• XSS.stack #1 – первый литературный журнал от юзеров форума

Получение списка соцсетей посетителя сайта

Отслеживать
Resurgentis

Resurgentis

HDD-drive
Пользователь
Регистрация
27.12.2020
Сообщения
26
Решения
1
Реакции
23
Хотелось бы прикрутить к себе на сайт такую фичу, но к сожалению нигде не смог найти подобных решений.
Каким образом возможно реализовать получение списка сервисов в которых зарегестрирован юзер? Подобное уже реализовано на сайте Whoer.net.
 
Решение
Hi Eject I have worked on things which you have mentioned above as my Deanonymization project and I would be happy to help you understand the scenario how it actually happens.
So we just use the favicon.ico load method to know if any user is currently logged into his / her specific website or not. Suppose that the Gmail.com has a redirect endpoint after login:


Here simply we will request favicon.ico file after login so if users will be logged into their Google account in browser then the favicon.ico image file will be loaded without showing login page but if incase user is not logged into his Google account he will be redirected to the login page and the favicon.ico file won't be...
Сортировать по дате Сортировать по голосам
Hi Eject I have worked on things which you have mentioned above as my Deanonymization project and I would be happy to help you understand the scenario how it actually happens.
So we just use the favicon.ico load method to know if any user is currently logged into his / her specific website or not. Suppose that the Gmail.com has a redirect endpoint after login:


Here simply we will request favicon.ico file after login so if users will be logged into their Google account in browser then the favicon.ico image file will be loaded without showing login page but if incase user is not logged into his Google account he will be redirected to the login page and the favicon.ico file won't be able to load. So using the image onerror or image onload function we can know if the current visitor is logged into their specific account or not.

This is what you were looking for:
https://github.com/RobinLinus/socialmedia-leak
More info:

Detect if visitors are logged into Twitter, Facebook or Google+

Javascript code to determine whether a website visitor is currently logged into a social media site (Twitter, Facebook or Google+).
www.tomanthony.co.uk

This is a basic method of cross site information leakage using Favicon.ico or image files and the whoer.net site uses the same method but if you want me to explain other methods also you can let me know :)
 
За 1 Против
Решение
Подобные сервисы используют кликджекинг если под ру, и получают твои соц сети(id,мыло майл, Фейсбук и т д), соцфишинг иначе говоря. На whoer.net скорее всего JS- скрипт который копается в куках твоего браузера, если зайдешь на сайт с другого браузера или инкогнито,то получишь другой результа. по ру знаю подобный сервис и не один, тот же соцфишинг, гугл в помощь) по анализу куки тоже есть название вспомню напишу.
 
За 0 Против
admin


Напишите ответ...
  • Вставить:
Прикрепить файлы
Верх