Note: This post now archived and as such no longer works

An external image showing your user-agent and the total "hit count"

  • TriLinder@lemmy.mlOP
    131·
    2 years ago

    This is possible because Lemmy doesn’t proxy external images but instead loads them directly. While not all that bad, this could be used for Spy pixels by nefarious posters and commenters.

    Note, that the only thing that I willingly log is the “hit count” visible in the image, and I have no intention to misuse the data.

    • targetx@programming.dev
      331·
      2 years ago

      Nice example!

      I think proxying everything through lemmy would have a pretty big bandwidth/scalability impact. I expect the lemmy clients dont send any unique user info on these image requests so not sure how useful it would be as a spy pixel? Maybe I’m missing something :-)

    • ono@lemmy.caEnglish
      15·
      2 years ago

      Notably, this allows remote parties to associate your IP address with your interests, as revealed by the Lemmy communities that you browse.

      One way is for the image host to use the HTTP Referer field. (Standards-respecting web browsers pass the URL of the web page being viewed to the server hosting the image.)

      Another way is by posting an image with a unique URL.

      Even if Referer is withheld and the image is not unique, the image host can still do basic fingerprinting of your client’s request header and your OS’s TCP quirks, and associate that fingerprint with your IP address.

      An option for Lemmy to proxy media would be very helpful. Small instances could perhaps disable it, although they might not need to, since the additional load would scale with the number of users on that instance.

    • lazylion_ca@lemmy.ca
      11·
      2 years ago

      Were you expecting otherwise? Loading an external image is no different than loading an external website with images. Lemmy and reddit are link aggregators, not proxies. Having to proxy everything would run a significant bandwidth for instance admin who are often paying out of pocket for hosting.

    • SokathHisEyesOpen@lemmy.ml
      1·
      2 years ago

      How do you get an image to run code? I guess I somehow missed something important in website development.

      Edit: I saw that you said you’re using Pillow to actually render the image from code. That’s neat! …and scary

  • rektifier@sh.itjust.works
    29·
    2 years ago

    I’m fine with this. Instances shouldn’t proxy or cache images because it opens instance owners to a lot more liability than text. A client side setting to not load images in comments by default is better.

    • _I_@lemmy.world
      1·
      2 years ago

      Yeah, I’m using Mullvad with misc DNS blockers enabled so it has nothing on me ᕕ( ᐛ )ᕗ

  • judas@lemmy.ca
    8·
    2 years ago

    Man, I remember I scared the crap out of trolls on Reddit when we started arguing over DM, and I added a link to a meme that tracked their IP and system info (without them knowing ofc). Let’s just say they went AFK quickly after that. Good times!

  • WhatAmLemmy@lemmy.worldEnglish
    4·
    2 years ago

    Lemmy clients should really include an option to group or only show the first instance of a link for cases like this; where the same link is posted to multiple places.

  • mub@lemmy.ml
    4·
    2 years ago

    All these people correcting the result effectively giving useful data to improve data collection and detection methods.

    • A_A@lemmy.world
      3·
      2 years ago

      it is because the website providing the image is overloaded and cannot create an image.
      You just have to reload the image and eventually you will see one.