cross-posted from: https://lemmy.today/post/25826615

For those not familiar, there are numerous messages containing images being repeatedly spammed to many Threadiverse users talking about a Polish girl named “Nicole”. This has been ongoing for some time now.

Lemmy permits external inline image references to be embedded in messages. This means that if a unique image URL or set of image URLs are sent to each user, it’s possible to log the IP addresses that fetch these images; by analyzing the log, one can determine the IP address that a user has.

In some earlier discussion, someone had claimed that local lemmy instances cache these on their local pict-rs instance and rewrite messages to reference the local image.

It does appear that there is a closed issue on the lemmy issue tracker referencing such a deanonymization attack:

https://github.com/LemmyNet/lemmy/issues/1036

I had not looked into these earlier, but it looks like such rewriting and caching intended to avoid this attack is not occurring, at least on my home instance. I hadn’t looked until the most recent message, but the image embedded here is indeed remote:

https://lemmy.doesnotexist.club/pictrs/image/323899d9-79dd-4670-8cf9-f6d008c37e79.png

I haven’t stored and looked through a list of these, but as I recall, the user sending them is bouncing around different instances. They certainly are not using the same hostname for their lemmy instance as the pict-rs instance; this message was sent from nicole92 on lemmy.latinlok.com, though the image is hosted on lemmy.doesnotexist.club. I don’t know whether they are moving around where the pict-rs instance is located from message to message. If not, it might be possible to block the pict-rs instance in your browser. That will only be a temporary fix, since I see no reason that they couldn’t also be moving the hostname on the pict-rs instance.

Another mitigation would be to route one’s client software or browser through a VPN.

I don’t know if there are admins working on addressing the issue; I’d assume so, but I wanted to at least mention that there might be privacy implications to other users.

In any event, regardless of whether the “Nicole” spammer is aiming to deanonymize users, as things stand, it does appear that someone could do so.

My own take is that the best fix here on the lemmy-and-other-Threadiverse-software side would be to disable inline images in messages. Someone who wants to reference an image can always link to an external image in a message and permit a user to click through. But if remote inline image references can be used, there’s no great way to prevent a user’s IP address from being exposed.

If anyone has other suggestions to mitigate this (maybe a Greasemonkey snippet to require a click to load inline images as a patch for the lemmy Web UI?), I’m all ears.
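A client-side click-to-load userscript of the kind the post asks about, added here as an example; it is not code from the thread or from Lemmy. `home.example` is an assumed instance hostname (change `HOME_HOST` and the `@match` line to your own instance). It swaps every `<img>` whose source lives on a different host for a link showing the alt text or the URL, and only restores the `src` attribute when the reader clicks:

```javascript
// ==UserScript==
// @name         Click-to-load remote inline images (Lemmy web UI)
// @match        https://home.example/*
// @run-at       document-start
// @grant        none
// ==/UserScript==
// Added example, not code from the thread or from Lemmy. home.example is an
// assumed instance hostname; change HOME_HOST and @match to your own instance.
const HOME_HOST = 'home.example';

// True when fetching `src` would contact a host other than the home instance,
// i.e. the case that exposes the reader's IP address to whoever runs that host.
function isRemoteImage(src, homeHost = HOME_HOST) {
  let url;
  try {
    url = new URL(src, `https://${homeHost}/`);
  } catch (_) {
    return true; // unparsable src: treat as untrusted
  }
  // data: and blob: sources never touch the network
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  return url.host !== homeHost;
}

// Text shown instead of the image: alt text when present, otherwise the URL.
function placeholderLabel(src, alt) {
  const text = (alt || '').trim();
  return `[image: ${text || src}]`;
}

// Swap one <img> for a link; the image is only fetched when the link is clicked.
// `doc` is a parameter so the function can be exercised outside a browser.
function deferRemoteImage(img, doc = document, homeHost = HOME_HOST) {
  const src = img.getAttribute('src') || '';
  if (!isRemoteImage(src, homeHost)) return false;
  const link = doc.createElement('a');
  link.setAttribute('href', src);
  link.setAttribute('rel', 'noreferrer');
  link.textContent = placeholderLabel(src, img.getAttribute('alt'));
  link.addEventListener('click', (ev) => {
    ev.preventDefault();
    img.setAttribute('src', src); // re-arm the request only on an explicit click
    link.replaceWith(img);
  });
  img.removeAttribute('src');
  img.replaceWith(link);
  return true;
}

// Browser entry point: the Lemmy UI renders client-side, so watch for <img>
// nodes as they are inserted rather than scanning once at page load.
if (typeof document !== 'undefined' && typeof MutationObserver !== 'undefined') {
  const sweep = (root) =>
    root.querySelectorAll('img[src]').forEach((img) => deferRemoteImage(img));
  new MutationObserver((records) => {
    for (const rec of records) {
      for (const node of rec.addedNodes) {
        if (node.nodeType !== 1) continue; // element nodes only
        if (node.tagName === 'IMG') deferRemoteImage(node);
        else sweep(node);
      }
    }
  }).observe(document, { childList: true, subtree: true });
}
```

The caveat that matters: a browser starts fetching an image as soon as its `src` attribute is set, and a client-rendered UI can set it before the `MutationObserver` ever sees the node, so a userscript is best effort only. Blocking the pict-rs host in a content blocker (as the post suggests), a VPN, or an instance-side proxy is what actually keeps the reader's address away from the remote host.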

  • Admiral Patrick@dubvee.org · 96 upvotes · edited · 23 hours ago

    If anyone has other suggestions to mitigate this (maybe a Greasemonkey snippet to require a click to load inline images as a patch for the lemmy Web UI?), I’m all ears.

    Tesseract dev here.

    For what it’s worth, I went back through and checked my DMs from “Nicole” and they’re all uploads directly to the home instance the DM came from (e.g. they went through pict-rs, and only the instance admins would be able to see the client IPs in their access logs). So, this doesn’t seem like a de-anonymization attack, though all it would take is “Nicole” to start hosting the images somewhere they control to achieve that effect.

    Safety Precautions Available in Tesseract

    Use Tesseract’s Image Proxy

    It has the ability to proxy images (separately / better than the Lemmy built-in method) both local and remote (e.g. to outside image hosts). The hosted instance (tesseract.dubvee.org) has that enabled but each user must enable it in settings (Settings -> Media -> Proxy Images).

    For Tesseract installs run by other instances, it would need the server-side component enabled by the instance admins before the user setting will show up to be enabled by the user.

    If you see the “Proxy Images” options in Settings -> Media, then the admins have enabled the server-side component. If not, you’ll need to ask the admins to configure/enable media proxying. If you’re self-hosting it, then it may not provide any additional privacy unless you’re running it in a cloud server or somewhere other than where you’re accessing it.

    Disable Inline Images

    It also has the option to disable inline images (Settings -> Post and Comments -> Inline Images). I’ve confirmed this also works for DMs. With inline images disabled, instead of the image, the alt text, if available, will be linked to the image. If no alt text, then the image URL will be a clickable link. In either case, clicking the image link will load it in a modal on-demand.

    Coming Soon (Released Just Now in 1.4.32)

    After reading this post, as a precaution, I’m going to push out a hotfix (hopefully this evening) that will disable inline images in DMs by default. If someone you trust DMs you, you can just click on the image link to view it in a modal (like any other link preview).

    Testing this feature now and should have it released this evening. Works like email clients when you disable inline images; a button/switch will appear at the top if it detects there are images / media embedded which will allow you to show the images; defaults to off.

    [Screenshot: Tesseract DM view with inline images disabled by default]

    [Screenshot: Tesseract DM view with inline images enabled per-message]
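The two Tesseract options described above, proxying remote images and demoting inline images to links, both come down to rewriting the message markdown before it is rendered. The following is an added example of that rewrite; it is not Tesseract's or Lemmy's code. `home.example` and the `/image_proxy?url=` endpoint are assumed, and the sample message is constructed (the remote host is the one named in the thread, the file name is made up):

```javascript
// Added example, not Tesseract's or Lemmy's code. Rewrites message markdown so
// that remote inline images are either fetched through an instance-side proxy
// or demoted to plain links. HOME_HOST and PROXY_BASE are assumed values.
const HOME_HOST = 'home.example';
const PROXY_BASE = `https://${HOME_HOST}/image_proxy?url=`; // assumed endpoint

// Markdown image syntax: ![alt](url) or ![alt](url "title").
const IMAGE_RE = /!\[([^\]]*)\]\(\s*(\S+?)(?:\s+"[^"]*")?\s*\)/g;

// True when fetching `src` would contact a host other than the home instance.
function isRemoteImage(src, homeHost = HOME_HOST) {
  let url;
  try {
    url = new URL(src, `https://${homeHost}/`);
  } catch (_) {
    return true; // unparsable: do not let it render inline as-is
  }
  // data: and blob: sources never touch the network
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  return url.host !== homeHost;
}

// mode 'proxy': route remote images through the instance proxy, so the
//               reader's browser only ever talks to the home instance
// mode 'link' : replace remote inline images with a link the reader must click
function rewriteInlineImages(markdown, opts = {}) {
  const { mode = 'proxy', homeHost = HOME_HOST, proxyBase = PROXY_BASE } = opts;
  let rewritten = 0;
  const out = markdown.replace(IMAGE_RE, (whole, alt, url) => {
    if (!isRemoteImage(url, homeHost)) return whole; // local pict-rs upload: leave alone
    rewritten += 1;
    if (mode === 'link') {
      return `[${alt.trim() || url}](${url})`; // alt text, else the URL, as link text
    }
    return `![${alt}](${proxyBase}${encodeURIComponent(url)})`;
  });
  return { markdown: out, rewritten };
}

// Constructed sample message: one remote image, one local upload.
const SAMPLE =
  'hi ![Nicole](https://lemmy.doesnotexist.club/pictrs/image/example.png) ' +
  'and a local upload ![](/pictrs/image/local.png)';

console.log(rewriteInlineImages(SAMPLE, { mode: 'proxy' }).markdown);
console.log(rewriteInlineImages(SAMPLE, { mode: 'link' }).markdown);
```

In proxy mode the remote host's access log records the instance's address instead of the reader's, which is why, as the comment notes, a self-hosted proxy on the same connection you browse from buys nothing. A real proxy endpoint must also validate the decoded URL before fetching it (http/https only, no private address ranges, a size limit), since an open fetch-by-URL endpoint is otherwise a server-side request forgery surface for the instance itself.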

      • Admiral Patrick@dubvee.org · 20 upvotes · 1 day ago

        Not to be snarky (ok, a little snarky lol), but I don’t see the Lemmy devs stepping up to do anything about this. Still can’t even delete DMs.

        • wjs018@piefed.social · 4 upvotes · 17 hours ago

          Wow, I hadn’t realized until you pointed it out that you can’t delete PMs (I guess without getting admins to fiddle with the db). I still use my lemmy account to moderate some lemmy communities, but I am appreciating using piefed as my threadiverse consumption platform more and more.

          • Admiral Patrick@dubvee.org · 3 upvotes · 9 hours ago

            Yeah, I’m actually planning to see about trying to migrate from Lemmy to Piefed (as an instance). Rimu said it’s technically possible but will need some manual work to ETL the data over. Hoping to start poking around and making some attempts soon-ish. Right now, still just doing my homework and familiarizing myself with Piefed.

              • Admiral Patrick@dubvee.org · 2 upvotes · 5 hours ago

                Already working on plans to attempt to migrate my instance to a Piefed backend. Gonna take some doing/experimentation, but hopefully will be able to share the knowledge learned (and, ideally, a migration script).

            • rozlav@lemmy.blahaj.zone · 4 upvotes · 20 hours ago

              Those devs meaning? If there are any issues or links that can make me understand this, I would like to know. Thank you (o・ω・o)

              • Admiral Patrick@dubvee.org · 6 upvotes · 1 downvote · edited · 20 hours ago

                It’s a long history of Github, Lemmy, and admin chat interactions that culminate in my desire to never willingly interact with them again. It’s just too much and too off-topic to post here.

              • hakase@sh.itjust.works · 5 upvotes · 3 downvotes · 20 hours ago

                The Lemmy devs are outspoken tankies, so I’d understand why people would be reluctant to work directly with them.