Hey guys, want to get logged out of a bunch of sites?



  • Taken from Reddit: https://www.reddit.com/r/InternetIsBeautiful/comments/3l7edb/website_that_will_log_you_out_of_all_your/

    Click to nuke: http://superlogout.com/

    Oh, and I didn't get banned from meta.d during the great purge.

    So much for CSRF.



  • The only site on that list I'm logged into is github.com. Note the lack of past tense in the previous sentence.



  • I don't get it. It says "Ok" next to YouTube, but I'm still logged into YouTube...

    Is it broken or...? What's it supposed to do?

    EDIT: oh I guess it logged me off of DeviantArt? So that's one site it works on. I still don't know what "Ok" implies, if it seems to show "Ok" even if it failed to log you out.



  • I love how it tried to log me out of YouTube by doing a post request to http:// that got redirected to https:// and therefore lost.



  • YouTube seems to set the right headers too:

    Load denied by X-Frame-Options: https://www.youtube.com/ does not permit cross-origin framing.

    That was probably a nice demo back when it worked :smile:

    Domain Name: superlogout.com
    [...]
    Creation Date: 2011-07-16T03:35:33Z

    At least some sites and browsers patched their shit since 2011!



  • @blakeyrat said:

    if it seems to show "Ok" even if it failed to log you out.

    I guess "ok" should read "I fired off an HTTP request ¯\_(ツ)_/¯"





  • Well, get ready to make fun of me for lacking psychic powers, but maybe a SINGLE GODDAMNED LINE OF TEXT to explain what anything on the site means might be useful.



  • What about this SINGLE GODDAMNED LINE OF TEXT?



  • That doesn't tell me anything. For all I know it's a video game.





  • @Matches said:

    Oh, and I didn't get banned from meta.d during the great purge.

    LOL



  • Wow, it works even better than the original!
    Employed metric: perceived honesty about giving a shit



  • I don't understand the purpose, why not just clear your cookies? Also I'm not comfortable knowing that it's possible for a website to do this kind of thing without my permission, that sounds like CSRF to me.



  • @LB_ said:

    I don't understand the purpose

    @LB_ said:
    that sounds like CSRF to me

    Why did you ask a question and then answer it right away?



  • @LB_ said:

    that sounds like CSRF to me

    It absolutely is. The short list of sites that do it right are most of the sites that people say "it didn't sign me out!" about. There's also a comment in there purporting to be from somebody from Wikipedia saying something like "I thought we already had CSRF protection, let me go fix that".



  • I didn't realize the website was intended to be a proof-of-concept to highlight security flaws, I thought it was intended to be a useful tool despite the fact that it was evil.



  • Well, if other sites go the Discourse way and start bikeshedding the Logout button away as a power user feature, it might start to be...


  • Winner of the 2016 Presidential Election

    <body


  • I remember the old community server days where someone would post <img src="/logout.aspx"> and then the moderators would have a really hard time getting rid of it because Community Server sucked so much.

    But on reflection, if I thought ~~Wolfenstein~~ Community Server represented an apex of mediocrity in ~~shooters~~ forum software, I must have been severely lacking in imagination back then.
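The logout CSRF discussed in this thread, from the `<img src="/logout.aspx">` anecdote to the sites that "do it right", shown as an added Python example that is not part of the thread or any site's code. It contrasts a logout handler that trusts the session cookie alone with one that requires POST plus a session-bound token; all names (`handle_logout`, `csrf_token_for`, the session ids) are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Set

# Constructed server-side secret, generated fresh for this example only.
SERVER_KEY = secrets.token_bytes(32)


def csrf_token_for(session_id: str) -> str:
    """Per-session anti-CSRF token: HMAC of the session id under the server key."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle_logout_naive(sessions: Set[str], cookie_sid: Optional[str]) -> int:
    """Cookie-only logout: any request that carries the cookie ends the session.

    The browser attaches the cookie even when another site triggers the
    request, which is the behaviour the thread is describing.
    """
    sessions.discard(cookie_sid)
    return 204


def handle_logout(method: str, sessions: Set[str],
                  cookie_sid: Optional[str], form_token: Optional[str]) -> int:
    """Hardened logout: returns the HTTP status the endpoint would send."""
    if method != "POST":
        return 405  # state-changing action refused on GET (image tags, plain links)
    if cookie_sid not in sessions:
        return 401  # no live session behind this cookie
    expected = csrf_token_for(cookie_sid)
    # The token only arrives if the form came from a page served to this session.
    if form_token is None or not hmac.compare_digest(
            expected.encode(), form_token.encode()):
        return 403  # cookie present but token missing or wrong: cross-site request
    sessions.discard(cookie_sid)
    return 204


if __name__ == "__main__":
    live = {"sid-alice"}  # constructed sample session store
    print(handle_logout("GET", live, "sid-alice", None))    # 405
    print(handle_logout("POST", live, "sid-alice", None))   # 403
    print(handle_logout("POST", live, "sid-alice", csrf_token_for("sid-alice")))  # 204
```
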



  • @ben_lubar said:

    I remember the old community server days where someone would post <img src="/logout.aspx"> and then the moderators would have a really hard time getting rid of it because Community Server sucked so much.

    Hahaha, joke's on you lot, I never registered on Community Server!



  • I'm a bit disappointed to be honest. I thought it would do something novel like steal my cookies and impersonate me for a while but some things are just not meant to be.

    Overall four stars.

