How many sites are you logged into?

GTP

"Any site you visit can probe you to see whether you're logged into other specific sites.
Same Origin Policy strongly restricts which web content JavaScript can access to coming from
the same hosting site. But IMAGES, being benign and useful, are excluded from the Same Origin
Policy.
The login mechanisms of most major sites will check every incoming request for the presence of
a logged-in session cookie and, if not present, will redirect the user to their logon page.
In order to present the site's logo in the URL, browser tabs, etc., sites place an image called
"favicon.ico" in the root (/) page of the server where all visiting web browsers know to fetch it.
These facts enable JavaScript from a snooping site to probe any user's browser for their current
logged-in status on any other compliant site. (And most sites are compliant.)
The snooping script simply requests the target site's /favicon.ico file, which the same origin
policy allows. If the image request succeeds -- as it would if the user is logged in and the site
returns the image -- the snooping JavaScript is able to detect the successful image load. But if
the user is NOT currently logged on to the target site, the target site will return a
redirect-to-login URL instead of an image, and the snooping JavaScript will see that as an image
load failure.
Thus, while this is not a security violation per se, it's a privacy violation. The snoopy site likely
DOES know who YOU are... and it can determine whether YOU are likely using any other service
that you are currently logged into.
And... since ADVERTISEMENTS are also allowed to run their own JavaScript for ad rotation, etc.,
that also means that the third-party hosts of any ads can similarly perform a rather sophisticated
profiling of the person who is visiting the site hosting the advertisement."

You can check here. https://robinlinus.github.io/socialmedia-leak/


Source: GRC.com Security Now! #636
 
This is interesting. It says I'm logged into three things. Gmail (duh). YouTube (well....ok). And Facebook (what!?!).

I don't use Facebook at all, although I DO have a login - and get thoroughly aggravated when it's the ONLY place to get information about a business or event. I can't even recall the last time I logged into it.

So now I've selectively deleted Facebook's cookies from Chrome and added it to the block list. Now down to only the two logged in sites.
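To make the server-side cause concrete, here is an added example (not from the forum post or from Security Now!) that models the login-redirect middleware the quoted explanation describes, in the leaky form beside a hardened form. Requests and responses are plain objects with constructed paths and cookie values, so no web framework is involved; the asset list, cookie name and handler names are assumptions for illustration.

```javascript
const LOGIN_PATH = "/login";
// Static assets every visitor should receive, logged in or not. Served identically either
// way, they give a cross-site <img> probe nothing to distinguish.
const PUBLIC_ASSETS = new Set(["/favicon.ico", "/robots.txt"]);

function hasSession(req) {
  return Boolean(req.cookies && req.cookies.session);
}

// Leaky form: every request without a session cookie is redirected to the login page, so
// /favicon.ico loads only for logged-in users (an observable image load vs. load failure).
function leakyHandler(req) {
  if (!hasSession(req)) {
    return { status: 302, headers: { Location: LOGIN_PATH + "?next=" + req.path } };
  }
  return { status: 200, body: req.path === "/favicon.ico" ? "<icon bytes>" : "<page>" };
}

// Hardened form: public assets are served before the auth check, and the session cookie is
// issued with SameSite=Lax so the browser does not attach it to cross-site subresource
// fetches (such as an <img> on a third-party page) in the first place.
function hardenedHandler(req) {
  if (PUBLIC_ASSETS.has(req.path)) {
    return { status: 200, body: "<icon bytes>" };
  }
  if (!hasSession(req)) {
    return { status: 302, headers: { Location: LOGIN_PATH + "?next=" + req.path } };
  }
  return { status: 200, body: "<page>" };
}

// Set-Cookie header a hardened login response would send (constructed token value).
function sessionCookieHeader(token) {
  return `session=${token}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Regression check for the defender: does the favicon response differ by login state?
// A probing page only ever learns "image loaded" vs. "image failed", i.e. this difference.
function faviconLeaksLoginState(handler) {
  const loggedIn = handler({ path: "/favicon.ico", cookies: { session: "abc" } });
  const loggedOut = handler({ path: "/favicon.ico", cookies: {} });
  return loggedIn.status !== loggedOut.status;
}

console.log("leaky:", faviconLeaksLoginState(leakyHandler),
            "hardened:", faviconLeaksLoginState(hardenedHandler));
```

The favicon exemption removes the signal even for browsers that ignore SameSite; the cookie attribute removes it for every other authenticated URL a page might probe as an image.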
Absolutely - a lot of sites these days depend on loading chunks of JavaScript from jQuery, Google, Amazon, etc. and most of those aren't reachable by default from a webpage. I believe that Decentraleyes addresses some of that by maintaining local copies instead, but I haven't tested in detail and there are certainly sites where I have to pop it open and say "allow, allow, allow, allow, allow." Sites that I visit regularly I've saved those settings for, but that's not 100%.
Does using something like uMatrix have any negative or unintended consequences?
I have uMatrix on my "business" laptop and it's locked down fairly solidly. I don't use it for much other than my accounts proggy.
On all other machines I use uBlock Origin which gives a quick option (as does uMatrix, but I don't want to fool with it) to allow/disallow sites if needed.
I "allow" very few. It's really only off for repairtech's forum, technibble and Kabuto which are whitelisted.