Abusing HTTP Status Codes to Expose Private Information
When you visit my website, I can automatically and silently determine if you’re logged into Facebook, Twitter, GMail and Digg. There are almost certainly thousands of other sites with this issue too, but I picked a few vulnerable well known ones to get your attention. You may not care that I can tell you’re logged into GMail, but would you care if I could tell you’re logged into one or more porn or warez sites? Perhaps oppressive-regime.example.org would like to collect a list of their users who are logged into controversial-website.example.com?
via Bruce Schneier