in All Posts, SEO/SEM

Detect if visitors are logged into Twitter, Facebook or Google+


Example output – try it here.

The quick version: I’ve found a way to abuse the login mechanism for both Twitter and Google to detect whether a user is logged in to that service. Facebook provides an API for this. So I provide a cross-browser javascript template that works for all 3 networks. If you want to get straight to the code jump to the implementation section or check out the Social Network Login Status Detector Demo.

Introduction

I was interested in seeing whether it would be possible to track which social networks a website visitor is logged into at the time of their visit; it could be cool for selecting which social media buttons you show them, what sort of marketing you do to them, or simply to evaluate whether you should be participating more on a certain social network. I was interested in Facebook, Twitter and Google+; as an SEO I was also interested in whether people were logged into a general Google account so I could compare which percentage of those had a Google+ account.

A quick search turned up an interesting post from Mike Cardwell who had a method for doing this for Facebook, Twitter and Gmail, but unfortunately it didn’t work in Internet Explorer. Secondly, I knew there was a better method than Mike’s for Facebook, which I’d seen presented by Mat Clayton of Mixcloud; he uses Facebook’s API to do the same thing (see slide 15). Mat’s method works great across browsers, so that solved the Facebook side of this.

Finding a way in to Twitter and Google+

Wat I needed was a method for detecting whether a visitor to my site was logged in to Twitter, Google and more specifically Google+.

Thanks to abraham from Hacker News I discovered that Twitter has an undocumented endpoint that simply returns true or false for whether the current user is logged in! It is very simple:

  1. <script>
  2.     function twitterLoginStatus(state) {
  3.       alert(state);
  4.     }
  5. </script>
  6. <script src='https://api.twitter.com/sessions/present.js?callback=twitterLoginStatus'></script>

However, due to boring technical details concerning MIME types this code doesn’t work on IE9, which (unfortunately) for many purposes makes it less than ideal.

Browsers nowadays are very sensitive to cross site requests and the all to common exploits that abuse them, and so unless the 3rd party site plans to allow it using javascript for this is probably going to be difficult. The other great way to make cross domain requests is with image tags.

Tricking login mechanisms

I came up with the theory that I needed to try to access and image on Twitter/Google’s sites that would only be available to users when they are logged in. Using javascript I could detect whether the image loaded or not and thus determine whether the user was loggedin. However, these are obviously going to be few and far between (image assets are often static and so on CDNs and/or not protected in such a manner), if they exist at all (I didn’t find any), so I was back to square one. I needed a protected area of the site, but needed the file contents to be an image.

My winning moment was realising that some naive login systems might be open to abuse for exactly this purpose. It is often the case that you try to access a specific page on a site, lets say the “Upload a photo” page but you need to be logged in to do so. If you are not logged into the site in question, when you visit the URL the page redirects to the Login page to authenticate you are who you say you are; however the site wants to be helpful and send you to the page you were looking for so they keep a track of that target page in the URL as a parameter and then helpfully redirect you to that page after login is complete.

What happens if you visit the login page with a ‘redirect on login’ parameter and you are already logged in? When implemented in a naive fashion you are simply immediately redirected to the page specified in the parameter. Some sites limit that parameter to being another page on the same domain, but we’ll see that doesn’t help for this trick.

This mechanism is open to abuse in exactly the way I needed; I could set the ‘redirect on login’ page to be an image file on the same domain. For example:

  1. <img src="https://twitter.com/login?redirect_after_login=%2Fimages%2Fspinner.gif" />

In this example, if I am logged in Twitter is kind enough to 302 redirect me to the image file I specified, but if I am not logged in I am show the login page. It turns out that both Twitter and Google’s login mechanisms are susceptible to exactly this trick. It seems LinkedIn and Tumblr are currently immune to this, though I didn’t dig too deep so there might be another redirect URL for them.

Putting it all together

From this point on it was quite easy to hack together some javascript; just stick this code in the <head></head> section of your page:

  1.  <script type="text/javascript">
  2.    function show_login_status(network, status)
  3.    {
  4.     if (status)
  5.     {
  6.      alert("Logged in to " + network);
  7.     }else{
  8.      alert("Not logged in to " + network);
  9.     }
  10.    }
  11.  </script>

Then, anywhere in your code that seems like a nice place stick this HTML:

  1. <img style="display:none;"
  2. onload="show_login_status('Google', true)"
  3. onerror="show_login_status('Google', false)"
  4. src="https://accounts.google.com/CheckCookie?continue=https%3A%2F%2Fwww.google.com%2Fintl%2Fen%2Fimages%2Flogos%2Faccounts_logo.png&followup=https%3A%2F%2Fwww.google.com%2Fintl%2Fen%2Fimages%2Flogos%2Faccounts_logo.png&chtml=LoginDoneHtml&checkedDomains=youtube&checkConnection=youtube%3A291%3A1"
  5. />
  6.  
  7. <img style="display:none;"
  8. onload="show_login_status('GooglePlus', true)"
  9. onerror="show_login_status('GooglePlus', false)"
  10. src="https://plus.google.com/up/?continue=https://www.google.com/intl/en/images/logos/accounts_logo.png&type=st&gpsrc=ogpy0"
  11. />
  12.  
  13. <img style="display:none;" src="https://twitter.com/login?redirect_after_login=%2Fimages%2Fspinner.gif" onload="show_login_status('Twitter', true)" onerror="show_login_status('Twitter', false)" />
  14.  
  15. <div id="fb-root"></div>

Finally, somewhere after that HTML stick this Javascript:

  1. <script>
  2.  window.fbAsyncInit = function(){
  3.   FB.init({ appId:'xxxxxxxxxxxx', status:true,  cookie:true, xfbml:true});
  4.   FB.getLoginStatus(function(response){
  5.    if (response.status != "unknown")
  6.    {
  7.     show_login_status("Facebook", true);
  8.    }else{
  9.     show_login_status("Facebook", false);
  10.    }
  11.   });
  12.  };
  13.  // Load the SDK Asynchronously
  14.  (function(d){
  15.   var js, id = 'facebook-jssdk'; if (d.getElementById(id)) {return;}
  16.   js = d.createElement('script'); js.id = id; js.async = true;
  17.   js.src = "//connect.facebook.net/en_US/all.js";
  18.   d.getElementsByTagName('head')[0].appendChild(js);
  19.  }(document));
  20. </script>

You will need to replace xxxxxxxxx above with the appID for an app created for your domain; if you don’t have one you can create one in about 60 seconds. Simply visit https://developers.facebook.com/apps whilst logged in to Facebook, and click “Create New App”. You will be prompted for a “Display Name”, and you can enter any old dummy text here and press Continue. On the next page it is only necessary to fill out the “App Domain” and the “Website” with the URL of the domain you want to use this code on. Do that, save changes and grab the “App ID” from the top of the page and enter it in the code above.

You should be all set! Now you can change your alert() functions to do whatever you want based on the login status of the user. See a demo of it in action Social Network Login Status Detector Demo.

Wrap up

In my testing this worked on a range of versions of Firefox and Chrome, IE versions 7 and up, Safari and Opera. It may be that these loopholes get fixed, but in the meantime I implore you to only use this in nice ways. There is an argument that a 3rd party even knowing what other sites you are logged into is a breach of your privacy, and I can certainly see why some people would feel like that (especially if this was scaled up to more personal sites that you might be logged into). If you want to prevent this then for Firefox you can try RequestPolicy or NoScript. For Chrome you can give ScriptNo a shot. On IE you can try giving Firefox or Chrome a try. 😉

However, I do also think that this sort of thing can be used in good ways – serving only a subset of social buttons to your users, or determining whether you should be providing support on a given social platform etc. If anyone has any nice suggestions for other ways you could use (nicely) use this, I’d love to hear.

Write a Comment

Comment

74 Comments

  1. Very interesting approach to this challenge. I have been trying to think of a way to detect whether someone is logged into a social network or other service, but wasn’t able to figure it out. Looks like you’ve solved this, at least temporarily, until they change something so that this no longer works.

  2. I try to detect visitators from social netkworm from year but useles! Now after I read this article I will try to follow your advices and I hope to work!
    Thanks for this great article!

  3. Really nice. I setted it up and worked fine. It still works fine in Twitter em G+. With Facebook I have an error message saying the SDK version is not supported anymore! Any idea how to fix? Anyway, thank you so much!

  4. I am a beginner at this, but is it possible to indentify the accounts who are logged in? it is possible to know if somone is logged in in a social media site, but is it possible to know the name/adress of that account? If that is possible than clearing cookies is useless because they will track you anyway everytime you are logged in.

  5. Hi Tom,

    is there a way to check whether the user is logged in a social network and if yes, show their profile picture and name somewehere on the website?

    Thanks, Roman

  6. Nice solution to a dilemma we have had for some time now. It’s all nice to send your user to a G+ service but it get’s very nice when you can add logic according to their login/off status. Thanks!

    • Nice post. Is there anyway we can get the username for each as well. For e.g. if a user is logged on to gmail, fb or twitter then display the associated username or email related to the account?

Webmentions

  • How to confirm a Google user’s specific email address (Bug Bounty Submission) - The web development company January 19, 2019

    […] previously written about identifying whether a user is logged in to a certain social network, and this attack is a variation of that method (albeit more serious, […]

  • Full Third-Party Cookie Blocking and More, Hacker News - DIGITALIVE.WORLD January 19, 2019

    […] discussed by Jeremiah Grossman back in and and Tom Anthony in , and set up by Robin Linus in 2019 as a live demo with which you can test your browser , this […]

  • Full Third-Party Cookie Blocking and More | WebKit January 19, 2019

    […] discussed by Jeremiah Grossman back in 2008 and Tom Anthony in 2012, and set up by Robin Linus in 2016 as a live demo with which you can test your browser, this […]

  • L’apocalypse des Cookie se poursuit – OWDIN January 19, 2019

    […] l’ont expliqué Jeremiah Grossman en 2008 et Tom Anthony en 2012, et comme l’a mis en place Robin Linus en 2016 sous la forme d’une démo en direct avec […]

  • 29 Ways to Use Remarketing (& How to Do It) | Raven January 19, 2019

    […] Anthony shared a very cool workaround for figuring out whether someone is logged into a social network or […]

  • Determining whether users are logged into Twitter | Reflections January 19, 2019

    […] Detect if visitors are logged into Twitter, Facebook or Google+, Tom Anthony explains how to determine what social networks your users are logged into. The […]

  • Detect if visitors are logged into Twitter, Facebook or Google+ - Jacob is studying on web programming January 19, 2019

    […] javascript template that works for all 3 networks. If you want to get straight to the code jump to the implementation section or check out the Social Network Login Status Detector […]

  • Detect if visitors are logged into Twitter, Facebook or Google+ - Jacob is studying on web programming January 19, 2019

    […] http://www.tomanthony.co.uk/blog/detect-visitor-social-networks/ 에서 참조 […]

  • Loginstatus für Twitter, Facebook oder Google+ bestimmen. | No more cubes. January 19, 2019

    […] via Detect if visitors are logged into Twitter, Facebook or Google+. […]

  • Checking if a user has authenticated my app in Twitter January 19, 2019

    […] I have an app that allows facebook and twitter logins. For facebook, there’s a javascript API that can tell me, on page load, if a user is both logged into facebook and connected to my app. This is useful in case their session has expired, so I can easily log them in again. However, with twitter, I haven’t been able to find anything like this. There’s a very hacky way of detecting if the user has logged in (taken from here): […]

  • How to get almost every visitor to like your website (Facebook) | Aktarer Zaman January 19, 2019

    […] is set up is that it first detects if the visitor is logged into facebook. It does this through a hack revealed here. If you are not logged in, it removes the trailing iframe. If it doesn’t do this, a Facebook […]

  • Twitjack 100,000 followers! - Web Marketing School January 19, 2019

    […] 2) identify which visitors are logged into twitter/G+/facebook etc. – you can do this using a technique written about in much better detail that I will go into here by a friend of mine and allround top SEO bloke, Tom Anthony […]

  • 3 Cool Analytics Hacks in Google's new Universal Analytics.js January 19, 2019

    […] final tip actually comes courtesy of Tom Anthony who first wrote about this last year on his personal blog here. However, as with other things in this article the actual implementation needs to change in order […]

  • Updated Code: Which Social Networks Are Your Visitors Logged Into | Alex Czartoryski's Blog January 19, 2019

    […] in February, Tom Anthony wrote a couple of great posts on how to detect if visitors were logged into a social network and then how to use Google Analytics to track this […]

  • 株式会社ISSUN(イッスン) SEO的に見た、ECサイトで「あなたが取り組むべき15のページ要素」2012年版 » 株式会社ISSUN(イッスン) January 19, 2019

    […] また、facebookやtwitterなどにログインしているユーザに、特別なメッセージを表示させることでシェアを誘発する方法も可能で、これは興味深い解説でした。http://www.tomanthony.co.uk/blog/detect-visitor-social-networks/ […]

  • Check if User is Logged Into ANY Site - Facebook, Google Plus, Gmail, StumbleUpon, etc January 19, 2019

    […] can find more details and elaborations here: https://grepular.com/Abusing_HTTP_St…te_Information http://www.tomanthony.co.uk/blog/det…cial-networks/ I must say though that finding whether a user is logged in or not is very useful in Clickjacking […]

  • Check if User is Logged Into ANY Site - Facebook, Google Plus, Gmail, StumbleUpon, etc January 19, 2019

    […] can find more details and elaborations here: https://grepular.com/Abusing_HTTP_St…te_Information http://www.tomanthony.co.uk/blog/det…cial-networks/ Reply With […]

  • Using WordPress? Track which social networks your visitors are logged into via Dan Taylor | That's All I Have To Say About That January 19, 2019

    […] by Tom Anthony’s initial post outlining both Twitter and Google’s login mechanism (Facebook below), and authored by Marty […]

  • Who Knows Your Are Logged In? | As I See It January 19, 2019

    […] you follow through on this website – http://www.tomanthony.co.uk/blog/detect-visitor-social-networks/ – you will find an article that explains the mechanics and from there I imagine a technically […]

  • Detect Which Social Networking Sites Website Visitors Are Logged Into January 19, 2019

    […] Clever hack. […]

  • Detect if visitors are logged into Twitter, Facebook or Google+ | ITSecurity | Scoop.it January 19, 2019

    […] background-position: 50% 0px; background-color:#222222; background-repeat : no-repeat; } http://www.tomanthony.co.uk – Today, 1:24 […]

  • Detect if visitors are logged into Twitter, Facebook or Google+ | SEO php script | Scoop.it January 19, 2019

    […] background-position: 50% 0px; background-color:#222222; background-repeat : no-repeat; } http://www.tomanthony.co.uk – Today, 9:39 […]

  • Detect if visitors are logged into Twitter, Facebook or Google+ | SEO & Webdesign | Scoop.it January 19, 2019

    […] background-position: 50% 0px; background-color:#222222; background-repeat : no-repeat; } http://www.tomanthony.co.uk (via @seotweetz) – Today, 1:50 […]

  • Detect if visitors are logged into Twitter, Facebook or Google+ | Social Media Marketing & IT Strategie | Scoop.it January 19, 2019

    […] background-position: 50% 0px; background-color:#222222; background-repeat : no-repeat; } http://www.tomanthony.co.uk (via @eklaus) – Today, 12:20 […]

  • Social Networks: Trick zeigt Login bei Twitter, Facebook oder Google+ an January 19, 2019

    […] […]