PHP is the OG bad-ass for getting shit done. No setup, no compile, no deployment pipelines. Hell, you can create and write the files right there on the server with nothing more than an SSH terminal if you want.
Yeah I saw OPs explanation in the comments. That is fucking cool! And scary! I’ve never needed to generate images with code before, so Ive never even considered something like this before.
I hate this so much. Its super cool but MAN what the hell. I don’t think I’m going to ever turn off my VPN anymore. I’m in a super small town and that image is correct.
It’s cached somewhere because I can’t get it to update. Maybe time for a new account too. Hmmmm
The user-agent detection definitely isn’t great. If it doesn’t recognize a client, it just says unknown. But that wasn’t the main point of the post anyway, this was just meant as a quick proof of concept for anyone curious.
This is possible because Lemmy doesn’t proxy external images but instead loads them directly. While not all that bad, this could be used for Spy pixels by nefarious posters and commenters.
Note, that the only thing that I willingly log is the “hit count” visible in the image, and I have no intention to misuse the data.
I think proxying everything through lemmy would have a pretty big bandwidth/scalability impact. I expect the lemmy clients dont send any unique user info on these image requests so not sure how useful it would be as a spy pixel? Maybe I’m missing something :-)
It would be interesting to see just how much info is shared when lemmy requests the image. If there is [potentially] sensitive info being shared, the devs might be interested in working on it too (I have no idea how to check such a thing, this comment is just so I can find the post later when more people have shared their wisdom on it)
None (by Lemmy), as Lemmy doesn’t actually request the image (that would be proxying). Your browser requests the image directly by URL. Lemmy, technically, doesn’t even know an image exists. It just provides the HTML and lets your browser do the work.
![An external image showing your user-agent and the total “hit count”](https://trilinder.pythonanywhere.com/image.jpg)
I get the same result when I browse directly to the link.
So, if OP links a malcious website we have a problem … (?).
Not really that huge of a problem. When making requests you also usually send a header which includes the user agent.
The program just logs how many times the image has been requested and it reads the user agent data. No Javascript is actually executed.
Well it might be possible to have a XSS somehow but I haven’t really done much research into this possibility.
In general it’s a pretty standard way of handling embedded images. Email does this too. That’s how you have these services that can check if someone read a mail
Yup. And to add, your browser will send things like:
Your IP address. Technically this is sent by the OS doing networking and is unavoidable. At best, a VPN can hide this, because the VPN sits in the middle.
Various basic request headers, which most notably contains user agent (identifies browser) and language headers, both which you can fake if you want to.
Cookies for that domain (if you have any). Those can track you across multiple requests and thus build up a profile of you.
Notably, this allows remote parties to associate your IP address with your interests, as revealed by the Lemmy communities that you browse.
One way is for the image host to use the HTTP Referer field. (Standards-respecting web browsers pass the URL of the web page being viewed to the server hosting the image.)
Another way is by posting an image with a unique URL.
Even if Referer is withheld and the image is not unique, the image host can still do basic fingerprinting of your client’s request header and your OS’s TCP quirks, and associate that fingerprint with your IP address.
An option for Lemmy to proxy media would be very helpful. Small instances could perhaps disable it, although they might not need to, since the additional load would scale with the number of users on that instance.
Notably, this allows remote parties to associate your IP address with your interests, as revealed by the Lemmy communities that you browse.
I suspect with a coordinated pool of posts or multiple comments on the same post, you could narrow that IP address down to an actual user account.
When a new comment is posted by a user, store, against their username, all IP addresses that visited since the last comment in that thread (by anyone). When a second comment is posted by a user, remove any IP addresses that don’t appear in both lists.
I suspect you would have a very short list after two comments, and a single address after 3. It would also be extremely easy to both lure someone into viewing an image and bait them into multiple replies. Geolocate that IP and you know know vaguely where that user lives.
Even without that, once your Lemmy interests are sold/shared by IP address, they can be associated with your real identity as soon as you log in to a service that knows who you are.
Were you expecting otherwise? Loading an external image is no different than loading an external website with images. Lemmy and reddit are link aggregators, not proxies. Having to proxy everything would run a significant bandwidth for instance admin who are often paying out of pocket for hosting.
It’s just a simple Flask server. I parse the user-agent using the user_agentsPython library, apply some conditionals upon the result, render the image using Pillow and send it to the user.
Proxying external images means that instead of the image being downloaded from the original link, your Lemmy server would download it and serve it for you. The Lemmy server acts as a proxy.
But it means performing a lot of extra traffic. And realistically you’d want to cache the image because otherwise your server will likely get banned for the high volume of requests you send. But caching the images requires more storage and can have potential for legal issues.
And images are one thing, but literally any content is the problem. Images are just the most obvious because they often load without even having to click on the image and thus you’ll get far higher volume of user data. Literally anything you link to has this issue and you cannot proxy all of it.
I would say a user agent spoofer would be more useful for this particular image. The Mozilla team recommends User-Agent Switcher and Manager for Firefox users.
TL;DW: Click on the extension icon, use the drop-down lists to find a browser and OS, select a pre-configured user-agent string from the list, and click “apply (container)” or “apply (all windows)”. Having your user-agent string change randomly with each request is possible but requires writing a bit of JSON in the options.
That’s weird. The extension should definitely work with the image, as that’s what I used when building this quick demo. Does the content of a site like this update?
By not using internet. No, seriously, if you access something over the internet, you will leave tracks. This here post is nothing new or inherently scary on its own. I used to have forum signatures that would tell people what browser they were using or from what IP they were coming.
What you really want to do is disable third party cookies on everything you own. That (and things like hsts super cookies) is what tracks you.
If you’re using an app to browse Lemmy, you might ask for their implementation to reject cookies and fingerprinting attempts when displaying images and other embeddables.
a minute later edit: And yeah, if you don’t like web services to know the IP address given to you by your ISP, VPN is a decent option.
No, seriously, if you access something over the internet, you will leave tracks.
It’s quite the difference between leaving tracks on only one provider’s servers (where your account is hosted), and leaving tracks all over the internet.
There were a few comments under this post about how (easily!) this could be used to find out the IP address and though it the rough location of a commenter.
Lemmy proxying image loads won’t fix this issue at all. Unless you only ever access resources through it, which you won’t. It will even make the problem worse by exposing a single attack surface.
Don’t trust the collection of random internet services to protect interests they are not set out to protect. You wanna hide your IP? Use VPN or Tor.
It’s not nearly as nefarious as people seem to think. Effectively all applications that access web resources send along what they are and basic platform information.
This is part of how the application asks for content in a way that it can handle
It does a little to let you be tracked, but there are other techniques that are far more reliable for that purpose.
I posted this further up, but I think it’s worth pasting here too:
I suspect with a coordinated pool of posts or multiple comments on the same post, you could narrow that IP address down to an actual user account.
When a new comment is posted by a user, store, against their username, all IP addresses that visited since the last comment in that thread (by anyone). When a second comment is posted by a user, remove any IP addresses that don’t appear in both lists.
I suspect you would have a very short list after two comments, and a single address after 3. It would also be extremely easy to both lure someone into viewing an image and bait them into multiple replies. Geolocate that IP and you know know vaguely where that user lives.
Man, I remember I scared the crap out of trolls on Reddit when we started arguing over DM, and I added a link to a meme that tracked their IP and system info (without them knowing ofc). Let’s just say they went AFK quickly after that. Good times!
if you’re using another instance then change the domain or use both rules cause you might end up visiting the others as well. Note that adding this rule wont work unless enable advanced features in ublock origin.
EDIT: THIS MIGHT BREAK THINGS ON YOUR INSTANCE, its recommended to learn how to use dynamic filtering to unbreak it: github.com/…/Dynamic-filtering:-quick-guideIf it breaks stuff just remove that rule.
You could also block it using static filters but I can’t remember how to do that exactly, if you know please reply below.
I’m fine with this. Instances shouldn’t proxy or cache images because it opens instance owners to a lot more liability than text. A client side setting to not load images in comments by default is better.
I feel like there isn’t a real way to fix this, since lemmy isn’t a single service, like I can choose any image host I want. The only way I could think of would be to have your instance download the images but that’s currently not even support on the mastodon alike platforms even. The only thing you can do on Mastodon that I’m aware of is cache the images on your own server which could get costly
Add comment