Note: This post now archived and as such no longer works

An external image showing your user-agent and the total "hit count"

  • Shadow@lemmy.ca
    link
    fedilink
    English
    arrow-up
    94
    arrow-down
    1
    ·
    1 year ago

    The best part is it also works on DMs, so it’s trivial to get any persons IP address. Want an admins IP address? Just DM them a message with an embedded spy pixel.

    I emailed the lemmy developers about this a few weeks ago since IMHO it’s a pretty big security issue, no reply.

    • TheEntity@kbin.social
      link
      fedilink
      arrow-up
      47
      arrow-down
      6
      ·
      1 year ago

      I think you’re overestimating the value of someone’s IP address. Not much one can do with it unless someone really tries to expose themselves.

      • krayj@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        23
        arrow-down
        2
        ·
        edit-2
        1 year ago
        1. If you are planning on hijacking one of their online accounts, then obtaining all possible intel about someone helps to make phishing their other service providers easier. Knowing someone’s IP address means you instantly know what city they are in and who their service provider is.

        2. If you are trying to reveal someone’s true identity and you have already learned of their IP address through some other means, then this would allow you to reveal their identity on lemmy. Example: an employer already knows the home ip addresses of their employees who work remotely and vpn into the company office. They see someone on lemmy sharing insider info about the company they would rather not have shared and suspect the lemmy user is a disgruntled employee and send them a dm with tracking pixel to verify whether that lemmy user’s ip address matches the addresses of any of their employees.

        3. Consider the case of someone thinking they are anonymous and boasting about some activities that might be legally questionable, then consider some law enforcement agency using tracking pixel to get user’s ip address. If the lemmy server is outside of jurisdiction they might not be able to subponea the lemmy instance admins for that user’s ip address, but now they don’t have to. With the IP address they can just subponea the isp to get the user’s identity. This could be over criminal activity…or maybe just something like admitting being gay in a country that sentences to death for that.

        These are just three examples…there are countless other examples just as bad.

        TL/DR: it is a significant security breach to allow 3rd parties the ability to use the platform to expose user’s ip addresses, and even worse when it can be targeted at specific users (such as the DM scenerio that is also affected).

      • pivot_root@lemmy.world
        link
        fedilink
        English
        arrow-up
        10
        ·
        edit-2
        1 year ago

        1: DM all admins a spy pixel.

        2: Coordinate a mass effort to spam rule-breaking posts and comments at some day.

        3: Distributed denial of service attack on all admin IPs on that day.

        Profit?

        • TheEntity@kbin.social
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          I’m on kbin, so tell me: do the images open on their own on Lemmy? If not, then it works like any link one might send, image or not image. The server always can see the IP address, as it was never meant to be secret. This also assumes the admins always use a single network with a single static IP address.

          • pivot_root@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            Embeds are fetched and displayed without user interaction.

            This also assumes the admins always use a single network with a single static IP address.

            Not really. Send a DM to every single admin of an instance and wait until you get enough collected IP addresses. Pay someone running a botnet to flood those addresses for an hour or two.

            Even with a dynamic IP address, you’re still stuck with it for a while. If you’re lucky, power cycling will get a new one immediately. If you’re not you get to enjoy waiting for a day or sitting on hold with your ISP’s support number, running through their scripted support process until you finally get to someone capable of helping.