There is a well known vulnerability in many web platforms that allows a potential attacker to determine the online platforms you are signed up to and are currently logged into. The exploit is pretty simple and actually easy to fix, however, most companies have not bothered to fix it because it does pose a serious risk to their platforms. It does pose a potential issue for our privacy so let’s briefly look at how we can protect ourself.

If you visit this website from a Chrome browser you will probably find a list of services you are currently logged into. This exploit works by utilising a redirect parameter in the login endpoint. If the attacker makes a request and they are redirected to a favicon it means you have an account on the platform and you are logged in. Alternatively, if their request is redirected to the login screen, the attacker would know you are not currently logged in to the service.


Ok, now let’s visit the same website from a hardened browser like Firefox. Notice now that the login detection doesn’t work because your hardened browser is blocking requests to their domain.


In short, the simple protection against this exploit is to switch from using chrome to a browser such as Firefox which blocks requests.