Note: This post now archived and as such no longer works
This is possible because Lemmy doesn’t proxy external images but instead loads them directly. While not all that bad, this could be used for Spy pixels by nefarious posters and commenters.
Note, that the only thing that I willingly log is the “hit count” visible in the image, and I have no intention to misuse the data.
targetx ( @targetx@programming.dev ) 41•11 months agoNice example!
I think proxying everything through lemmy would have a pretty big bandwidth/scalability impact. I expect the lemmy clients dont send any unique user info on these image requests so not sure how useful it would be as a spy pixel? Maybe I’m missing something :-)
Goddard Guryon ( @goddard_guryon@sopuli.xyz ) 13•11 months agoIt would be interesting to see just how much info is shared when lemmy requests the image. If there is [potentially] sensitive info being shared, the devs might be interested in working on it too (I have no idea how to check such a thing, this comment is just so I can find the post later when more people have shared their wisdom on it)
Muddybulldog ( @muddybulldog@mylemmy.win ) English26•11 months agoNone (by Lemmy), as Lemmy doesn’t actually request the image (that would be proxying). Your browser requests the image directly by URL. Lemmy, technically, doesn’t even know an image exists. It just provides the HTML and lets your browser do the work.
CoderKat ( @CoderKat@lemm.ee ) English3•11 months agoYup. And to add, your browser will send things like:
-
Your IP address. Technically this is sent by the OS doing networking and is unavoidable. At best, a VPN can hide this, because the VPN sits in the middle.
-
Various basic request headers, which most notably contains user agent (identifies browser) and language headers, both which you can fake if you want to.
-
Cookies for that domain (if you have any). Those can track you across multiple requests and thus build up a profile of you.
-
ono ( @ono@lemmy.ca ) English17•11 months agoNotably, this allows remote parties to associate your IP address with your interests, as revealed by the Lemmy communities that you browse.
One way is for the image host to use the HTTP Referer field. (Standards-respecting web browsers pass the URL of the web page being viewed to the server hosting the image.)
Another way is by posting an image with a unique URL.
Even if Referer is withheld and the image is not unique, the image host can still do basic fingerprinting of your client’s request header and your OS’s TCP quirks, and associate that fingerprint with your IP address.
An option for Lemmy to proxy media would be very helpful. Small instances could perhaps disable it, although they might not need to, since the additional load would scale with the number of users on that instance.
PoliticalAgitator ( @PoliticalAgitator@lemm.ee ) 4•11 months agoNotably, this allows remote parties to associate your IP address with your interests, as revealed by the Lemmy communities that you browse.
I suspect with a coordinated pool of posts or multiple comments on the same post, you could narrow that IP address down to an actual user account.
When a new comment is posted by a user, store, against their username, all IP addresses that visited since the last comment in that thread (by anyone). When a second comment is posted by a user, remove any IP addresses that don’t appear in both lists.
I suspect you would have a very short list after two comments, and a single address after 3. It would also be extremely easy to both lure someone into viewing an image and bait them into multiple replies. Geolocate that IP and you know know vaguely where that user lives.
Time to make sure you’re always on a VPN I guess.
You could also send the image through a DM if you want to find a particular user
PoliticalAgitator ( @PoliticalAgitator@lemm.ee ) 1•11 months agoOh yeah, that’d be much less effort.
ono ( @ono@lemmy.ca ) English3•11 months agoEven without that, once your Lemmy interests are sold/shared by IP address, they can be associated with your real identity as soon as you log in to a service that knows who you are.
lazylion_ca ( @lazylion_ca@lemmy.ca ) 12•11 months agoWere you expecting otherwise? Loading an external image is no different than loading an external website with images. Lemmy and reddit are link aggregators, not proxies. Having to proxy everything would run a significant bandwidth for instance admin who are often paying out of pocket for hosting.
Seraph ( @Seraph@kbin.social ) 4•11 months agoAny chance that’s why this account is posting the same image and gibberish? @googa
Erika2rsis ( @Erika2rsis@lemmy.blahaj.zone ) English5•11 months agoFrom what I remember, that image was hosted on hexbear.net, so I don’t think so.
SokathHisEyesOpen ( @Anticorp@lemmy.ml ) 2•11 months agoHow do you get an image to run code? I guess I somehow missed something important in website development.
Edit: I saw that you said you’re using Pillow to actually render the image from code. That’s neat! …and scary
roon ( @roon@lemmy.ml ) English1•11 months agoShare source code? I’m curious
It’s just a simple Flask server. I parse the user-agent using the
user_agents
Python library, apply some conditionals upon the result, render the image using Pillow and send it to the user.
Skull giver ( @skullgiver@popplesburger.hilciferous.nl ) 119•7 months ago[This comment has been deleted by an automated system]
Max ( @max@nano.garden ) 19•11 months agoFinally. Someone noticed 🥹
vithigar ( @vithigar@lemmy.ca ) 16•11 months agoJoke’s on you. IP geolocation where I am is an unreliable mess and your image got it wrong by about 1000km!
Skull giver ( @skullgiver@popplesburger.hilciferous.nl ) 8•7 months ago[This comment has been deleted by an automated system]
TwinTusks ( @TwinTusks@outpost.zeuslink.net ) English14•11 months agoLocation is right, but I highly doubt anyone near me is using Lemmy (dictatorship here).
Skull giver ( @skullgiver@popplesburger.hilciferous.nl ) 19•7 months ago[This comment has been deleted by an automated system]
lFenix ( @lFenix@lemmy.ml ) English7•11 months agoI’m not using a VPN or anything and it got my location wrong by 700 kilometers 🤔
RickyRigatoni ( @RickyRigatoni@lemmy.ml ) 18•11 months agoAre you sure you are where you think you are? When’s the last time you looked outside?
TechieDamien ( @TechieDamien@lemmy.ml ) 8•11 months agoOh no! I’ve been kidnapped!
👁️👄👁️ ( @mojo@lemm.ee ) English6•11 months agoWoah this is really cool. Though I was way off for me and I’m not on a VPN right now.
Skull giver ( @skullgiver@popplesburger.hilciferous.nl ) 4•7 months ago[This comment has been deleted by an automated system]
mim ( @mim@lemmy.sdf.org ) 5•11 months agoThanks for the heads-up.
Routing my Lemmy mobile app through orbot from now on. Seems to have fixed the issue.
Rin ( @Rinnarrae@beehaw.org ) 5•11 months agoI was wondering for a second why my town of all places was posted lmao. Also made me realize I forgot to turn my vpn back on.
SokathHisEyesOpen ( @Anticorp@lemmy.ml ) 4•11 months agoYou can run Geolocation with images now? What the heck? How?
Skull giver ( @skullgiver@popplesburger.hilciferous.nl ) 19•7 months ago[This comment has been deleted by an automated system]
lightstream ( @lightstream@lemmy.ml ) 8•11 months agoIt’s not the image, it’s a normal image. The server does the hard work when you make the request, and then it just builds the image accordingly.
SokathHisEyesOpen ( @Anticorp@lemmy.ml ) 3•11 months agoYeah I saw OPs explanation in the comments. That is fucking cool! And scary! I’ve never needed to generate images with code before, so Ive never even considered something like this before.
WndyLady ( @WndyLady@lemm.ee ) English4•11 months agoI wonder why the Baltimore community is so dead, then.
kabobglance ( @kabobglance@infosec.pub ) 4•11 months agoYou have the code for this? Very interested in how you implemented it
remotedev ( @remotedev@lemmy.ca ) 4•11 months agoMy location is accurate, to give some good feedback on your program too lol
Skull giver ( @skullgiver@popplesburger.hilciferous.nl ) 1•7 months ago[This comment has been deleted by an automated system]
Thought about adding the user’s location, but was worried PythonAnywhere could somehow cache the image between multiple people. A great demo though!
LucyLastic ( @LucyLastic@beehaw.org ) 3•11 months agoThis is great, because it located me about a full day’s drive from where I live, so I’m still pretty anonymous :-)
Altima NEO ( @altima_neo@lemmy.zip ) English2•11 months agoHah, not my town, but close. That’s where my ISP is located though.
skankhunt42 ( @skankhunt42@lemmy.ca ) 1•11 months agoI hate this so much. Its super cool but MAN what the hell. I don’t think I’m going to ever turn off my VPN anymore. I’m in a super small town and that image is correct.
It’s cached somewhere because I can’t get it to update. Maybe time for a new account too. Hmmmm
Skull giver ( @skullgiver@popplesburger.hilciferous.nl ) 1•7 months ago[This comment has been deleted by an automated system]
skankhunt42 ( @skankhunt42@lemmy.ca ) 1•11 months agoYeah, app cache had to be cleared. We good
moitoi ( @moitoi@feddit.de ) 1•11 months agoI’m not using a VPN and the location isn’t accurate.
June ( @June@lemm.ee ) 1•11 months agoIt’s got me about an hour from where I actually am
SokathHisEyesOpen ( @Anticorp@lemmy.ml ) 37•11 months agoOh neat, Jerboa doesn’t identify itself. Cool.
charlytune ( @charlytune@mander.xyz ) 5•11 months agoI get “unknown (mobile?) client” using Jerboa
edric ( @scytale@lemm.ee ) 34•11 months ago- Mlem - knows exactly that it’s Mlem.
- Memmy - sees Mobile Safari webkit.
- Voyager - same as Memmy.
- Thunder - just sees Mobile Client.
moonsnotreal ( @moonsnotreal@lemmy.blahaj.zone ) 26•11 months ago- Jerboa - also just sees a Mobile Client
Zenaida macroura ( @Zenaida_macroura@lemmy.ml ) 12•11 months ago- Infinity for Lemmy - just says Android
Lmaydev ( @Lmaydev@programming.dev ) 8•11 months ago- Connect - also says a mobile client
TheButtonJustSpins ( @TheButtonJustSpins@infosec.pub ) English5•11 months agoSame for Liftoff on Android
1984 ( @1984@lemmy.today ) 16•11 months agoDoesn’t know it’s sync.
roon ( @roon@lemmy.ml ) English3•11 months agoVoyager on Android
Gollum ( @genfood@feddit.de ) 1•11 months ago- Lemmios
Zetaphor ( @Zetaphor@zemmy.cc ) English29•11 months agoSalient demonstration, but if image proxying were to come to Lemmy I’d hope it was made optional, as it could overburden smaller instances, especially one-person instances (like mine). We also need a simple integrated way of configuring object storage.
Skull giver ( @skullgiver@popplesburger.hilciferous.nl ) 13•7 months ago[This comment has been deleted by an automated system]
ReversalHatchery ( @ReversalHatchery@beehaw.org ) English2•11 months agoA better solution could be having an image proxy as a separate service, and somehow managing a list of proxies that are used for loading the image. Of course the clients themselves would have to deal with choosing to use the proxy… except if the backend serves the proxied image URL instead of the original one (and maybe that too under a new name)
DavyJones ( @DavyJones@lemmy.dbzer0.com ) English29•11 months agoWhat is it supposed to say?
Blizzard ( @Blizzard@lemmy.zip ) English24•11 months agoWhat is it supposed to say?
“You are viewing this from The Black Pearl, Davy Jones.”
Kissaki ( @Kissaki@feddit.de ) English10•11 months agoIt names your browser and OS.
ares35 ( @ares35@kbin.social ) 3•11 months agoit got mine wrong because i change default useragent and platform in the browser.
minorsecond ( @minorsecond@lemm.ee ) English12•11 months agoI’ll be damned. I tried this from three different platforms and you’ve nailed it.
kostel_thecreed ( @kostel_thecreed@lemmy.ca ) 4•11 months agoI’m using Firefox on Mac and it thought I was on windows. Still a big issue though.
Forcen ( @Forcen@lemmy.one ) English11•11 months agoEasiest way to stop this from happening is to use ublock origin to block all third party request on your instance.
One way to do this is via dynamic filtering. This is for advanced users so be sure to read the info page: https://github.com/gorhill/uBlock/wiki/Dynamic-filtering
(Consider backing up your ublock settings before doing this)
If you are using lemmy.ml your rule would be this:
lemmy.ml * 3p block
if you’re using another instance then change the domain or use both rules cause you might end up visiting the others as well. Note that adding this rule wont work unless enable advanced features in ublock origin. EDIT: THIS MIGHT BREAK THINGS ON YOUR INSTANCE, its recommended to learn how to use dynamic filtering to unbreak it: https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-quick-guide If it breaks stuff just remove that rule.
You could also block it using static filters but I can’t remember how to do that exactly, if you know please reply below.
ares35 ( @ares35@kbin.social ) 10•11 months agofor a little extra creepiness, modify the image-generating script to add geoip location data and http referer to the image.
Skull giver ( @skullgiver@popplesburger.hilciferous.nl ) 9•7 months ago[This comment has been deleted by an automated system]
Thought about adding the user’s location, but was worried PythonAnywhere could somehow cache the image between multiple people.
synae[he/him] ( @synae@lemmy.sdf.org ) 10•11 months agoI would’ve hoped that lemmy users on a c called privacy would understand the technology better, but I guess not.
jozo ( @jozo@lemmy.sdf.org ) 10•11 months agoWhat does it say? on jerboa is states that i use unknown mobile client, with infinity, android client. All i have is adaway on my phone
Monkey With A Shell ( @ShellMonkey@lemmy.socdojo.com ) 9•11 months agoEven without instance proxy, it should easy enough on the client side to not pull remote images unless directed to do so, similar to most email clients these days. At least it gives people a warning that they’re passing data to a 3rd party location.
LoudWaterHombre ( @loudWaterEnjoyer@lemmy.dbzer0.com ) 8•11 months agounknown device?
The user-agent detection definitely isn’t great. If it doesn’t recognize a client, it just says unknown. But that wasn’t the main point of the post anyway, this was just meant as a quick proof of concept for anyone curious.
LoudWaterHombre ( @loudWaterEnjoyer@lemmy.dbzer0.com ) 1•11 months agoWhats the point of unknown?
kratoz29 ( @kratoz29@lemm.ee ) English1•11 months agoIt kinda knows.
judas ( @judas@lemmy.ca ) 8•11 months agoMan, I remember I scared the crap out of trolls on Reddit when we started arguing over DM, and I added a link to a meme that tracked their IP and system info (without them knowing ofc). Let’s just say they went AFK quickly after that. Good times!
- skymtf ( @skymtf@pricefield.org ) English7•11 months ago
I feel like there isn’t a real way to fix this, since lemmy isn’t a single service, like I can choose any image host I want. The only way I could think of would be to have your instance download the images but that’s currently not even support on the mastodon alike platforms even. The only thing you can do on Mastodon that I’m aware of is cache the images on your own server which could get costly