customizable version of that called contextual identities[1], which eventually will also be manageable by extensions[2].
And of course addons that block cookies in cross-origin requests or cross origin requests in general such as µmatrix[3] also plug this hole.
As somebody who tried to build code respecting "Do Not Track" preferences, I have to say that feature, while well-intended, is a complete farce.
Chrome, Safari, Firefox, IE9, IE10, and IE11 all use different APIs for Do Not Track [1], so a front-end developer has to do a lot of extra leg work to check if the user has the preference set.
I find it highly unlikely that most companies would go through the effort of respecting Do Not Track.
The main behaviour is to add the DNT: 1 HTTP header. The JavaScript APIs are just a bonus to perhaps avoid sending unnecessary information. (But yes, it’s still a silly feature, because having to go out of your way at all to respect DNT isn’t really worth it.)
3rd party cookies should be disabled by default in all browsers. It significantly improves your privacy with minimal impact.
After many years of blocking 3rd party cookies the only thing that's broken for me is my bank's bill pay system, which is an iframe of a 3rd party service.
At a minimum, though, please block third-party cookies and site data.
I have pretty minimal customizations and plugins on browsers—very few plugins, no ad-blocking, no security or privacy enhancements.
I've had third-party cookies blocked for a long time now and there aren't any sites or logins that break down with them disabled (that I've encountered).
On the plus side, though, you don't have to worry about this crap. I'm logged into several of these sites and none of them show as leaked.
It was proposed that DNT be the default, but then ad companies said if that were the case, then they would just ignore the header. They want users to explicitly opt out of tracking otherwise they will assume they agree to being tracked.
Keep in mind, uBlock Origin does not block social media widgets by default, and you have to enable it in settings. Widgets like Facebook like buttons, and Tweet buttons have to be blocked manually.
Checking the box to block 3rd party cookies is great advice, but I would not tell my Mom or any other casual user to do it. Why? You wind up with a lot of very weird, hard-to-track down bugs in web pages. I've seen failures in OAUTH and SSO pages, buttons that don't click, etc. Things you might not expect to break, break. And it's hard to track it back to that checkbox.
I suppose the "block third-party cookies and site data" must be why this is mostly broken at home (doesn't show logins to 5-6 sites that I'm logged in to), but works properly at work (didn't bother to set that option there). Never toyed with exactly what the "site data" part means, though.
+1, very interesting case: a company never located on US soil is being sued in California for something of peanut size compared to what Facebook does.
I know a bit off topic but I can't find how this case ended. Anyone with better Google skills??
So, loading favicon.ico via a redirect-type parameter:
<img onload="alert('logged in to fb')" onerror="alert('not logged in to fb')" src="https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Ffavicon.ico">
Shouldn't a browser not send cookies when the request comes from a different domain? That would seem like the most sensible solution to me. Unless somebody can show a caveat of course.
This is exactly what the "block third-party cookies" option does. It really should be enabled per default, possibly with a permission prompt for cases where they are useful.
The interesting thing here is that third-party cookies usually allow a central site (e.g. an ad server) to track a user across many other sites. It's almost the other way around here: "other sites" can track status on a "central site".
No, that's not really related. Cross-site scripting's name comes from the vulnerabilities which allow an attacker to insert a <script> tag pointing at a script on another domain (or an inline script). It doesn't have to do with cookies and doesn't get around or really interact with the "block 3rd party cookies" setting.
Some interesting (and unethical) potential marketing opportunities here. For example, at the bottom of articles only show share actions for social platforms they are logged into.
Ethics are subjective, some people may find the fact you're identifying what websites the user is logged into creatively in this way unethical as it divulges what services the user uses without them necessarily consenting/realising you have access to this information.
So, in one case you get a list of 10 share buttons, in another you get a list of 5 that you're logged in to already. The information doesn't leave your machine, it's your browser that discovers it and the information is presented to you - what in particular is your take on the ethical problem here? To me that's like a program arranging your contacts by order of use without explicitly requesting permission to do so. The page is already causing your browser to request lots of URLs that you didn't explicitly allow.
Maybe you just use it for prioritization. For example, if they are logged into Reddit and Twitter: show buttons for Reddit and Twitter, then just have a more button that opens a dialog with other supported services.
Sure, but if you identify they are logged into FB and Reddit, maybe only show those two options. If you can't determine they are logged into any service show them all.
Firefox has third party cookies enabled by default, PLUS they hide the setting so you have to search for it to disable it.
I'm 100% sure that they designed it that way to please Google. The pull requests to change it were ignored.
And then they claim to be your partner in keeping your privacy.
AFAIK only Safari has 3rd party cookies disabled by default.
There are only very few sites that require 3rd party cookies. I use none of them.
> AFAIK only Safari has 3rd party cookies disabled by default.
Safari's "3rd party cookies disabled" behavior is not the same as the Firefox one. Firefox's blocks third-party cookies (though it's hard to tell whether it just blocks _setting_ or also blocks _sending_). Safari does something where they send them in some cases, but I'm having a hard time determining which cases, possibly because they've changed behavior a few times. At one point they blocked third-party cookies, _unless_ the third-party site has previously been visited as a first-party site. What this meant in practice is that Safari wouldn't block third-party cookies for things like Facebook or Google that you probably have visited as a first party.
At this point they _may_ be doing double-keying of cookies instead (top domain and third-party domain as key, not just the third-party domain). As I said, it's a bit hard to tell from the documentation out there, which is conflicting and contradictory, and I have no time right now to go read the source. And even then they might only be doing double-keying in the "never visited as first party" case...
The point of all of which is, "blocking third party cookies" is not a well-defined thing and different browsers mean quite different things, with different web compat impact and site breakage, when they say they do it.
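The distinction drawn above between blocking the *setting* of third-party cookies, blocking the *sending* of them, and double-keying them by top-level site decides whether the favicon-redirect login probe discussed in this thread still works. The following is an added example, not code from the thread or from any browser: a toy cookie jar that models those policies and runs the two scenarios against it (a user who logged into a social site first-party, then lands on a page embedding the login-redirect image; and a tracker that sets a cookie on one site and is loaded again on another). Host names, cookie values and the `loginEndpoint` stub are constructed for illustration.

```javascript
// Added example: a toy model of a browser cookie jar under different
// "block third-party cookies" policies. Hosts and values are constructed.

const POLICIES = ["allow-all", "block-setting", "block-sending", "double-key"];

class CookieJar {
  constructor(policy) {
    this.policy = policy;
    this.store = new Map(); // storage key -> cookie string
  }

  // Storage key: partitioned by the top-level site when double-keyed,
  // otherwise just the host that set the cookie.
  key(host, topSite) {
    return this.policy === "double-key" ? `${topSite}|${host}` : host;
  }

  // Set-Cookie received from `host` while the address bar shows `topSite`.
  setCookie(host, topSite, value) {
    const thirdParty = host !== topSite;
    if (thirdParty && this.policy === "block-setting") return false;
    this.store.set(this.key(host, topSite), value);
    return true;
  }

  // Cookie header the browser would attach to a request to `host`
  // issued by a page whose top-level site is `topSite`.
  cookiesFor(host, topSite) {
    const thirdParty = host !== topSite;
    if (thirdParty && this.policy === "block-sending") return null;
    return this.store.get(this.key(host, topSite)) ?? null;
  }
}

// Minimal stand-in for the social site's login URL with a ?next= parameter:
// with a session cookie it redirects (to the favicon), otherwise it renders
// the login form. The image's onload fires only in the redirect case.
function loginEndpoint(cookie) {
  return cookie === "session=abc"
    ? { status: 302, location: "/favicon.ico" }
    : { status: 200, body: "login form" };
}

// Scenario 1: user logs into social.example first-party, then visits
// attacker.example, which embeds <img src="https://social.example/login?next=favicon">.
// Returns true when the probe can tell the user is logged in.
function probeLeaks(policy) {
  const jar = new CookieJar(policy);
  jar.setCookie("social.example", "social.example", "session=abc"); // first-party login
  const cookie = jar.cookiesFor("social.example", "attacker.example"); // third-party fetch
  return loginEndpoint(cookie).status === 302;
}

// Scenario 2: classic cross-site tracking. tracker.example sets a cookie while
// embedded on site-a.example; is it sent back when embedded on site-b.example?
function trackerFollows(policy) {
  const jar = new CookieJar(policy);
  jar.setCookie("tracker.example", "site-a.example", "uid=42");
  return jar.cookiesFor("tracker.example", "site-b.example") === "uid=42";
}

// Summary table for all policies.
function summarize() {
  const out = {};
  for (const p of POLICIES) out[p] = { loginProbe: probeLeaks(p), tracker: trackerFollows(p) };
  return out;
}

console.table(summarize());
```

The run shows the point made above: a policy that only refuses to *set* third-party cookies still leaks the login state, because the session cookie was set first-party and is then sent on the cross-site image fetch; only blocking the sending, or partitioning the jar by top-level site, defeats the probe. It also shows why "block third-party cookies" is not one well-defined thing across browsers.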
Sorry I was wrong about Firefox, I must have reconfigured mine and forgotten about it. My point was that Privacy Badger alone won't prevent this attack, you have to disable 3rd party cookies.
Privacy Badger alone missed Reddit and the Google cluster, but picked off all of my other active logins. I'll be adding uBlock to see what it does with the survivors.
Yeah, it kind of shows conflicting results to me too.
While it correctly identified me being logged into HN, Medium, and Amazon, it completely missed reddit, GitHub, Twitter, Facebook, etc. I'm assuming it missed them because of me running Privacy Badger, but I'm kind of negatively surprised that Privacy Badger failed to protect me from those three I mentioned.
Blocking third-party cookies gives you full protection in this and other situations without any major annoyances.
Other subcomments here mention it, but every time this comes up it seems most people (including the article) aren't aware that blocking 3rd party cookies is a super easy fix and IMHO should be the default of browsers.
I've only ever had issues with this at my banking site because they use a third party to host their solution (Work around is opening the iframe). But I am now going to ask them to fix this (I guess all it requires is a subdomain pointing to the third party?).
Please help spread the message and ask trouble web sites to fix their shit or if I'm completely wrong, educate me and let's move things forward.
This is the first I had heard of GETs to login pages executing a redirect when the user is already logged in. I wasn't aware that so many did this.
Virtually every application I have built will render a simple response saying "You are already logged in" if you GET the login URL with an active session. As I understand the exploit, if a non-image is returned, the script assumes you are not logged in.
What value is there in redirecting a GET if you're already logged in? You redirect when the login form is submitted as a POST.
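The comment above and the `<img onload=…>` snippet earlier in the thread together describe the server-side half of the problem: a login URL that answers a GET with a redirect to an arbitrary `next` target, with the session cookie attached, turns into a cross-site login oracle. The following is an added example, not the code of any site discussed here, of a login handler that applies the mitigations raised in this thread: no redirect on GET, redirect only after a credential-checked POST and only to a same-origin path, refusal to serve the login URL as an image or other subresource, and a session cookie marked `SameSite=Lax`. The request object shape, `credentialsValid`, and `isSafeNext` are assumptions for the example; the `Sec-Fetch-Dest` and `Sec-Fetch-Site` headers are the standard Fetch Metadata request headers, which only newer browsers send, so that check is defense in depth rather than the sole protection.

```javascript
// Added example: a hardened login handler. `req` is a constructed object
// with { method, headers, query, session, credentialsValid }; it is not
// any real framework's request type.

// Accept only same-origin absolute paths as a post-login redirect target:
// reject full URLs, protocol-relative URLs, backslashes and whitespace.
function isSafeNext(next) {
  return (
    typeof next === "string" &&
    next.startsWith("/") &&
    !next.startsWith("//") &&
    !/[\\\s]/.test(next)
  );
}

function handleLogin(req) {
  const { method, headers = {}, query = {}, session = false, credentialsValid = false } = req;
  const dest = headers["sec-fetch-dest"]; // e.g. "document", "image", "script"
  const site = headers["sec-fetch-site"]; // e.g. "same-origin", "cross-site"

  // 1. A login page is only ever a navigation target. Serving it as an
  //    <img>, <script> or similar subresource has no legitimate use.
  if (dest && dest !== "document") return { status: 403, body: "forbidden" };

  // 2. Cross-site requests get the plain form regardless of session state,
  //    so the response carries no information about whether a session exists.
  if (site === "cross-site") return { status: 200, body: "login form" };

  // 3. GET never redirects. With an active session, say so instead of
  //    following `next`; the browser probe relies on the redirect.
  if (method === "GET") {
    return session
      ? { status: 200, body: "already logged in" }
      : { status: 200, body: "login form" };
  }

  // 4. Only a POST with valid credentials establishes a session and
  //    redirects, and only to a validated same-origin path. SameSite=Lax
  //    keeps the new cookie off cross-site subresource requests.
  if (method === "POST" && credentialsValid) {
    const next = isSafeNext(query.next) ? query.next : "/";
    return {
      status: 302,
      location: next,
      headers: {
        // "<opaque>" is a placeholder for a random session identifier.
        "set-cookie": "session=<opaque>; Secure; HttpOnly; SameSite=Lax; Path=/",
      },
    };
  }

  return { status: 200, body: "login form" };
}

// The probe from the thread, as a modern browser would issue it: a cross-site
// image fetch of /login?next=/favicon.ico by a user who has a session.
const favprobe = {
  method: "GET",
  headers: { "sec-fetch-dest": "image", "sec-fetch-site": "cross-site" },
  query: { next: "/favicon.ico" },
  session: true,
};
console.log(handleLogin(favprobe)); // { status: 403, body: 'forbidden' }
```

Check 3 is the one that matters for browsers without Fetch Metadata: even when the cookie is sent, a GET with a session yields a 200 HTML page, so the image's `onerror` fires whether or not the user is logged in and the oracle is gone.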
It retrieves the favicon (at least - haven't finished reading how it works) from YouPorn. If you're looking at DNS requests, it looks like similar to if you're browsing porn.
I'm guessing from other comments that it checks logins on a wide variety of sites, some of which may be NSFW. Some employers might not like you accessing NSFW sites.
If a filter is set up to not just block access to but also flag based on something as trivial to embed as a URL one would hope the technology would be a little bit more involved than a single hit on a .ico file for a flag.
A web filter / proxy does not have any way to tell whether any individual HTTP request was requested as a result of HTML embedding, bookmarking, user entry or clicking on a link.
If your position is that monitoring HTTP traffic is useless because favicons can be embedded into webpages, what method would you propose to monitor employees' browsing habits then?
Furthermore, how would you monitor the HTTP traffic of suspected terrorists? After all, anyone can embed an image to "www.isis.com/blackflag.jpg" into any webpage, so shouldn't we stop monitoring all such traffic?
Your original assertion was that "it's a pretty crappy check", but I think what you are missing here is that it's the only possible check, minor irrelevant flaws and all.
No, it isn't the only possible check, but besides that the 'HTTP traffic of suspected terrorists' will be nicely encrypted in a way that you won't be able to intercept the URLs.
Lots of fearmongering here. If you want to monitor your employees' browsing behavior then you're going to have to supply them with the hardware they do the browsing on, lock that hardware down and install some nannyware to do the monitoring. That way you won't have to MITM each and every connection and you'll have a more secure setup overall.
Attaching cookies to third-party requests is the source of many issues. In a similar demonstration [0], I showed that browser-based timing attacks (which can probably be considered as wont-fix as well) can be used to extract more specific information from social networks (e.g. one's political preference based on who they're following).
I don't know if anyone will read this at this point, but if you're going to proof-of-concept an exploit, please make that clear in the title or have an opt-in step with an explanation of what it will do like the EFF uses on https://panopticlick.eff.org/
I do not appreciate being tricked into running your exploit proof of concept, especially when you put content in it that I otherwise would not have clicked.
Nifty, with Firefox containers each one shows the "mode" I'm in. Hackernews for default container, personal has my Google world + open source + Dropbox, work has my work's Gmail world, and shopping has my Amazon account. It's like a verification that containers work!
There's an explanation further down the page, but essentially the redirect they choose is an image. You can tell if an image loaded successfully using JS, so if the redirect succeeds, that JS fires. If it fails (because the login page isn't an image), some other JS runs instead.
Oh okay, that makes sense. It's like those tracking/analytics where they know where a person came from previously to follow their "thought pattern" that is something I'm not 100% in either.
Yes, this needs to be made clear: Fanboy Annoyance won't protect you from Social Media Fingerprinting, it just prevents the proof of concept on that one site from working properly.
Disabling 3rd-party cookies in your browser is what protects people against Social Media Fingerprinting.
I always advise to disable 3rd-party cookies -- unfortunately this is not enabled by default in browsers. Even without this Social Media Fingerprinting issue, anyone looking at cookie payload (which also include local and session storage) on common top sites will be horrified at the result of not blocking 3rd-party cookies.
I found it's quite rare to find a site broken because 3rd-party cookies are blocked.
Thanks. I just enabled Fanboy's Annoyance List in uBlock Origin. I haven't spent any time digging through that filter list, but I'm now interested. Any other recommendations or resources?
Personally I went with EasyList and local EasyList against ads, Fanboy’s Annoyance and Anti-ThirdpartySocial because social media integrations generally annoy me. EasyPrivacy and Fanboy’s Enhanced Tracking List for privacy as well as the Adblock Warning Removal List and this cool thing against the EU cookie failure: https://raw.githubusercontent.com/r4vi/block-the-eu-cookie-s...
If I want to share content on a social platform I just copy the link and post it wherever I like. I don't need slow, endless lists of tiny buttons to nudge me into something.
So, did I just make all those sites that I'm not logged in to aware of my IP address? And if I didn't have ad blocking, would I then be seeing ads "of interest to" people who visit those sites?
Well, it's good to see it's partly wrong for me. It shows HN correctly, but also shows me logged in to Facebook and Tumblr, which is not correct. And not logged in to Gmail, which I am. Still, it's a dangerous flaw.
How is being shown logged in any good when it's not true? Wasn't there also something about Facebook creating accounts for people based on their 3rd party promotion link-ins and whatnot?
Can't get this to work. Turned off ublock origin, but still using https everywhere and blocking third-party cookies (for a recently discovered attack that utilizes cookies).
It says I'm not logged into any of its sites. Chrome on Android 6. No special privacy measures. I am logged into a few sites in the browser, including this one.
This 'fingerprint' changes as you log in and log out of various services, so it's not very reliable for uniquely identifying users. Regardless, it could still be used to profile you and then target content accordingly. For example, if you're logged into Hacker News, you're probably a programmer and you're probably more interested in an ad for web hosting than wedding dresses, and vice versa for Pinterest.
Same here actually. I haven't logged into my reddit account in like two years now. Also don't have any cookies from reddit so I dunno. The site does show me logged out of everything else so I think it's either broken or something else.
Hmm weird, it correctly detected everything except for the false negatives of PayPal, Tumblr, and Spotify. Taking a look at the mechanism I have no idea why this would happen, and opening the relevant links in my browser gives the favicon as it should. Weird.
What is happening is not legal in the US and a large porn website was sued for doing it. They were printing hidden links on the page, then checking the color with JS to see if you had visited the destination URL or not. The judge didn't think it was a fair business practice. Maybe these companies are not fixing this because of this legal precedent and figured no one was doing it?
For me, it throws several false alerts (Twitter, Flickr and a few others). Is it possible that it's caused by my browser extensions (uBlock Origin, Disconnect)?
Google is basically omniscient on a user-profile basis with years of search, Gmail, and YouTube data on users. They should just write an algorithm and let it send out job offers with no human intervention, just like search.
Yeah, I thought "Well I only log on to corporate email and HN on this computer, so it's not going to drag up anything scandalous."
Our IT department LOVES complaining about users using the network inappropriately, so I can look forward to a discussion with HR about this. I guess I should have checked the comments first.
Yep I also clicked first. It might need an "NSFW" tag in the title to warn other users. (Let's see how long it takes for Corporate IT to come yell at us)
Yes. If you do anything remotely personal on a work computer, use a VPN or some other type of encrypted tunnel (an SSH SOCKS tunnel + FoxyProxy makes a good poor man's VPN, and can usually be configured to allow seamless integration with internal resources going over the LAN and external going over the tunnel).
I'm more likely to get in trouble for creating a VPN than I would be for accidentally sending a DNS request to YouPorn. Our IT department is insane about data security, and running traffic through another VPN will cause them to drop everything to harass you for as long as it takes you to prove that you weren't leaking sensitive information.
Very simple and cool exploit. I wouldn't be surprised if this technique is already in use on various ad platforms. A really simple pitfall I think most of us can confess to having done in the past (redirect attributes are pretty common in the wild).
Is this a spoof? It is 100% WRONG for me on the Vivaldi browser.
Says I'm logged in to FB and nothing more. I don't even have a bookface account, but I do have Gmail/YT/GitHub/Reddit and a few others open in the adjacent tabs and fully logged in.