this post was submitted on 11 Aug 2023
599 points (96.6% liked)

Privacy

31978 readers
238 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

Note: This post now archived and as such no longer works

An external image showing your user-agent and the total "hit count"

top 50 comments
sorted by: hot top controversial new old
[–] TriLinder@lemmy.ml 199 points 1 year ago (11 children)

This is possible because Lemmy doesn't proxy external images but instead loads them directly. While not all that bad, this could be used for Spy pixels by nefarious posters and commenters.

Note, that the only thing that I willingly log is the "hit count" visible in the image, and I have no intention to misuse the data.

[–] targetx@programming.dev 59 points 1 year ago (1 children)

Nice example!

I think proxying everything through lemmy would have a pretty big bandwidth/scalability impact. I expect the lemmy clients dont send any unique user info on these image requests so not sure how useful it would be as a spy pixel? Maybe I'm missing something :-)

[–] goddard_guryon@sopuli.xyz 17 points 1 year ago* (last edited 1 year ago) (1 children)

It would be interesting to see just how much info is shared when lemmy requests the image. If there is [potentially] sensitive info being shared, the devs might be interested in working on it too (I have no idea how to check such a thing, this comment is just so I can find the post later when more people have shared their wisdom on it)

[–] muddybulldog@mylemmy.win 36 points 1 year ago* (last edited 1 year ago) (3 children)

None (by Lemmy), as Lemmy doesn't actually request the image (that would be proxying). Your browser requests the image directly by URL. Lemmy, technically, doesn't even know an image exists. It just provides the HTML and lets your browser do the work.

[–] A_A@lemmy.world 17 points 1 year ago* (last edited 1 year ago) (2 children)

Exactly. The text of this post is simply :

![An external image showing your user-agent and the total "hit count"](https://trilinder.pythonanywhere.com/image.jpg)
I get the same result when I browse directly to the link.

So, if OP links a malcious website we have a problem ... (?).

[–] goddard_guryon@sopuli.xyz 10 points 1 year ago (1 children)

Oh dangit, it's simpler than I thought. So the only data being sent is...just whatever is sent in your average GET request.

[–] newIdentity@sh.itjust.works 13 points 1 year ago

Yes. It's also a pretty standard way of serving images. A lot of Email clients do that too.

That's also how these services that show you when a email is read work.

load more comments (1 replies)
load more comments (2 replies)
[–] ono@lemmy.ca 24 points 1 year ago* (last edited 1 year ago) (4 children)

Notably, this allows remote parties to associate your IP address with your interests, as revealed by the Lemmy communities that you browse.

One way is for the image host to use the HTTP Referer field. (Standards-respecting web browsers pass the URL of the web page being viewed to the server hosting the image.)

Another way is by posting an image with a unique URL.

Even if Referer is withheld and the image is not unique, the image host can still do basic fingerprinting of your client's request header and your OS's TCP quirks, and associate that fingerprint with your IP address.

An option for Lemmy to proxy media would be very helpful. Small instances could perhaps disable it, although they might not need to, since the additional load would scale with the number of users on that instance.

load more comments (4 replies)
[–] lazylion_ca@lemmy.ca 17 points 1 year ago

Were you expecting otherwise? Loading an external image is no different than loading an external website with images. Lemmy and reddit are link aggregators, not proxies. Having to proxy everything would run a significant bandwidth for instance admin who are often paying out of pocket for hosting.

load more comments (8 replies)
[–] skullgiver@popplesburger.hilciferous.nl 170 points 1 year ago* (last edited 11 months ago) (39 children)

[This comment has been deleted by an automated system]

[–] max@nano.garden 28 points 1 year ago

Finally. Someone noticed 🥹

[–] vithigar@lemmy.ca 26 points 1 year ago (1 children)

Joke's on you. IP geolocation where I am is an unreliable mess and your image got it wrong by about 1000km!

[–] skullgiver@popplesburger.hilciferous.nl 13 points 1 year ago* (last edited 11 months ago)

[This comment has been deleted by an automated system]

[–] TwinTusks@outpost.zeuslink.net 21 points 1 year ago (2 children)

Location is right, but I highly doubt anyone near me is using Lemmy (dictatorship here).

[–] skullgiver@popplesburger.hilciferous.nl 26 points 1 year ago* (last edited 11 months ago)

[This comment has been deleted by an automated system]

load more comments (1 replies)
[–] icepuncher69@sh.itjust.works 10 points 1 year ago

Great, hot milfs near my location

load more comments (35 replies)
[–] Anticorp@lemmy.ml 56 points 1 year ago (2 children)

Oh neat, Jerboa doesn't identify itself. Cool.

[–] Automated_Footprint@sh.itjust.works 16 points 1 year ago* (last edited 1 year ago)

Same on Sync (You are viewing this from an unknown (mobile?) client)

And on infinity (You are viewing this from Android)

[–] charlytune@mander.xyz 12 points 1 year ago

I get "unknown (mobile?) client" using Jerboa

[–] rektifier@sh.itjust.works 55 points 1 year ago* (last edited 1 year ago) (1 children)

I'm fine with this. Instances shouldn't proxy or cache images because it opens instance owners to a lot more liability than text. A client side setting to not load images in comments by default is better.

load more comments (1 replies)
[–] scytale@lemm.ee 51 points 1 year ago* (last edited 1 year ago) (5 children)
  • Mlem - knows exactly that it’s Mlem.
  • Memmy - sees Mobile Safari webkit.
  • Voyager - same as Memmy.
  • Thunder - just sees Mobile Client.
[–] moonsnotreal@lemmy.blahaj.zone 34 points 1 year ago (3 children)
  • Jerboa - also just sees a Mobile Client
[–] Zenaida_macroura@lemmy.ml 16 points 1 year ago
  • Infinity for Lemmy - just says Android
[–] Lmaydev@programming.dev 11 points 1 year ago* (last edited 1 year ago) (1 children)
  • Connect - also says a mobile client
load more comments (1 replies)
load more comments (1 replies)
[–] 1984 25 points 1 year ago

Doesn't know it's sync.

load more comments (3 replies)
[–] DavyJones@lemmy.dbzer0.com 37 points 1 year ago (2 children)

What is it supposed to say?

[–] Blizzard@lemmy.zip 33 points 1 year ago

What is it supposed to say?

"You are viewing this from The Black Pearl, Davy Jones."

[–] Kissaki@feddit.de 16 points 1 year ago (1 children)

It names your browser and OS.

load more comments (1 replies)
[–] Zetaphor@zemmy.cc 34 points 1 year ago (2 children)

Salient demonstration, but if image proxying were to come to Lemmy I'd hope it was made optional, as it could overburden smaller instances, especially one-person instances (like mine). We also need a simple integrated way of configuring object storage.

[–] skullgiver@popplesburger.hilciferous.nl 14 points 1 year ago* (last edited 11 months ago)

[This comment has been deleted by an automated system]

load more comments (1 replies)
[–] Forcen@lemmy.one 19 points 1 year ago* (last edited 1 year ago)

Easiest way to stop this from happening is to use ublock origin to block all third party request on your instance.

One way to do this is via dynamic filtering. This is for advanced users so be sure to read the info page: https://github.com/gorhill/uBlock/wiki/Dynamic-filtering

(Consider backing up your ublock settings before doing this)

If you are using lemmy.ml your rule would be this:

lemmy.ml * 3p block

if you're using another instance then change the domain or use both rules cause you might end up visiting the others as well. Note that adding this rule wont work unless enable advanced features in ublock origin.

EDIT: THIS MIGHT BREAK THINGS ON YOUR INSTANCE, its recommended to learn how to use dynamic filtering to unbreak it: https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-quick-guide If it breaks stuff just remove that rule.

You could also block it using static filters but I can't remember how to do that exactly, if you know please reply below.

[–] minorsecond@lemm.ee 16 points 1 year ago (4 children)

I'll be damned. I tried this from three different platforms and you've nailed it.

load more comments (4 replies)
[–] coffeeguy@lemmy.world 16 points 1 year ago

VPN using Librewolf user checking in. This post got nothing on me.

[–] CookieJarObserver@sh.itjust.works 15 points 1 year ago (1 children)
load more comments (1 replies)
[–] synae@lemmy.sdf.org 14 points 1 year ago

I would've hoped that lemmy users on a c called privacy would understand the technology better, but I guess not.

[–] jozo@lemmy.sdf.org 13 points 1 year ago

What does it say? on jerboa is states that i use unknown mobile client, with infinity, android client. All i have is adaway on my phone

[–] ares35@kbin.social 12 points 1 year ago (2 children)

for a little extra creepiness, modify the image-generating script to add geoip location data and http referer to the image.

[–] skullgiver@popplesburger.hilciferous.nl 10 points 1 year ago* (last edited 11 months ago)

[This comment has been deleted by an automated system]

load more comments (1 replies)
[–] judas@lemmy.ca 11 points 1 year ago

Man, I remember I scared the crap out of trolls on Reddit when we started arguing over DM, and I added a link to a meme that tracked their IP and system info (without them knowing ofc). Let's just say they went AFK quickly after that. Good times!

[–] ShellMonkey@lemmy.socdojo.com 10 points 1 year ago* (last edited 1 year ago) (3 children)

Even without instance proxy, it should easy enough on the client side to not pull remote images unless directed to do so, similar to most email clients these days. At least it gives people a warning that they're passing data to a 3rd party location.

load more comments (3 replies)
[–] loudWaterEnjoyer@lemmy.dbzer0.com 10 points 1 year ago (7 children)
load more comments (7 replies)
load more comments
view more: next ›