Abusing HTTP Status Codes

The result of abusing HTTP status codes is actually very severe. The format of this attack is fairly simple. A user uploads a picture to their account on a website such as gmail.com, then enables the picture to be seen by everyone, so that it is public. Doing so allows hackers to almost inject different types of code into the HTML. This code is written in JavaScript, and the attack can be prevented by simply turning off JavaScript in the browser. For a hacker, however, this tool is very interesting. By injecting such code they can potentially tell whether or not you are logged into a specific site. They created code that checks whether you are logged in to a website: if you are not, the status code returns something to the effect of “not logged in”; if you are, it returns “logged in”. This type of attack is very interesting because it is almost like a GPS tracker on your computer. The person who created the hack can more or less track a lot of your movement on the internet and ultimately stalk you. This type of script has worked with Internet Explorer, Mozilla Firefox, Safari and Chrome. This hack can also attack Facebook users and see when they are logged on using manipulated code, but it is limited by some browsers.
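An added example, not from the original post or the linked article: a server-side model of the status-code difference described above, next to a handler that answers cross-site embeds identically for both login states, plus a check that compares the two. The request fields and function names are assumptions made for illustration; Sec-Fetch-Site, Sec-Fetch-Mode and Sec-Fetch-Dest are the Fetch Metadata request headers that current browsers send.

```javascript
// Constructed request model (not a real framework API):
//   session : true when a valid session cookie arrived with the request
//   site    : value of the Sec-Fetch-Site header (undefined if the browser sent none)
//   mode    : value of Sec-Fetch-Mode
//   dest    : value of Sec-Fetch-Dest

// Leaky handler: the status code depends only on the visitor's login state,
// so any page that can trigger the request and observe load/error learns it.
function leakyStatus(req) {
  return req.session ? 200 : 403;
}

// Hardened handler: look at where the request came from before the session.
function hardenedStatus(req) {
  const trusted = ['same-origin', 'same-site', 'none'];
  // A top-level navigation opens a new document; the referring page
  // cannot observe its outcome, so it is allowed through.
  const topLevelNav = req.mode === 'navigate' && req.dest === 'document';
  if (req.site !== undefined && !trusted.includes(req.site) && !topLevelNav) {
    return 403; // same answer for logged-in and logged-out visitors
  }
  // Browsers that send no Sec-Fetch-Site header fall through to here;
  // SameSite session cookies are the complementary control for them.
  return req.session ? 200 : 403;
}

// Check: can an <img> embedded on another site tell the two states apart?
function leaksLoginState(handler) {
  const embed = { site: 'cross-site', mode: 'no-cors', dest: 'image' };
  const loggedIn = handler({ ...embed, session: true });
  const loggedOut = handler({ ...embed, session: false });
  return loggedIn !== loggedOut;
}

console.log('leaky handler leaks:   ', leaksLoginState(leakyStatus));
console.log('hardened handler leaks:', leaksLoginState(hardenedStatus));
```

Running the same check against each authenticated endpoint of a site shows which responses still differ by login state for cross-site embeds.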

https://grepular.com/Abusing_HTTP_Status_Codes_to_Expose_Private_Information
