What is it?

Hyperlogout is a website that will log you out from popular internet services that probably implement logout in an unsafe way, such as Amazon, Gmail, Hacker News, Instagram, Spotify and others. See the full list here.

Yes, you’ve probably seen it before. This is a shameless clone of Superlogout, but you can contribute by adding more vulnerable websites.

How does it work?

We try to trigger logout on your behalf by doing GET and POST requests to some services. If those services don’t check whether or not you’re manually doing it, they just terminate your session.

All images, iframes and forms created are hidden to have a cleaner UI. Callbacks attached to their onload handlers are used to remove the elements afterwards, and avoid undesired side effects such as URL redirection.

GET endpoints

On vulnerable websites, we can log you out by doing a simple GET request to the correct endpoint. We try to load an image, but instead of adding a valid image URL, we specify the endpoint as the src attribute:

<img src="http://example.com/logout/">

All example.com cookies are sent along, so the service thinks this is a legit request, and logs you out.

POST endpoints

We create a form with the fields that the endpoint is expecting, attach an iframe as its target and then submit the form. Again, cookies under the target domain are sent, and if the site is not protected, the user session is terminated.

var form = document.createElement('form'),

iframe = document.createElement('iframe'),

input = document.createElement('input'); iframe.name = 'my-iframe';

document.body.appendChild(iframe); form.action = 'http://example.com/logout/';

form.method = 'POST';

form.target = iframe.name; // An input for each parameter must be created and attached to the form

input.type = 'hidden';

input.name = 'action';

input.value = 'logout';

form.appendChild(input); document.body.appendChild(form);

form.submit();

Why should I care?

Imagine that your bank doesn’t really care if you manually trigger a money transfer. It just checks that you have valid source and destination accounts, and enough funds. We could be able to withdraw 10k dollars from your account and transfer it to ours simply by making you visit a site that displays this “image”:

<img src="http://bank.example.com/withdraw?account=John&amount=10000&for=Eduardo">

This is called a Cross-site request forgery exploit. Hyperlogout is a very mild version of this attack, because the logout action is usually not critical and can be left “unprotected”. Although a bunch of services like GitHub, Steam Store or Soundcloud protect it now, maybe because logout can potentially be a vector for other attacks.

References