Hmm that's actually a good point. I was going to suggest they should tie the picture to a browser rather than an account name, so they can only send the cookies to servers behind the login subdomain -- this would protect you from the attacker requesting the image on your behalf.
Of course the problem with that approach is when you're using different browsers, the image will be different every time.
Maybe a solution would be:
- ask user for username only
- set cookie based on username
- show image associated with account
- ask for password
That should theoretically work on every browser and protect against cross-site requests. Of course this method has its own caveats though.
Edit: never mind. I hadn't thought it through. Of course the attacker can send your username through their page and fetch the image then display it. So the only approach I can think of that would work is tying the image to a browser rather than an account.
Cookies are not arbitrarily sent to any server. If Google has a separate subdomain they use for authentication (say login.google.com), they can instruct your browser to only send the relevant cookie to that subdomain.
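An added example, not code from anyone in this thread: a small Python model of the browser-bound approach, where the server ties a random token to the browser after a full login and the image endpoint answers only from that token, beside the username-keyed variant that a relaying page defeats. The login host (login.example.com), the SameSite=Strict cookie model and the sample account are assumptions.

```python
import secrets
from dataclasses import dataclass, field
LOGIN_HOST = "login.example.com"  # assumed authentication subdomain

@dataclass
class Browser:
    """Toy cookie jar holding host-only, SameSite=Strict cookies."""
    jar: dict = field(default_factory=dict)
    def set_cookie(self, host, name, value):
        self.jar.setdefault(host, {})[name] = value

    def cookies_for(self, host, initiator):
        # Only the exact host that set a cookie gets it back, and only when
        # the request was initiated from that same site (SameSite=Strict).
        return dict(self.jar.get(host, {})) if initiator == host else {}

class SitekeyServer:
    def __init__(self):
        self.account_image = {"alice": "red-boat.png"}  # constructed data
        self.browser_tokens = {}  # random token -> username

    def bind_browser(self, browser, username):
        """After a full login, bind this browser (not the username) to the
        account with a random token stored as a cookie on the login host."""
        token = secrets.token_urlsafe(16)
        self.browser_tokens[token] = username
        browser.set_cookie(LOGIN_HOST, "sitekey", token)

    def image_for(self, host, cookies):
        """Image endpoint: answers only from the browser-bound token."""
        if host != LOGIN_HOST:
            return None
        owner = self.browser_tokens.get(cookies.get("sitekey"))
        return self.account_image.get(owner) if owner else None

    def weak_image_for(self, username):
        """Username-keyed variant from the thread: whoever supplies the
        name gets the image, so a relaying page defeats it."""
        return self.account_image.get(username)

def demo():
    server, alice = SitekeyServer(), Browser()
    server.bind_browser(alice, "alice")
    return {
        "bound": server.image_for(LOGIN_HOST, alice.cookies_for(LOGIN_HOST, LOGIN_HOST)),
        "other_browser": server.image_for(LOGIN_HOST, Browser().cookies_for(LOGIN_HOST, LOGIN_HOST)),
        "cross_site": server.image_for(LOGIN_HOST, alice.cookies_for(LOGIN_HOST, "attacker.example")),
        "weak": server.weak_image_for("alice"),
    }
```

The `other_browser` result is the usability caveat raised in the thread: a second browser, or cleared cookies, legitimately shows no image.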
Good point, though it sounds like it'd be very challenging to train users to notice the absence of a special image... especially when it's normal for that image to disappear whenever they use a different browser or clear cookies.