The quick version: I’ve found a way to abuse the login mechanism for both Twitter and Google to detect whether a user is logged in to that service. Facebook provides an API for this. So I provide a cross-browser javascript template that works for all 3 networks. If you want to get straight to the code jump to the implementation section or check out the Social Network Login Status Detector Demo.
Introduction
I was interested in seeing whether it would be possible to track which social networks a website visitor is logged into at the time of their visit; it could be cool for selecting which social media buttons you show them, what sort of marketing you do to them, or simply to evaluate whether you should be participating more on a certain social network. I was interested in Facebook, Twitter and Google+; as an SEO I was also interested in whether people were logged into a general Google account so I could compare which percentage of those had a Google+ account.
A quick search turned up an interesting post from Mike Cardwell who had a method for doing this for Facebook, Twitter and Gmail, but unfortunately it didn’t work in Internet Explorer. Secondly, I knew there was a better method than Mike’s for Facebook, which I’d seen presented by Mat Clayton of Mixcloud; he uses Facebook’s API to do the same thing (see slide 15). Mat’s method works great across browsers, so that solved the Facebook side of this.
Finding a way in to Twitter and Google+
Wat I needed was a method for detecting whether a visitor to my site was logged in to Twitter, Google and more specifically Google+.
Thanks to abraham from Hacker News I discovered that Twitter has an undocumented endpoint that simply returns true or false for whether the current user is logged in! It is very simple:
-
<script>
-
function twitterLoginStatus(state) {
-
alert(state);
-
}
-
</script>
-
<script src='https://api.twitter.com/sessions/present.js?callback=twitterLoginStatus'></script>
However, due to boring technical details concerning MIME types this code doesn’t work on IE9, which (unfortunately) for many purposes makes it less than ideal.
Browsers nowadays are very sensitive to cross site requests and the all to common exploits that abuse them, and so unless the 3rd party site plans to allow it using javascript for this is probably going to be difficult. The other great way to make cross domain requests is with image tags.
Tricking login mechanisms
I came up with the theory that I needed to try to access and image on Twitter/Google’s sites that would only be available to users when they are logged in. Using javascript I could detect whether the image loaded or not and thus determine whether the user was loggedin. However, these are obviously going to be few and far between (image assets are often static and so on CDNs and/or not protected in such a manner), if they exist at all (I didn’t find any), so I was back to square one. I needed a protected area of the site, but needed the file contents to be an image.
My winning moment was realising that some naive login systems might be open to abuse for exactly this purpose. It is often the case that you try to access a specific page on a site, lets say the “Upload a photo” page but you need to be logged in to do so. If you are not logged into the site in question, when you visit the URL the page redirects to the Login page to authenticate you are who you say you are; however the site wants to be helpful and send you to the page you were looking for so they keep a track of that target page in the URL as a parameter and then helpfully redirect you to that page after login is complete.
What happens if you visit the login page with a ‘redirect on login’ parameter and you are already logged in? When implemented in a naive fashion you are simply immediately redirected to the page specified in the parameter. Some sites limit that parameter to being another page on the same domain, but we’ll see that doesn’t help for this trick.
This mechanism is open to abuse in exactly the way I needed; I could set the ‘redirect on login’ page to be an image file on the same domain. For example:
-
<img src="https://twitter.com/login?redirect_after_login=%2Fimages%2Fspinner.gif" />
In this example, if I am logged in Twitter is kind enough to 302 redirect me to the image file I specified, but if I am not logged in I am show the login page. It turns out that both Twitter and Google’s login mechanisms are susceptible to exactly this trick. It seems LinkedIn and Tumblr are currently immune to this, though I didn’t dig too deep so there might be another redirect URL for them.
Putting it all together
From this point on it was quite easy to hack together some javascript; just stick this code in the <head></head> section of your page:
-
<script type="text/javascript">
-
function show_login_status(network, status)
-
{
-
if (status)
-
{
-
alert("Logged in to " + network);
-
}else{
-
alert("Not logged in to " + network);
-
}
-
}
-
</script>
Then, anywhere in your code that seems like a nice place stick this HTML:
-
<img style="display:none;"
-
onload="show_login_status('Google', true)"
-
onerror="show_login_status('Google', false)"
-
src="https://accounts.google.com/CheckCookie?continue=https%3A%2F%2Fwww.google.com%2Fintl%2Fen%2Fimages%2Flogos%2Faccounts_logo.png&followup=https%3A%2F%2Fwww.google.com%2Fintl%2Fen%2Fimages%2Flogos%2Faccounts_logo.png&chtml=LoginDoneHtml&checkedDomains=youtube&checkConnection=youtube%3A291%3A1"
-
/>
-
-
<img style="display:none;"
-
onload="show_login_status('GooglePlus', true)"
-
onerror="show_login_status('GooglePlus', false)"
-
src="https://plus.google.com/up/?continue=https://www.google.com/intl/en/images/logos/accounts_logo.png&type=st&gpsrc=ogpy0"
-
/>
-
-
<img style="display:none;" src="https://twitter.com/login?redirect_after_login=%2Fimages%2Fspinner.gif" onload="show_login_status('Twitter', true)" onerror="show_login_status('Twitter', false)" />
-
-
<div id="fb-root"></div>
Finally, somewhere after that HTML stick this Javascript:
-
<script>
-
window.fbAsyncInit = function(){
-
FB.init({ appId:'xxxxxxxxxxxx', status:true, cookie:true, xfbml:true});
-
FB.getLoginStatus(function(response){
-
if (response.status != "unknown")
-
{
-
show_login_status("Facebook", true);
-
}else{
-
show_login_status("Facebook", false);
-
}
-
});
-
};
-
// Load the SDK Asynchronously
-
(function(d){
-
var js, id = 'facebook-jssdk'; if (d.getElementById(id)) {return;}
-
js = d.createElement('script'); js.id = id; js.async = true;
-
js.src = "//connect.facebook.net/en_US/all.js";
-
d.getElementsByTagName('head')[0].appendChild(js);
-
}(document));
-
</script>
You will need to replace xxxxxxxxx above with the appID for an app created for your domain; if you don’t have one you can create one in about 60 seconds. Simply visit https://developers.facebook.com/apps whilst logged in to Facebook, and click “Create New App”. You will be prompted for a “Display Name”, and you can enter any old dummy text here and press Continue. On the next page it is only necessary to fill out the “App Domain” and the “Website” with the URL of the domain you want to use this code on. Do that, save changes and grab the “App ID” from the top of the page and enter it in the code above.
You should be all set! Now you can change your alert() functions to do whatever you want based on the login status of the user. See a demo of it in action Social Network Login Status Detector Demo.
Wrap up
In my testing this worked on a range of versions of Firefox and Chrome, IE versions 7 and up, Safari and Opera. It may be that these loopholes get fixed, but in the meantime I implore you to only use this in nice ways. There is an argument that a 3rd party even knowing what other sites you are logged into is a breach of your privacy, and I can certainly see why some people would feel like that (especially if this was scaled up to more personal sites that you might be logged into). If you want to prevent this then for Firefox you can try RequestPolicy or NoScript. For Chrome you can give ScriptNo a shot. On IE you can try giving Firefox or Chrome a try. 😉
However, I do also think that this sort of thing can be used in good ways – serving only a subset of social buttons to your users, or determining whether you should be providing support on a given social platform etc. If anyone has any nice suggestions for other ways you could use (nicely) use this, I’d love to hear.
Tom, this is great, tx!
Your last point about determining if to support that social network is the crux for me, so lets say you want to gather the evidence for management for intelligence based decisions? Use Dennis Paagam’s GA event tracking call addition to the script and generate the reports in Analytics. See his post for details http://devblog.springest.com/how-to-find-out-if-your-users-are-on-facebook especially piece about preventing the bounce skew.
Lastly, are you able to detect if user is YouTube logged in also?
Just wait until a gmail account is the only way to log into youtube and then gmail account equals youtube account 🙂
It gets it backwards for me. Tells me I’m logged in to services that I’m not currently logged in to, and tells me that I’m not logged in to services that I am logged in to.
Note that the text colour is confusingly red for logged in and green for not logged in.
Safari on iPad says im logged in to all 4 services. I only have google and google+.
Doesnt work for me.
Computer says:
– NOT logged in: Facebook, Twitter, Google+
– Logged in: Google
Reality is: I do not have a google account and I am currently logged in into Facebook (another tab).
I am using Fireforx 10.0.2 and AdBlockPlus.
Script doesnt work!
Hi Stefan,
I imagine it is AdBlockPlus that is screwing it up – as the demo page mentions, some extensions will block this from working. You don’t have any Google account? No YouTube account or Gmail?
Thanks for the feedback. 🙂
It works for me (with AdBlock Plus)
Thanks for a great post.
It seems to work fine for me on Chrome. It got everything right… Not logged in anywhere.
How could we then gather all this information in a useful manner? Can this report be integrated to GA?
Tony – I already did such an integration: http://www.seomoz.org/blog/visitor-social-network-login-status-google-analytics
Have fun! 🙂
Sorry to be rude but this is so damn old. I saw this like 1 1/2 year ago on another blog so I really don’t get the buzz here.
Notable that it doesn’t detect the networks as logged in when I use hootsuite…
Okay, it’s less than a year old, but still:
https://grepular.com/Abusing_HTTP_Status_Codes_to_Expose_Private_Information
Once you’ve gained a little knowledge about Http it’s really nothing special.
Hi Christian,
You’ll notice that I link to that exact post in my article, and I also point out that it doesn’t work on Internet Explorer (any version), and doesn’t provide any method for Google+ either. The HTTP code trick doesn’t work with IE, and so the technique used here is completely different.
Thanks for taking the time to comment. 🙂
Thanks for the share. More importantly, thanks for pointing out ScriptNo for Chrome. I just recently switched back to using Chrome and didn’t have that extension yet.
I think this is badass.
I personally think it can have massive implication if you are able to deliver content based on the user needs.
We currently reward users with discount vouchers for liking our page on Facebook and working on the script for Google Plus and Youtube Subscribers.
I would be looking at displaying this message in a manner that states:
“Hey, you not logged in Facebook. Did you know if you log in you can get ………”
or
“Great you logged in to Facebook. Click the ‘Like’ button below and download your……”
Azzam
IE blocks this with tracking protection BTW
Shit Happens! I don’t like this, but I have installed ScriptNo 😉
You don’t need to make your web looks like crap by using NoScript. Just disable third party cookies in your browser’s privacy settings and this kind of detection won’t work.
This is great! I found this on SEOmoz. Do you know if there is a way to capture and push linkedin information as well?
Thanks for the info about RequestPolicy. Never heard of that before.
The demo shows, that I’m logged in to FaceBook, Twitter and GooglePlus, but I do not even have an account on one of these. I’m using Firefox 10.0.2 on Linux Mint 12 with no noscripts-addon installed.
I was thinking about similar idea. Would it be possible to track facebook users to see who they visit?
Tom already knows I absolutely love his post here and on SEOMoz on this topic. That’s why I also created this WordPress plugin: http://www.springest.co.uk/social-analytics/. Hopefully it will help the less code savvy people to also analyze this kind of data.
Doesn’t work. I don’t have an account with neither Facebook nor Twitter but the page shows that I am supposedly logged into both services
Here is another WordsPress plugin: http://www.seomoz.org/blog/visitor-social-network-login-status-google-analytics
It comes with pre-defined Custom Reports for Google Analytics
Can I have more than a FB.init by page? becouse I have Like button at page.
Question: isn’t being logged into google and google plus really the same thing at this point?
Also: I just did a little more indepth-search and couldn’t find a way to do this for tumblr or linkedin either. I think this is worth a little more effort.
We use a similar tech on our series template on our wiki to determine a user’s eligibility for upvotes and downvotes for the topics on reddit/digg… It could be used to decide whether or not to display the share buttons, I suppose.
Nice trick – worked for me in FF.
One request – I find your site really hard to read, having light gray text on a white background. Not everyone has 20/20 vision – don’t be afraid to use a little contrast sometimes! If not for the magic of firebug I’d have given up way before the end, which would have been a shame.
The Adblock filter “*$third-party” helps a lot; the demo page couldn’t even try to figure out i I was logged in anywhere, and the third-party sites received no notification that I accessed the demo page.
is this still working? it worked when I tested the demo a few days ago but now it doesn’t. I’m using the latest version of Chrome.
Works for me on latest Chrome. What doesn’t work for you?
Great post. Linking from the headline I was thinking you might be initiating an oauth request. This is even better.
Your demo seems to think I’m not logged into g+ but I totally am. I +1’d your post and clicked through without having to log in. I’m on the new chrome for android.
Interesting. I never tested it on mobile browsers. Did it work before from Android?
It showed me as not logged into anything, although I’m logged into Google and Facebook. Then I realized that it’s because I’m using Ghostery!
Another way to defeat this in Chrome – open an incognito window for gmail, facebook, twitter etc. This script will work in an incognito window, but not in a normal window. It probably isn’t a bad policy to use incognito for “important” sites, while using chrome in “normal” mode for general web browsing.
Great article Tom. It’s not detecting any of my logins when I am logged into G+, FB, and Twitter. ScriptNo, or possibly one of the other security extensions, seems to be doing it’s job.
doesnt work for me.
in ff10: FB doesnt get even shown, all others: “not logged in”. im in twitter and google right now.
in chrome: logged into FB (which i am not in chrome); not logged into twitter (which i am).
but… kinda sweet idea, this.
I made javascript library based on your technique https://github.com/stereobooster/social_detector
Seems to work fine for me and accurately too.
CSFire is the right defense against this kind of abuse. Though NoScript does block it, browsing with Javascript disabled is unrealistic.
I just wanted to say thanks, I use this for a fair few clients and its great for them to see how socially active users are but it also is useful for showing them why they should invest time in social media
It does NOT work on Chrome, not with g+ and Google at least, which, I believe, is due to the #rd party cookies being blocked.
Worked on Opera Mini.
Can we get user info like screen_name from twitter
@Hishikesh No it’s not possible to gather screen name without making an OAuth dance.
Hello Tom,
The code works great but the browser stores cache data and the code shows that we are logged in even if we have logged out. There should be some way to clear the browser cache on page load.
+1 for this post. Thank you!