Privacy @lemmy.ml

1y ago

ARCHIVED

This post knows where you're viewing it from (Lemmy doesn't proxy external images) [ARCHIVED]

Note: This post now archived and as such no longer works

143 comments

This is possible because Lemmy doesn't proxy external images but instead loads them directly. While not all that bad, this could be used for Spy pixels by nefarious posters and commenters.
Note, that the only thing that I willingly log is the "hit count" visible in the image, and I have no intention to misuse the data.
- Nice example!
  I think proxying everything through lemmy would have a pretty big bandwidth/scalability impact. I expect the lemmy clients dont send any unique user info on these image requests so not sure how useful it would be as a spy pixel? Maybe I'm missing something :-)
  
  It would be interesting to see just how much info is shared when lemmy requests the image. If there is [potentially] sensitive info being shared, the devs might be interested in working on it too (I have no idea how to check such a thing, this comment is just so I can find the post later when more people have shared their wisdom on it)
- Notably, this allows remote parties to associate your IP address with your interests, as revealed by the Lemmy communities that you browse.
  One way is for the image host to use the HTTP Referer field. (Standards-respecting web browsers pass the URL of the web page being viewed to the server hosting the image.)
  Another way is by posting an image with a unique URL.
  Even if Referer is withheld and the image is not unique, the image host can still do basic fingerprinting of your client's request header and your OS's TCP quirks, and associate that fingerprint with your IP address.
  An option for Lemmy to proxy media would be very helpful. Small instances could perhaps disable it, although they might not need to, since the additional load would scale with the number of users on that instance.
  
  Notably, this allows remote parties to associate your IP address with your interests, as revealed by the Lemmy communities that you browse.
  I suspect with a coordinated pool of posts or multiple comments on the same post, you could narrow that IP address down to an actual user account.
  When a new comment is posted by a user, store, against their username, all IP addresses that visited since the last comment in that thread (by anyone). When a second comment is posted by a user, remove any IP addresses that don't appear in both lists.
  I suspect you would have a very short list after two comments, and a single address after 3. It would also be extremely easy to both lure someone into viewing an image and bait them into multiple replies. Geolocate that IP and you know know vaguely where that user lives.
  Time to make sure you're always on a VPN I guess.
- Were you expecting otherwise? Loading an external image is no different than loading an external website with images. Lemmy and reddit are link aggregators, not proxies. Having to proxy everything would run a significant bandwidth for instance admin who are often paying out of pocket for hosting.
- Any chance that's why this account is posting the same image and gibberish? @googa
  
  From what I remember, that image was hosted on hexbear.net, so I don't think so.
- How do you get an image to run code? I guess I somehow missed something important in website development.
  Edit: I saw that you said you're using Pillow to actually render the image from code. That's neat! ...and scary
- Share source code? I'm curious
  
  It's just a simple Flask server. I parse the user-agent using the user_agents Python library, apply some conditionals upon the result, render the image using Pillow and send it to the user.

[This comment has been deleted by an automated system]
- Finally. Someone noticed 🥹
- Joke's on you. IP geolocation where I am is an unreliable mess and your image got it wrong by about 1000km!
  
  [This comment has been deleted by an automated system]
- Location is right, but I highly doubt anyone near me is using Lemmy (dictatorship here).
  
  [This comment has been deleted by an automated system]
- Great, hot milfs near my location
- I’m not using a VPN or anything and it got my location wrong by 700 kilometers 🤔
  
  Are you sure you are where you think you are? When's the last time you looked outside?
- Woah this is really cool. Though I was way off for me and I'm not on a VPN right now.
  
  [This comment has been deleted by an automated system]
- Thanks for the heads-up.
  Routing my Lemmy mobile app through orbot from now on. Seems to have fixed the issue.
- I wonder why the Baltimore community is so dead, then.
- You can run Geolocation with images now? What the heck? How?
  
  [This comment has been deleted by an automated system]
  
  It's not the image, it's a normal image. The server does the hard work when you make the request, and then it just builds the image accordingly.
- My location is accurate, to give some good feedback on your program too lol
  
  [This comment has been deleted by an automated system]
- You have the code for this? Very interested in how you implemented it
- I was wondering for a second why my town of all places was posted lmao. Also made me realize I forgot to turn my vpn back on.
- Thought about adding the user's location, but was worried PythonAnywhere could somehow cache the image between multiple people. A great demo though!
- This is great, because it located me about a full day's drive from where I live, so I'm still pretty anonymous :-)
- Hah, not my town, but close. That's where my ISP is located though.
- I'm not using a VPN and the location isn't accurate.
- It’s got me about an hour from where I actually am
- Hey. I wanted to do this tomorrow.
  Well I have a new idea which is pretty similar
  
  [This comment has been deleted by an automated system]
- I hate this so much. Its super cool but MAN what the hell. I don't think I'm going to ever turn off my VPN anymore. I'm in a super small town and that image is correct.
  It's cached somewhere because I can't get it to update. Maybe time for a new account too. Hmmmm
  
  [This comment has been deleted by an automated system]

I'm fine with this. Instances shouldn't proxy or cache images because it opens instance owners to a lot more liability than text. A client side setting to not load images in comments by default is better.
- Each instance stores post thumbnails locally even if the post was on another server. It actually takes up quite a bit of hdd space.

Oh neat, Jerboa doesn't identify itself. Cool.
- Same on Sync (You are viewing this from an unknown (mobile?) client)
  And on infinity (You are viewing this from Android)
- I get "unknown (mobile?) client" using Jerboa

Mlem - knows exactly that it’s Mlem.
Memmy - sees Mobile Safari webkit.
Voyager - same as Memmy.
Thunder - just sees Mobile Client.
- Jerboa - also just sees a Mobile Client
  
  Infinity for Lemmy - just says Android
  
  Connect - also says a mobile client
  
  My connection says that im viewing it from a unknown device
- Doesn't know it's sync.
- Voyager on Android
  
  Which would be correct as Voyager is a Web App
- Lemmios

What is it supposed to say?
- What is it supposed to say?
  "You are viewing this from The Black Pearl, Davy Jones."
- It names your browser and OS.
  
  it got mine wrong because i change default useragent and platform in the browser.

Salient demonstration, but if image proxying were to come to Lemmy I'd hope it was made optional, as it could overburden smaller instances, especially one-person instances (like mine). We also need a simple integrated way of configuring object storage.
- [This comment has been deleted by an automated system]
- A better solution could be having an image proxy as a separate service, and somehow managing a list of proxies that are used for loading the image. Of course the clients themselves would have to deal with choosing to use the proxy.. except if the backend serves the proxied image URL instead of the original one (and maybe that too under a new name)

Easiest way to stop this from happening is to use ublock origin to block all third party request on your instance.
One way to do this is via dynamic filtering. This is for advanced users so be sure to read the info page: https://github.com/gorhill/uBlock/wiki/Dynamic-filtering
(Consider backing up your ublock settings before doing this)
If you are using lemmy.ml your rule would be this:
undefined

lemmy.ml * 3p block
if you're using another instance then change the domain or use both rules cause you might end up visiting the others as well. Note that adding this rule wont work unless enable advanced features in ublock origin.
EDIT: THIS MIGHT BREAK THINGS ON YOUR INSTANCE, its recommended to learn how to use dynamic filtering to unbreak it: https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-quick-guide If it breaks stuff just remove that rule.
You could also block it using static filters but I can't remember how to do that exactly, if you know please reply below.

I'll be damned. I tried this from three different platforms and you've nailed it.
- I'm using Firefox on Mac and it thought I was on windows. Still a big issue though.
  
  It said I'm on Mac OS X, but that's wrong. It's been macOS for some years now. /s
  It still makes me wanna cry.

VPN using Librewolf user checking in. This post got nothing on me.

- Yeah, I'm using Mullvad with misc DNS blockers enabled so it has nothing on me ᕕ( ᐛ )ᕗ

I would've hoped that lemmy users on a c called privacy would understand the technology better, but I guess not.

What does it say? on jerboa is states that i use unknown mobile client, with infinity, android client. All i have is adaway on my phone

for a little extra creepiness, modify the image-generating script to add geoip location data and http referer to the image.
- [This comment has been deleted by an automated system]
- Thought about adding the user's location, but was worried PythonAnywhere could somehow cache the image between multiple people.

Man, I remember I scared the crap out of trolls on Reddit when we started arguing over DM, and I added a link to a meme that tracked their IP and system info (without them knowing ofc). Let's just say they went AFK quickly after that. Good times!

unknown device?
- unkown
  
  Oh, how did I not notice that before? Now should be fixed.
  
  The unkown sounds pretty fucking scary to me
- The user-agent detection definitely isn’t great. If it doesn't recognize a client, it just says unknown. But that wasn't the main point of the post anyway, this was just meant as a quick proof of concept for anyone curious.
  
  Whats the point of unknown?
- It kinda knows.

Even without instance proxy, it should easy enough on the client side to not pull remote images unless directed to do so, similar to most email clients these days. At least it gives people a warning that they're passing data to a 3rd party location.
- That's pretty stupid for a platform mainly based on images.
  
  Maybe, but on the flip side though, as an instance owner, I don't nessecarily want my node to be in the logs acessing questionable content on behalf of the end user.

Image proxies are a must have, let's hope we get those soon!

I feel like there isn't a real way to fix this, since lemmy isn't a single service, like I can choose any image host I want. The only way I could think of would be to have your instance download the images but that's currently not even support on the mastodon alike platforms even. The only thing you can do on Mastodon that I'm aware of is cache the images on your own server which could get costly

- I got mobile client from Liftoff.

Hey FBI dude, I'm jerkin' it, can you gimme some time alone?

All these people correcting the result effectively giving useful data to improve data collection and detection methods.

Holy shit. How do we avoid this? VPN?
- By not using internet. No, seriously, if you access something over the internet, you will leave tracks. This here post is nothing new or inherently scary on its own. I used to have forum signatures that would tell people what browser they were using or from what IP they were coming.
  What you really want to do is disable third party cookies on everything you own. That (and things like hsts super cookies) is what tracks you.
  If you’re using an app to browse Lemmy, you might ask for their implementation to reject cookies and fingerprinting attempts when displaying images and other embeddables.
  a minute later edit: And yeah, if you don’t like web services to know the IP address given to you by your ISP, VPN is a decent option.
  
  No, seriously, if you access something over the internet, you will leave tracks.
  It's quite the difference between leaving tracks on only one provider's servers (where your account is hosted), and leaving tracks all over the internet.
  There were a few comments under this post about how (easily!) this could be used to find out the IP address and though it the rough location of a commenter.
- I would say a user agent spoofer would be more useful for this particular image. The Mozilla team recommends User-Agent Switcher and Manager for Firefox users.
  
  Where can I learn more about using this Firefox extension? I've installed it, but it hasn't changed the results of (https://trilinder.pythonanywhere.com/image.jpg).
  I see I am able to black list pythonanywhere.com.
- It's not nearly as nefarious as people seem to think. Effectively all applications that access web resources send along what they are and basic platform information.
  This is part of how the application asks for content in a way that it can handle
  It does a little to let you be tracked, but there are other techniques that are far more reliable for that purpose.
  
  I posted this further up, but I think it's worth pasting here too:
  I suspect with a coordinated pool of posts or multiple comments on the same post, you could narrow that IP address down to an actual user account.
  When a new comment is posted by a user, store, against their username, all IP addresses that visited since the last comment in that thread (by anyone). When a second comment is posted by a user, remove any IP addresses that don't appear in both lists.
  I suspect you would have a very short list after two comments, and a single address after 3. It would also be extremely easy to both lure someone into viewing an image and bait them into multiple replies. Geolocate that IP and you know know vaguely where that user lives.
  Time to make sure you're always on a VPN I guess.
- Next DNS Blocks it apparently.
  
  Wow! But mine didn't. Which filter lists are you using?
- I’m using a VPN, and the picture knows everything about me regardless.

Jokes on you! I use a Firefox extension that spoofs my browser profile. https://addons.mozilla.org/en-US/firefox/addon/chameleon-ext/

Lemmy clients should really include an option to group or only show the first instance of a link for cases like this; where the same link is posted to multiple places.

So what is happening if I don't see an image?
- it is because the website providing the image is overloaded and cannot create an image.
  You just have to reload the image and eventually you will see one.

User Agent Switcher and Manager

The image doesn't load on alexandrite

Whoa I m totally pigged out

143 comments