1 yr. ago • 93%

This post knows where you're viewing it from (Lemmy doesn't proxy external images) [ARCHIVED]

Note: This post now archived and as such no longer works

An external image showing your user-agent and the total "hit count"

42 comments

This is possible because Lemmy doesn't proxy external images but instead loads them directly. While not all that bad, this could be used for Spy pixels by nefarious posters and commenters.

Note, that the only thing that I willingly log is the "hit count" visible in the image, and I have no intention to misuse the data.

108
- The best part is it also works on DMs, so it's trivial to get any persons IP address. Want an admins IP address? Just DM them a message with an embedded spy pixel.
  
  I emailed the lemmy developers about this a few weeks ago since IMHO it's a pretty big security issue, no reply.
  
  91
  
  I think you're overestimating the value of someone's IP address. Not much one can do with it unless someone really tries to expose themselves.
  
  41
  
  Didn't knew you can DM on lemmy. Maybe the Jerboa devs have not implemented it yet.
  
  4
- Not really.
  
  21
  
  Same, I'm using an app.
  
  2
  
  Jerdoa
  
  1
"an unknown (mobile?) client"

Well, nice try anyway.

73
- sPoOky
  
  6
- Same, woo for my security I guess!
  
  3
You are viewing this from Apple Mail on MacOSX…. Ummm, okay. If you say so…

23
- iCloud relay perhaps?
  
  12
21
- uBlock Origin? NoScript? Internet Explorer?
  
  6
  
  Liftoff, and the device has Blokada5 running but it didn't block that.
  
  -1
It got my OS right, but browser wrong. Tested both Librewolf and Vivaldi, which it sees as Firefox and Chrome.

15
- This is because librewolf reports itself as firefox for privacy, and vivaldi does the same thing with chrome. Their is no vivaldi string in their user agent.
  
  17
- That makes sense. Vivaldi uses a chrome user agent most of the time, unless you use a Microsoft service, in which case it uses a Microsoft Edge user agent.
  
  2
You are viewing this from a (rand() % 2 == 0) ? "android" : "apple" phone.

14
“You are viewing this from bile Safari”

11
Right client, wrong operating system. It knows I'm using Leomard, but it thinks I'm on iOS. I suspect it doesn't handle architecture detection well on Apple Silicon machines.

7
Very interesting, I think I'll probably be using Tor for my Lemmy usage from now on, or at least a VPN since this does have the potential to be used maliciously in personal DDoS attacks.

6
- Your IP isn't a secret. There plenty of ways to get it. And this one doesn't even link it to your identity
  
  2
  
  It's not about identification it's about being disconnected in a DoS by someone with faster internet (until I can get a new one, dynamic IP rotates).
  
  3
- Annoyingly, lemmy.world blocks tor. They should host a tor onion service
  
  0
  
  Are you sure about that because I can open and view lemmy.world just fine in Tor, I think what they mean is federation between hidden services i.e. lemmyinstanceoniondomain.onion is blocked or just not implemented.
  
  1
"You are viewing this from ome Mobile web View on Andr".... Uhhhh... Ok?

6
What is the functioning process of this?

2
- A simple GET request.
  
  10
Value isn't updating for me, says it was viewed 14659 times and I've already tried refreshing the page.

2
- Probably the image is cached.
  
  5
  
  I don't think Tor caches images, does it?
  
  -2
- Whatever Software you're using to view this caches the image
  
  2
Permanently Deleted

-6
- Your assumption that doxxing is somehow the only valid privacy/security concern is misguided.
  
  30
  
  Permanently Deleted
  
  4
- This is Lemmy, you are willing to let people know you use windows??
  
  9

You've viewed 42 comments.