this post was submitted on 11 Aug 2023
85 points (88.3% liked)

Lemmy

2172 readers
2 users here now

Everything about Lemmy; bugs, gripes, praises, and advocacy.

For discussion about the lemmy.ml instance, go to [email protected].

founded 4 years ago
MODERATORS
 

Note: This post now archived and as such no longer works

An external image showing your user-agent and the total "hit count"

all 19 comments
sorted by: hot top controversial new old
[–] [email protected] 29 points 1 year ago (1 children)

This is possible because Lemmy doesn't proxy external images but instead loads them directly. While not all that bad, this could be used for Spy pixels by nefarious posters and commenters.

Note, that the only thing that I willingly log is the "hit count" visible in the image, and I have no intention to misuse the data.

[–] [email protected] 2 points 1 year ago (1 children)

Interesting demo! Does this use the user agent string for identifying clients?

[–] [email protected] 2 points 1 year ago
[–] [email protected] 19 points 1 year ago (1 children)

Unknown mobile client. Yeah, I'm pretty mysterious like that.

[–] [email protected] 3 points 1 year ago

Lol, mysterious and slightly confused (mobile?)

[–] [email protected] 9 points 1 year ago (1 children)

"You are viewing this from Firefox on Windows."

I should worry that this info is exposed?

[–] [email protected] 4 points 1 year ago

Probably not. Every time your web browser makes a request to a server, it always transmits some "user agent" describing itself. By default, it'll be something that boils down to "Safari version X on macOS version Y" or "Firefox version A on Windows version B" or something similar. You can often change your user agent (on desktop browsers at least) of you care.

What can someone do with this specific info? Well, not a huge amount. It can be used as a sort of a fingerprint - the more unique a browser's user agent, the more easy it is to target you as a demographic or individual. It could be used in phishing, to legitimize spam - think, "I know you use Firefox on Windows, you don't want to know what else I know!" But honestly, for the vast majority of people (in my opinion) the reality is that letting the server know your user agent isn't going to be doing much.

To be fair, user agent is one of many ways that remote services can track you and identify you.

[–] [email protected] 7 points 1 year ago* (last edited 1 year ago) (1 children)

I did not know until now that it is possible to embed external images within posts and replies. I thought the only option was to upload to your instance.

Image

this is bothersome, but if you use a VPN then at least there's that.

image

otherwise it's feasible to track captured addresses based on which posts they read by posting an external image in the post or a reply.

image

if you are seeing images in this post, then your client address is visible to any external image hosts.

[–] [email protected] 7 points 1 year ago (2 children)

Can countermeasures be implemented in the clients to mitigate privacy risks, while not having to proxy images?

[–] [email protected] 3 points 1 year ago (1 children)

no. the remote server will log the requests based on the client address. it is a good argument for using a vpn.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

Oh I mean, sure, but I don't think IP logging is the main privacy concern with spy pixels.

I'm assuming this trick uses the user agent string and other request metadata to identify clients. Even if it didn't recognize Jerboa as a client, it did guess that I was on mobile. That's not possible just by tracking IPs, unless they're cross-referencing it with other datasets. Also, I was on VPN anyway, so the IP would have been useless.

It should be possible for clients to obfuscate/fake the metadata of image requests to make tracking with spy pixels less effective.

[–] [email protected] 1 points 1 year ago

Yup, I'm parsing the user agent with the user_agents Python library.

[–] [email protected] 2 points 1 year ago (1 children)

At it's basic level it will capture your IP address, but it won't really tie the IP to a user name, and there's not a role lot you can do with it

Attacks I can think of:

  • target advertising at users in a particular lemmy community
  • get a collection of IP addresses of people with specific problems or beliefs (indicated by membership in a lemmy community) to target with malware

A VPN would protect you in this case, but you need to be a bit of a privacy nut to also protect yourself from things that identify for advertising right now

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

If you wanted to target a specific user, you could always send a DM with the image

[–] [email protected] 1 points 1 year ago

You could also correlate time of your log entry to order of comments sorted by new, with errors from the few clients that don't load images

[–] [email protected] 6 points 1 year ago

Would be interesting to use such an embedded image to acquire some statistics on lemmy users. We could answer questions like: What percentage of lemmy users use Linux?

[–] chuckd 5 points 1 year ago

You are viewing this from an unkown (mobile?) client 🤔