• Otter@lemmy.ca · 45 upvotes · edited · 2 years ago

      In all seriousness, all apps and frontends should implement countermeasures (if they haven’t already) so that you can turn off image previews as needed

    • Skull giver@popplesburger.hilciferous.nl · 33 upvotes · 2 years ago

      With its current implementation, that feature has a lot of downsides as well.

      If you wanted, you could embed tracking pixels all over Lemmy and apps and browsers will happily report who’s reading your posts.

        • Skull giver@popplesburger.hilciferous.nl · 24 upvotes · edited · 2 years ago

          The trick is that to embed images in Lemmy, you’re basically hot linking them. That means any kind of tracking your average web server can do is possible through Lemmy’s image embedding feature.

          I’ve explicitly disabled any kind of logging for the proof of concept above (it’s generated on the fly by the server, not cached on my end, no IP logs or anything) but it’s not hard for a malicious user to abuse this. It basically takes your IP address, looks up an estimated town based on some free geoip database you can download, and renders that as text inside an image.

          This could be solved by rewriting comments to force image URLs to be loaded through your home server, but I don’t know if anyone has started work on that yet.
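
Added example, not part of the thread or of Lemmy's code: a sketch of the rewrite suggested in the comment above, sending remote image URLs in a comment's Markdown through the reader's home instance so the remote host sees the instance's address instead of the reader's. The `/image_proxy?url=` path, the `proxy_images` name and the sample hosts are assumptions made for illustration.

```python
import re
from urllib.parse import quote, urlsplit

# Assumption: the home instance serves a fetch-and-relay endpoint at this path.
PROXY_PATH = "/image_proxy?url="

# Markdown inline image: ![alt](url), ![alt](<url>) or ![alt](url "title")
IMAGE_RE = re.compile(r'!\[([^\]]*)\]\(\s*<?([^\s<>)]+)>?(\s+"[^"]*")?\s*\)')


def proxy_images(markdown: str, home_host: str) -> str:
    """Rewrite remote image URLs so clients only ever contact home_host."""

    def rewrite(match: re.Match) -> str:
        alt, url, title = match.group(1), match.group(2), match.group(3) or ""
        try:
            parts = urlsplit(url)
        except ValueError:
            return alt  # unparseable URL: keep the alt text, drop the image
        # Relative paths, data: URIs and images already hosted on the home
        # instance never cause a request to a third-party server.
        if not parts.netloc or parts.hostname == home_host.lower():
            return match.group(0)
        if parts.scheme == "":
            url = "https:" + url  # protocol-relative //host/path still leaks
        elif parts.scheme not in ("http", "https"):
            return match.group(0)
        proxied = f"https://{home_host}{PROXY_PATH}{quote(url, safe='')}"
        return f"![{alt}]({proxied}{title})"

    return IMAGE_RE.sub(rewrite, markdown)


# Constructed sample comment: one remote image with a title, one image on the
# home instance, one protocol-relative remote image.
SAMPLE = ('Look: ![pixel](https://tracker.example/p.png?u=1 "hi") '
          '![local](https://lemmy.example/pictrs/image/a.png) '
          '![x](//tracker.example/b.gif)')

if __name__ == "__main__":
    print(proxy_images(SAMPLE, "lemmy.example"))
```

The rewrite only helps if it runs on the instance before the comment reaches clients; reference-style images and raw HTML are not covered by this pattern.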

          • Zonen-RANSLITE@feddit.de · 6 upvotes · 2 years ago

            > It basically takes your IP address, looks up an estimated town based on some free geoip database you can download, and renders that as text inside an image.

            OK, less magic than expected.

            • dual_sport_dork 🐧🗡️@lemmy.world · 9 upvotes · edited · 2 years ago

              There have been tools to generate little images like this that people have been sticking inline in forum posts for decades. Literal decades. The world has not yet caught fire because of that, either.

              If you’re old enough, you’ll remember seeing oodles of people’s forum signatures containing a smiley face holding up a sign containing something like this:

      • morrowind@lemmy.ml · 9 upvotes · 2 years ago

        You used to be able to embed arbitrary HTML in comments, which was awesome and terrifying

    • ABCDE@lemmy.world · 14 upvotes · 2 years ago

      Didn’t new reddit start having that? Never saw it except when not logged in, mind you.

      • Localhorst86@feddit.de · 24 upvotes · 1 downvote · 2 years ago

        It did, but it was a “premium feature” - paying users would have to “boost” a community to allow them to enable this feature.

        Only when enough users boosted, the feature became available. And once that threshold was no longer reached, the feature would go away.