this post was submitted on 11 Aug 2023
311 points (94.1% liked)


Note: This post is now archived and as such no longer works

An external image showing your user-agent and the total "hit count"

[–] [email protected] 120 points 1 year ago (2 children)

This is possible because Lemmy doesn't proxy external images but instead loads them directly. While not all that bad, this could be used for Spy pixels by nefarious posters and commenters.

Note, that the only thing that I willingly log is the "hit count" visible in the image, and I have no intention to misuse the data.
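The comment above identifies the root cause: the reader's browser fetches external images itself, so whoever hosts the image sees the reader's IP and user agent. The usual fix is for the instance to rewrite external image links so the browser only talks to the instance, which fetches the image server-side. The block below is an added illustration of that rewrite, not Lemmy's code; the instance host `lemmy.example`, the `/image_proxy` path, the signing key and the sample comment are all constructed for the demo.

```python
import hashlib
import hmac
import re
from urllib.parse import quote, urlparse

# Assumed values for the demo; a real deployment would take these from config.
INSTANCE_HOST = "lemmy.example"
PROXY_PATH = "/image_proxy"
PROXY_KEY = b"constructed-demo-key-not-for-production"

# Markdown image syntax: ![alt](url)
MD_IMAGE = re.compile(r"!\[(?P<alt>[^\]]*)\]\((?P<url>[^)\s]+)\)")


def is_external(url: str) -> bool:
    """True if rendering this URL would make the reader's browser contact a third party."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False  # relative links and data: URIs cause no outbound request
    return parts.hostname is not None and parts.hostname.lower() != INSTANCE_HOST


def sign(url: str) -> str:
    """HMAC over the original URL so the proxy cannot be used as an open relay."""
    return hmac.new(PROXY_KEY, url.encode(), hashlib.sha256).hexdigest()


def verify_proxy_request(url: str, sig: str) -> bool:
    """Server-side check before the proxy fetches anything on a poster's behalf."""
    return hmac.compare_digest(sign(url), sig)


def proxy_url(url: str) -> str:
    """Build the instance-hosted URL that replaces the external one."""
    return f"https://{INSTANCE_HOST}{PROXY_PATH}?url={quote(url, safe='')}&sig={sign(url)}"


def external_image_urls(text: str) -> list:
    """Detection helper for moderators: list third-party image hosts in a post."""
    return [m.group("url") for m in MD_IMAGE.finditer(text) if is_external(m.group("url"))]


def rewrite_markdown(text: str) -> str:
    """Hardening step: route every external image through the instance proxy."""
    def repl(m):
        url = m.group("url")
        if not is_external(url):
            return m.group(0)  # same-origin images stay as they are
        return f"![{m.group('alt')}]({proxy_url(url)})"
    return MD_IMAGE.sub(repl, text)


# Constructed sample comment: one third-party image, one instance-hosted image,
# and a 1x1 "pixel" with a per-recipient id in its query string.
SAMPLE_COMMENT = (
    "Look at this ![cat](https://pics.example.org/cat.png) and "
    "![local](https://lemmy.example/pictrs/image/abc.png) "
    "and a 1x1 ![](https://tracker.example.net/pixel.gif?id=42)"
)

if __name__ == "__main__":
    print("external hosts found:", external_image_urls(SAMPLE_COMMENT))
    print(rewrite_markdown(SAMPLE_COMMENT))
```

The rewrite only changes who makes the request: the fetcher behind `/image_proxy` now makes it on the poster's behalf, so it must refuse private address ranges, cap response size and time out quickly, or the proxy simply becomes a server-side request forgery vector instead of a tracking one.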

[–] [email protected] 100 points 1 year ago (2 children)

The best part is it also works on DMs, so it's trivial to get any person's IP address. Want an admin's IP address? Just DM them a message with an embedded spy pixel.

I emailed the lemmy developers about this a few weeks ago since IMHO it's a pretty big security issue, no reply.

[–] [email protected] 43 points 1 year ago (4 children)

I think you're overestimating the value of someone's IP address. Not much one can do with it unless someone really tries to expose themselves.

[–] [email protected] 21 points 1 year ago* (last edited 1 year ago)
  1. If you are planning on hijacking one of their online accounts, then obtaining all possible intel about someone helps to make phishing their other service providers easier. Knowing someone's IP address means you instantly know what city they are in and who their service provider is.

  2. If you are trying to reveal someone's true identity and you have already learned of their IP address through some other means, then this would allow you to reveal their identity on Lemmy. Example: an employer already knows the home IP addresses of their employees who work remotely and VPN into the company office. They see someone on Lemmy sharing insider info about the company they would rather not have shared and suspect the Lemmy user is a disgruntled employee, and send them a DM with a tracking pixel to verify whether that Lemmy user's IP address matches the addresses of any of their employees.

  3. Consider the case of someone thinking they are anonymous and boasting about some activities that might be legally questionable, then consider some law enforcement agency using a tracking pixel to get the user's IP address. If the Lemmy server is outside of their jurisdiction they might not be able to subpoena the Lemmy instance admins for that user's IP address, but now they don't have to. With the IP address they can just subpoena the ISP to get the user's identity. This could be over criminal activity...or maybe just something like admitting to being gay in a country that sentences people to death for that.

These are just three examples...there are countless other examples just as bad.

TL/DR: it is a significant security breach to allow 3rd parties the ability to use the platform to expose users' IP addresses, and even worse when it can be targeted at specific users (such as the DM scenario that is also affected).

[–] [email protected] 20 points 1 year ago (1 children)

Joke's on you, I'm in front of 9 proxies. 🤡

[–] pivot_root 11 points 1 year ago* (last edited 1 year ago) (1 children)

1: DM all admins a spy pixel.

2: Coordinate a mass effort to spam rule-breaking posts and comments at some day.

3: Distributed denial of service attack on all admin IPs on that day.

...

Profit?

[–] [email protected] 1 points 1 year ago (1 children)

I'm on kbin, so tell me: do the images open on their own on Lemmy? If not, then it works like any link one might send, image or not image. The server always can see the IP address, as it was never meant to be secret. This also assumes the admins always use a single network with a single static IP address.

[–] pivot_root 1 points 1 year ago

Embeds are fetched and displayed without user interaction.

This also assumes the admins always use a single network with a single static IP address.

Not really. Send a DM to every single admin of an instance and wait until you get enough collected IP addresses. Pay someone running a botnet to flood those addresses for an hour or two.

Even with a dynamic IP address, you're still stuck with it for a while. If you're lucky, power cycling will get a new one immediately. If you're not you get to enjoy waiting for a day or sitting on hold with your ISP's support number, running through their scripted support process until you finally get to someone capable of helping.

[–] kichimi 5 points 1 year ago

I think you are underestimating its value. Some residential IPs' geolocation is accurate down to the street.

[–] [email protected] 4 points 1 year ago

Didn't know you can DM on Lemmy. Maybe the Jerboa devs have not implemented it yet.

[–] [email protected] 21 points 1 year ago (3 children)
[–] aegis_sum 3 points 1 year ago

Same, I'm using an app.

[–] nomecks 1 points 1 year ago

Firewalled device ftw?

[–] majlitech 1 points 1 year ago
[–] troydowling 74 points 1 year ago (2 children)

"an unknown (mobile?) client"

Well, nice try anyway.

[–] [email protected] 6 points 1 year ago
[–] TheCookieButter 3 points 1 year ago

Same, woo for my security I guess!

[–] [email protected] 26 points 1 year ago (1 children)

You are viewing this from Apple Mail on MacOSX…. Ummm, okay. If you say so…

[–] subtext 14 points 1 year ago

iCloud relay perhaps?

[–] [email protected] 22 points 1 year ago (1 children)
[–] [email protected] 7 points 1 year ago (1 children)

uBlock Origin? NoScript? Internet Explorer?

[–] TheGreatFox 16 points 1 year ago (2 children)

It got my OS right, but browser wrong. Tested both Librewolf and Vivaldi, which it sees as Firefox and Chrome.

[–] [email protected] 20 points 1 year ago

This is because LibreWolf reports itself as Firefox for privacy, and Vivaldi does the same thing with Chrome. There is no Vivaldi string in their user agent.

[–] [email protected] 2 points 1 year ago

That makes sense. Vivaldi uses a chrome user agent most of the time, unless you use a Microsoft service, in which case it uses a Microsoft Edge user agent.

[–] [email protected] 15 points 1 year ago

You are viewing this from a (rand() % 2 == 0) ? "android" : "apple" phone.

[–] nl4real 14 points 1 year ago

The post knows where I am because it knows where I am not.

[–] [email protected] 12 points 1 year ago

“You are viewing this from bile Safari”

[–] _e____b 10 points 1 year ago (1 children)

It did not get my setup right. I guess that newsboat+PostmarketOS+Pinephone is exotic enough.

[–] Fuzzypyro 4 points 1 year ago (1 children)

Hello fellow pinephone enjoyer. I haven’t used mine in a while. Has the battery life situation improved much?

[–] _e____b 1 points 1 year ago (1 children)

Not really. I use it without a SIM card, with the extra battery housed in the keyboard; I have to plug it in every 2 days.

[–] Fuzzypyro 2 points 1 year ago
[–] [email protected] 8 points 1 year ago

Right client, wrong operating system. It knows I'm using Leomard, but it thinks I'm on iOS. I suspect it doesn't handle architecture detection well on Apple Silicon machines.

[–] Mezzy 7 points 1 year ago

"You are viewing this from ome Mobile web View on Andr".... Uhhhh... Ok?

[–] PoweredByGeena 7 points 1 year ago

LOL I am viewing in Voyager App and it says I am viewing from “Apple Mail”

[–] Draconic_NEO 6 points 1 year ago (5 children)

Very interesting, I think I'll probably be using Tor for my Lemmy usage from now on, or at least a VPN since this does have the potential to be used maliciously in personal DDoS attacks.

[–] [email protected] 2 points 1 year ago (1 children)

Your IP isn't a secret. There are plenty of ways to get it. And this one doesn't even link it to your identity.

[–] Draconic_NEO 3 points 1 year ago (1 children)

It's not about identification it's about being disconnected in a DoS by someone with faster internet (until I can get a new one, dynamic IP rotates).

[–] [email protected] 2 points 1 year ago (1 children)

What is the functioning process of this?

[–] [email protected] 11 points 1 year ago

A simple GET request.
