This is possible because Lemmy doesn’t proxy external images but instead loads them directly. While not all that bad, this could be used for Spy pixels by nefarious posters and commenters.
Note, that the only thing that I willingly log is the “hit count” visible in the image, and I have no intention to misuse the data.
The best part is it also works on DMs, so it’s trivial to get any persons IP address. Want an admins IP address? Just DM them a message with an embedded spy pixel.
I emailed the lemmy developers about this a few weeks ago since IMHO it’s a pretty big security issue, no reply.
I think you’re overestimating the value of someone’s IP address. Not much one can do with it unless someone really tries to expose themselves.
-
If you are planning on hijacking one of their online accounts, then obtaining all possible intel about someone helps to make phishing their other service providers easier. Knowing someone’s IP address means you instantly know what city they are in.
-
If you are trying to reveal someone’s true identity and you have already learned of their IP address through some other means, then this would allow you to reveal their identity on lemmy. Example: an employer already knows the home ip addresses of their employees who work remotely and vpn into the company office. They see someone on lemmy sharing insider info about the company they would rather not have shared and suspect the lemmy user is a disgruntled employee and send them a dm with tracking pixel to verify whether that lemmy user’s ip address matches the addresses of any of their employees.
-
Consider the case of someone thinking they are anonymous and boasting about some activities that might be legally questionable, then consider some law enforcement agency using tracking pixel to get user’s ip address. If the lemmy server is outside of jurisdiction they might not be able to subponea the lemmy instance admins for that user’s ip address, but now they don’t have to. With the IP address they can just subponea the isp to get the user’s identity. This could be over criminal activity…or maybe just something like admitting being gay in a country that sentences to death for that.
These are just three examples…there are countless other examples just as bad.
TL/DR: it is a significant security breach to allow 3rd parties the ability to use the platform to expose user’s ip addresses, and even worse when it can be targeted at specific users (such as the DM scenerio that is also affected).
-
Joke’s on you, I’m in front of 9 proxies. 🤡
Didn’t knew you can DM on lemmy. Maybe the Jerboa devs have not implemented it yet.
Not really.
Jerdoa
You are viewing this from Apple Mail on MacOSX…. Ummm, okay. If you say so…
iCloud relay perhaps?
uBlock Origin? NoScript? Internet Explorer?
Liftoff, and the device has Blokada5 running but it didn’t block that.
You are viewing this from a
(rand() % 2 == 0) ? "android" : "apple"phone.The post know where I am because it knows where I am not.
“You are viewing this from bile Safari”
Very interesting, I think I’ll probably be using Tor for my Lemmy usage from now on, or at least a VPN since this does have the potential to be used maliciously in personal DDoS attacks.
Your IP isn’t a secret. There plenty of ways to get it. And this one doesn’t even link it to your identity
It’s not about identification it’s about being disconnected in a DoS by someone with faster internet (until I can get a new one, dynamic IP rotates).
DoS is expensive. Who the hell would spend money just to get you disconnected? Nobody cares about your connection
Annoyingly, lemmy.world blocks tor. They should host a tor onion service
Are you sure about that because I can open and view lemmy.world just fine in Tor, I think what they mean is federation between hidden services i.e. lemmyinstanceoniondomain.onion is blocked or just not implemented.
I can if I use a browser and solve the cloud flare capt ha, but not if I use sync behind tor
I haven’t gotten Cloudflare captchas on lemmy.world yet, Haven’t tried using an app with Tor, as a general rule it’s best to use Tor through the browser since it has features to reduce fingerprinting and MITMs
Right client, wrong operating system. It knows I’m using Leomard, but it thinks I’m on iOS. I suspect it doesn’t handle architecture detection well on Apple Silicon machines.
deleted by creator
Your assumption that doxxing is somehow the only valid privacy/security concern is misguided.
This is Lemmy, you are willing to let people know you use windows??
Removed by mod
Probably the image is cached.
Removed by mod
What is the functioning process of this?
A simple GET request.
