grap a site visitors Id's

If it doesn't fit anywhere else, it will fit here.
Post Reply
johntestler
n00b
Posts: 3
Joined: Mon Jan 02, 2012 10:40 pm

grap a site visitors Id's

Post by johntestler » Tue Jan 03, 2012 1:25 am

hey I want to grab the Facebook and twitter ID of a visitor to my site

how is this done without asking them

I can find 100 ways which all need approval from the user - not what i want to do

I can bind there cookie and send back to Facebook or twitter to get the id - but don't know how to get that to run on users side with out asking then nicely "can I get you run this for me please?"

User avatar
Cool_Fire
Not a sandwich
Posts: 1912
Joined: Fri May 09, 2003 1:20 pm
Location: 41 6d 73 74 65 72 64 61 6d
Contact:

Re: grap a site visitors Id's

Post by Cool_Fire » Tue Jan 03, 2012 9:11 am

Cookies are generally also protected these days. Your best bet would be some theoretical Javascript attack.
If we're breaking the rules, then how come you can't catch us? You can't find us? I know why. Cause, it's ... MAGIC!
Hackerthreads chat, where the party is going 24/7.

johntestler
n00b
Posts: 3
Joined: Mon Jan 02, 2012 10:40 pm

Re: grap a site visitors Id's

Post by johntestler » Tue Jan 03, 2012 7:44 pm

That is all great, but what would this theoretical attack look like?
there is no challenge in indirectly getting the user to click a link and piggy back on an event. I what to know who they are the second the come to the site.

User avatar
Cool_Fire
Not a sandwich
Posts: 1912
Joined: Fri May 09, 2003 1:20 pm
Location: 41 6d 73 74 65 72 64 61 6d
Contact:

Re: grap a site visitors Id's

Post by Cool_Fire » Tue Jan 03, 2012 8:15 pm

You can do it one of two ways (that I can think of right now.)

1. XSS something into the page you want to steal the cookie from. (If it doesn't work from the client side, you need a persistent XSS on the site.)
2. Javascript that somehow manages to break outof it's browser tab/sandbox and propagate to other open tabs, until it gets to the tab with the site you want. At that point you should be able to get access to that sites cookies.
There was something regarding this on one of the 28c3 talks, but I don't recall which one.
If we're breaking the rules, then how come you can't catch us? You can't find us? I know why. Cause, it's ... MAGIC!
Hackerthreads chat, where the party is going 24/7.

Post Reply