Note: This post now archived and as such no longer works

An external image showing your user-agent and the total "hit count"

  • TriLinder@lemmy.mlOPEnglish
    85·
    1 year ago

    This is possible because Lemmy doesn’t proxy external images but instead loads them directly. While not all that bad, this could be used for Spy pixels by nefarious posters and commenters.

    Note, that the only thing that I willingly log is the “hit count” visible in the image, and I have no intention to misuse the data.

    • Shadow@lemmy.caEnglish
      731·
      1 year ago

      The best part is it also works on DMs, so it’s trivial to get any persons IP address. Want an admins IP address? Just DM them a message with an embedded spy pixel.

      I emailed the lemmy developers about this a few weeks ago since IMHO it’s a pretty big security issue, no reply.

      • TheEntity@kbin.social
        335·
        1 year ago

        I think you’re overestimating the value of someone’s IP address. Not much one can do with it unless someone really tries to expose themselves.

        • krayj@sh.itjust.worksEnglish
          212·
          1 year ago

          1. If you are planning on hijacking one of their online accounts, then obtaining all possible intel about someone helps to make phishing their other service providers easier. Knowing someone’s IP address means you instantly know what city they are in.

          2. If you are trying to reveal someone’s true identity and you have already learned of their IP address through some other means, then this would allow you to reveal their identity on lemmy. Example: an employer already knows the home ip addresses of their employees who work remotely and vpn into the company office. They see someone on lemmy sharing insider info about the company they would rather not have shared and suspect the lemmy user is a disgruntled employee and send them a dm with tracking pixel to verify whether that lemmy user’s ip address matches the addresses of any of their employees.

          3. Consider the case of someone thinking they are anonymous and boasting about some activities that might be legally questionable, then consider some law enforcement agency using tracking pixel to get user’s ip address. If the lemmy server is outside of jurisdiction they might not be able to subponea the lemmy instance admins for that user’s ip address, but now they don’t have to. With the IP address they can just subponea the isp to get the user’s identity. This could be over criminal activity…or maybe just something like admitting being gay in a country that sentences to death for that.

          These are just three examples…there are countless other examples just as bad.

          TL/DR: it is a significant security breach to allow 3rd parties the ability to use the platform to expose user’s ip addresses, and even worse when it can be targeted at specific users (such as the DM scenerio that is also affected).

        • pivot_root@lemmy.worldEnglish
          9·
          1 year ago

          1: DM all admins a spy pixel.

          2: Coordinate a mass effort to spam rule-breaking posts and comments at some day.

          3: Distributed denial of service attack on all admin IPs on that day.

          Profit?

          • TheEntity@kbin.social
            0·
            1 year ago

            I’m on kbin, so tell me: do the images open on their own on Lemmy? If not, then it works like any link one might send, image or not image. The server always can see the IP address, as it was never meant to be secret. This also assumes the admins always use a single network with a single static IP address.

  • Porrny@lemmynsfw.comEnglish
    201·
    1 year ago

    You are viewing this from Apple Mail on MacOSX…. Ummm, okay. If you say so…

  • Steeve@lemmy.caEnglish
    13·
    1 year ago

    You are viewing this from a (rand() % 2 == 0) ? "android" : "apple" phone.

  • Deez@lemm.eeEnglish
    101·
    1 year ago

    “You are viewing this from bile Safari”

  • Artair Geal@pawb.socialEnglish
    6·
    1 year ago

    Right client, wrong operating system. It knows I’m using Leomard, but it thinks I’m on iOS. I suspect it doesn’t handle architecture detection well on Apple Silicon machines.

  • Draconic NEO@lemmy.worldEnglish
    31·
    1 year ago

    Very interesting, I think I’ll probably be using Tor for my Lemmy usage from now on, or at least a VPN since this does have the potential to be used maliciously in personal DDoS attacks.

    • Mubelotix@jlai.luEnglish
      52·
      1 year ago

      Your IP isn’t a secret. There plenty of ways to get it. And this one doesn’t even link it to your identity