cross-posted from: https://lemmy.today/post/25826615

For those not familiar, there are numerous messages containing images being repeatedly spammed to many Threadiverse users talking about a Polish girl named “Nicole”. This has been ongoing for some time now.

Lemmy permits external inline image references to be embedded in messages. This means that if a unique image URL or set of image URLs is sent to each user, it’s possible to log the IP addresses that fetch these images; by analyzing the log, one can determine the IP address that a user has.

In some earlier discussion, someone had claimed that local lemmy instances cache these on their local pict-rs instance and rewrite messages to reference the local image.

It does appear that there is a closed issue on the lemmy issue tracker referencing such a deanonymization attack:

https://github.com/LemmyNet/lemmy/issues/1036

I had not looked into these earlier, but it looks like such rewriting and caching intended to avoid this attack is not occurring, at least on my home instance. I hadn’t looked until the most recent message, but the image embedded here is indeed remote:

https://lemmy.doesnotexist.club/pictrs/image/323899d9-79dd-4670-8cf9-f6d008c37e79.png

I haven’t stored and looked through a list of these, but as I recall, the user sending them is bouncing around different instances. They certainly are not using the same hostname for their lemmy instance as the pict-rs instance; this message was sent from nicole92 on lemmy.latinlok.com, though the image is hosted on lemmy.doesnotexist.club. I don’t know whether they are moving around where the pict-rs instance is located from message to message. If not, it might be possible to block the pict-rs instance in your browser. That will only be a temporary fix, since I see no reason that they couldn’t also be moving the hostname on the pict-rs instance.

Another mitigation would be to route one’s client software or browser through a VPN.

I don’t know if there are admins working on addressing the issue; I’d assume so, but I wanted to at least mention that there might be privacy implications to other users.

In any event, regardless of whether the “Nicole” spammer is aiming to deanonymize users, as things stand, it does appear that someone could do so.

My own take is that the best fix here on the lemmy-and-other-Threadiverse-software side would be to disable inline images in messages. Someone who wants to reference an image can always link to an external image in a message, and permit a user to click through. But if remote inline image references can be used, there’s no great way to prevent a user’s IP address from being exposed.

If anyone has other suggestions to mitigate this (maybe a Greasemonkey snippet to require a click to load inline images as a patch for the lemmy Web UI?), I’m all ears.
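The mechanism the post describes (a unique image URL per recipient, then correlating the image host’s access log against the recipient list), shown as an added example that is not part of the original post and not code from Lemmy or pict-rs. Every hostname, token, username, IP address and log line below is constructed for illustration, and the rule that an instance’s own server-side fetch identifies itself with a `Lemmy/` User-Agent is an assumption of this example, not something the post established.

```javascript
// Added example: correlating per-recipient image tokens with access-log hits.
// Not code from the original post or from Lemmy/pict-rs. All hosts, tokens,
// usernames, IPs and log lines are constructed.

// Sender-side table built when the messages went out: each recipient received
// a unique image URL, so the token in the path identifies the recipient.
const TOKEN_TO_RECIPIENT = {
  "7f3a9c1e": "alice@lemmy.example",
  "b82d4410": "bob@lemmy.example",
  "e0c51f77": "carol@piefed.example",
};

// Constructed nginx "combined" format lines from the image host's access log.
const ACCESS_LOG = `
203.0.113.5 - - [10/Mar/2025:12:01:14 +0000] "GET /pictrs/image/7f3a9c1e.png HTTP/1.1" 200 48213 "https://lemmy.example/inbox" "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"
198.51.100.23 - - [10/Mar/2025:12:01:20 +0000] "GET /pictrs/image/b82d4410.png HTTP/1.1" 200 48213 "-" "Lemmy/0.19.3; +https://lemmy.example"
198.51.100.77 - - [10/Mar/2025:12:03:02 +0000] "GET /pictrs/image/b82d4410.png HTTP/1.1" 200 48213 "https://lemmy.example/inbox" "Mozilla/5.0 (Android 14; Mobile) Firefox/125.0"
203.0.113.5 - - [10/Mar/2025:12:09:41 +0000] "GET /pictrs/image/7f3a9c1e.png HTTP/1.1" 304 0 "https://lemmy.example/inbox" "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"
192.0.2.200 - - [10/Mar/2025:12:10:00 +0000] "GET /robots.txt HTTP/1.1" 404 153 "-" "curl/8.6.0"
`;

// One combined-format line: ip ident user [time] "method path proto" status bytes "referer" "ua"
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;

// Parse a single log line; returns null for blank or non-matching lines.
function parseAccessLogLine(line) {
  const m = LOG_RE.exec(line.trim());
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]), referer: m[6], ua: m[7] };
}

// The per-recipient token is the file stem of the pict-rs image path.
const TOKEN_RE = /^\/pictrs\/image\/([0-9a-f]+)\.[a-z]+$/;

function extractToken(path) {
  const m = TOKEN_RE.exec(path);
  return m ? m[1] : null;
}

// Assumption for this example: a fetch made by an instance itself (thumbnailing
// or caching) carries a "Lemmy/" User-Agent. Such a hit exposes the instance's
// address, not the reader's, so it must not be attributed to the recipient.
function isServerSideFetch(entry) {
  return entry.ua.startsWith("Lemmy/");
}

// Map each recipient to the distinct client IPs that loaded their unique image.
function correlate(logText, tokenToRecipient) {
  const hits = {};
  for (const line of logText.split("\n")) {
    const entry = parseAccessLogLine(line);
    if (!entry || entry.method !== "GET") continue;
    const token = extractToken(entry.path);
    if (!token || !(token in tokenToRecipient)) continue;
    if (isServerSideFetch(entry)) continue;
    const recipient = tokenToRecipient[token];
    if (!hits[recipient]) hits[recipient] = new Set();
    hits[recipient].add(entry.ip);
  }
  return hits;
}

// Stand-alone usage: prints one line per recipient who loaded their image.
const seen = correlate(ACCESS_LOG, TOKEN_TO_RECIPIENT);
for (const [recipient, ips] of Object.entries(seen)) {
  console.log(recipient, "->", [...ips].join(", "));
}
```

On the constructed log, alice resolves to one address (two hits, one of them a 304 revalidation), bob resolves to the mobile browser hit only because the instance-side fetch is discarded, and carol never loaded the image and so does not appear. A reader whose instance really did cache and rewrite the image, as the closed issue describes, would show up only as their instance’s address.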

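A best-effort version of the click-to-load userscript the post asks about, added here as an example; it is not the post’s code and not part of lemmy-ui. It assumes the instance is served at lemmy.example (adjust `@match`), and it treats any image whose host differs from the page’s own host as remote, since an image served by your own instance reveals nothing the instance does not already have.

```javascript
// ==UserScript==
// @name         Lemmy remote-image click-to-load (added example)
// @match        https://lemmy.example/*
// @run-at       document-start
// @grant        none
// ==/UserScript==
//
// Added example, not code from the original post or from lemmy-ui.
// Assumption: the instance lives at lemmy.example (edit @match above).

// Return the foreign hostname an image would be fetched from, or null when the
// image is local to the instance (relative URL, same host, data:/blob: URL).
// Anything that cannot be parsed is reported as remote so that it gets gated.
function remoteImageHost(src, pageHost) {
  let url;
  try {
    url = new URL(src, "https://" + pageHost + "/");
  } catch (e) {
    return "unparsable"; // fail closed
  }
  if (url.protocol === "data:" || url.protocol === "blob:") return null;
  return url.host === pageHost.toLowerCase() ? null : url.host;
}

// Replace a remote <img> with a link that loads the image only on click.
function gateImage(img) {
  const src = img.getAttribute("src") || "";
  const host = remoteImageHost(src, location.host);
  if (host === null) return;
  // Drop the source so the browser does not (re)request the image.
  img.removeAttribute("src");
  img.removeAttribute("srcset");
  const gate = document.createElement("a");
  gate.href = "#";
  gate.textContent = "[remote image on " + host + " - click to load]";
  gate.addEventListener("click", (ev) => {
    ev.preventDefault();
    img.setAttribute("src", src);
    gate.replaceWith(img);
  });
  img.replaceWith(gate);
}

// lemmy-ui is a single-page app, so images arrive after the initial load;
// watch the whole document for newly inserted <img> elements.
if (typeof document !== "undefined") {
  new MutationObserver((mutations) => {
    for (const m of mutations) {
      for (const node of m.addedNodes) {
        if (!(node instanceof Element)) continue;
        if (node.tagName === "IMG") gateImage(node);
        node.querySelectorAll("img").forEach(gateImage);
      }
    }
  }).observe(document.documentElement, { childList: true, subtree: true });
}
```

The caveat a practitioner should expect: a browser starts fetching an image as soon as its `src` is set, which can happen before the element is inserted into the document and therefore before the observer sees it, so a userscript cannot guarantee the request is never sent. A content-blocker rule that blocks third-party images on the instance, or the server-side change the post argues for, is the reliable fix; the script above mainly keeps already-loaded posts from re-fetching and makes the remote host visible.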
  • hendrik@palaver.p3x.de · 3 upvotes · 19 hours ago

    I mean for most users worldwide, the IP changes every 24h or so, maybe every few days. So I doubt it’s of great value unless you have access to another big database of current logins to match this against. And if you already have that database, I don’t see the value of recording the IP again. The only added info is that the user uses Lemmy, if there isn’t any identifier in the image URL.

    • captainastronaut@seattlelunarsociety.org · 1 upvote · 8 hours ago

      That doesn’t stop data brokers profiling. One login (into ESPN to update your fantasy team, or into one of your utility providers) from the new IP and all they know about you from the old IP maps to the new one. If you use your ISP’s router they are probably even selling history from the private IPs inside your network.

      • hendrik@palaver.p3x.de · 1 upvote · 5 hours ago

        Uh, I don’t think recording internal IPs would be legal where I live. But yeah, my ISP sends me bills every month, they know exactly how much data I use and where I live. My router runs my own Linux (OpenWRT), though.

        And sure, that’s exactly why I personally am worried about the advertisement and tracking platforms. Those definitely make a living by connecting every minor detail. And they have more available like Browser fingerprints, device identifiers if you forgot to disable the advertisement id on your phone…

    • bizarroland@fedia.io · 11 upvotes · 19 hours ago

      I wouldn’t necessarily trust that. I have used Xfinity for a long time and my IP address often went months without changing.

      • hendrik@palaver.p3x.de · 3 upvotes · 19 hours ago

        Yeah, I heard it’s different with some providers in north america. But then again, it’s not very straightforward to track which IPs belong to which provider, in which timespans they get renewed and then match that to other info.

    • OpenStars@piefed.social · 3 upvotes · 19 hours ago

      Could it potentially be enough to find location - like even if not city, then state or at least country?

      And of course not just these Nicole pics, but any pics at all, across the entire Fediverse. Worse, upload it via posting to a small community with like 5-10 subscribers and get the IPs of all of those who see the content (by downloading the image from your self-hosted server), then correlate with comments in it to map to usernames (I mean narrow down the list to those 5-10 accounts).

      I suppose it is fortunate that there aren’t any totalitarian regimes anywhere in the world that might be interested in keeping tabs on who isn’t using corporate enshittified platforms… Like surely Musk won’t deny visas to people in the USA who use Lemmy, r-r-right??? (Or deny employment even to people working for corporations that even so much as have a contract with the USA government, regardless of whether the person in question is actually working on it or not, or are even aware that their company has such contracts at all?).

      I think we may need to expect the worst, moving forward, then be pleasantly surprised if it doesn’t happen, rather than 100% count on the best happen for certain, like our very lives depended upon it.

      @rimu@piefed.social how does PieFed fare in this regard?

      • hendrik@palaver.p3x.de · 2 upvotes · 18 hours ago (edited)

        Location would be possible. For me it’s a few hundred km off, but usually the GeoIP databases are more accurate.

        Piefed doesn’t do much image caching or proxying. It only keeps thumbnails around. Once you open a post with more than a thumbnail in it (a full picture), your IP is revealed to the image hoster.

      • Rimu@piefed.social · 1 upvote · 18 hours ago

        Not great. PieFed does not make a local copy of inline images, like Lemmy sometimes does.

        • OpenStars@piefed.social · 1 upvote · 13 hours ago (edited)

          This makes me worried to click on certain post titles that I’ve seen lately… Edit: on the bright side, PieFed doesn’t include words in its titles, just numbers, so that might offer a bit of protection, for keyword scanners built to work for Lemmy.

          Would using a proxy be sufficient?

      • hendrik@palaver.p3x.de · 1 upvote · 18 hours ago (edited)

        Sure, back when I was young enough to do really stupid “pranks”, we tried to vandalize Wikipedia once or twice. You get banned and re-try one day later. That’s kind of how it works with IP bans. But it gets rid of 99% of people who aren’t super persistent. And that’s enough. And also why they do it even if it’s not “perfect”. Our school had one static IP for the entire computer room, so over there Wikipedia wouldn’t accept edits for a whole week or two, until the ban properly expired.