The HTTP status codes history hack isn't exactly about finding out whether a user has visited a web page, but rather about knowing whether they are currently logged into an account on the specified site. This example shows the exploit using Facebook, but it should be possible to port it to quite a lot of other websites that require a login at some point.
The idea is quite simple: some pages of a website return a different status code when you are not logged in than when you are. For example, my Facebook profile is only visible to people currently logged in to Facebook. In that case my profile page returns an HTTP status code of 200, but if somebody tries to view my profile without being logged in it returns a 404 error. We can detect this difference in behaviour with two simple JavaScript events: onload and onerror.
All we need to do is load the Facebook profile URL in a script tag and attach an onload and an onerror event handler to it. The onload event fires if you are logged in; onerror fires if you are not. Very simple, but also very accurate. See the proof of concept below; you can log in or out of your Facebook account and reload this page to see the result change.
Checking your Facebook login status…
And here’s the code:
<script type="text/javascript" src="https://www.facebook.com/people/Jens-Lübberstedt/1009310897" onload="alert('Logged in to Facebook')" onerror="alert('Not logged in to Facebook')"> </script>
The hack works in all versions of Firefox, Chrome and Safari; it does not work in Internet Explorer or Opera, as these browsers don't fire the attached events.
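The leak only exists because two things line up: the endpoint's status code depends on session state, and the browser sends the session cookie with a cross-site script request and then reports success or failure through onload/onerror. The following Node.js example is added here and is not code from the original post or from Facebook; it models the endpoint and a simplified cross-site script load, and then goes a step beyond the post by showing three server-side changes that each remove the observable difference: returning the same status code in both states, sending X-Content-Type-Options: nosniff plus Cross-Origin-Resource-Policy: same-origin so the browser refuses to treat the HTML as a cross-origin script, and issuing the session cookie with SameSite=Lax so it is not attached to cross-site subresource requests at all. All function names are hypothetical and the session token is a constructed sample value.

```javascript
// Added example (not from the original post). Models the server endpoint and a
// simplified browser loading it via a cross-site <script src>, then compares the
// weak and hardened configurations. All names are hypothetical.

const SESSION_COOKIE = "session";
const VALID_TOKEN = "constructed-session-token"; // constructed sample, not a real token

function isLoggedIn(req) {
  return req.cookies[SESSION_COOKIE] === VALID_TOKEN;
}

// Weak endpoint: 200 when logged in, 404 otherwise (the behaviour the post relies on).
function weakProfileHandler(req) {
  return isLoggedIn(req)
    ? { status: 200, headers: { "Content-Type": "text/html" }, body: "<html>profile</html>" }
    : { status: 404, headers: { "Content-Type": "text/html" }, body: "<html>not found</html>" };
}

// Hardened endpoint: identical status and headers in both states; only the body
// differs, and a cross-origin <script> cannot read the body. nosniff stops the
// browser from executing HTML as script; CORP refuses cross-origin embedding.
function hardenedProfileHandler(req) {
  return {
    status: 200,
    headers: {
      "Content-Type": "text/html",
      "X-Content-Type-Options": "nosniff",
      "Cross-Origin-Resource-Policy": "same-origin",
    },
    body: isLoggedIn(req) ? "<html>profile</html>" : "<html>please log in</html>",
  };
}

// Set-Cookie value for the session. With SameSite=Lax the browser does not attach
// the cookie to a cross-site subresource request such as <script src>.
function sessionSetCookie(sameSite) {
  return `${SESSION_COOKIE}=${VALID_TOKEN}; Path=/; HttpOnly; Secure; SameSite=${sameSite}`;
}

// Simplified browser model for <script src="https://site/profile"> loaded from
// another origin. Returns "onload" or "onerror", which is all the observer sees.
function crossSiteScriptOutcome(handler, hasSession, sameSite) {
  const cookieSent = hasSession && sameSite === "None";
  const req = { cookies: cookieSent ? { [SESSION_COOKIE]: VALID_TOKEN } : {} };
  const res = handler(req);
  const h = res.headers;
  const blockedByCorp = h["Cross-Origin-Resource-Policy"] === "same-origin";
  const blockedByNosniff =
    h["X-Content-Type-Options"] === "nosniff" && !/javascript/i.test(h["Content-Type"] || "");
  if (blockedByCorp || blockedByNosniff) return "onerror"; // load refused in both states
  return res.status >= 200 && res.status < 300 ? "onload" : "onerror";
}

// The endpoint leaks login state iff the two states produce different events.
function leaksLoginState(handler, sameSite) {
  return (
    crossSiteScriptOutcome(handler, true, sameSite) !==
    crossSiteScriptOutcome(handler, false, sameSite)
  );
}

// Tabulate endpoint variant x cookie attribute -> leaks?
function report() {
  const rows = [];
  const handlers = [["weak", weakProfileHandler], ["hardened", hardenedProfileHandler]];
  for (const [endpoint, handler] of handlers) {
    for (const sameSite of ["None", "Lax"]) {
      rows.push({ endpoint, sameSite, leaks: leaksLoginState(handler, sameSite) });
    }
  }
  return rows;
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(report());
}
```

Run it with `node` to get the four-row table; only the weak endpoint with a SameSite=None cookie leaks. In a real deployment the status-code rule is the one that matters most, because it is the server's own decision; the nosniff and CORP headers and the cookie attribute are defence in depth that depend on browser support.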
More examples of this hack’s usage can be found in this article by Mike Cardwell and this post by Jeremiah Grossman.
If you'd like a "real" history hack that tells you whether a user has visited a website without requiring them to be logged into it, please have a look at my blog post on using an IFrame in a scrollable DIV to read browsing history.