cross-posted from: https://lemmy.today/post/25826615

For those not familiar, there are numerous messages containing images being repeatedly spammed to many Threadiverse users talking about a Polish girl named “Nicole”. This has been ongoing for some time now.

Lemmy permits external inline image references to be embedded in messages. This means that if a unique image URL or set of image URLs is sent to each user, it’s possible to log the IP addresses that fetch these images; by analyzing the log, one can determine the IP address that a user has.

In some earlier discussion, someone had claimed that local lemmy instances cache these on their local pict-rs instance and rewrite messages to reference the local image.

It does appear that there is a closed issue on the lemmy issue tracker referencing such a deanonymization attack:

https://github.com/LemmyNet/lemmy/issues/1036

I had not looked into these earlier, but it looks like such rewriting and caching intended to avoid this attack is not occurring, at least on my home instance. I hadn’t looked until the most recent message, but the image embedded here is indeed remote:

https://lemmy.doesnotexist.club/pictrs/image/323899d9-79dd-4670-8cf9-f6d008c37e79.png

I haven’t stored and looked through a list of these, but as I recall, the user sending them is bouncing around different instances. They certainly are not using the same hostname for their lemmy instance as the pict-rs instance; this message was sent from nicole92 on lemmy.latinlok.com, though the image is hosted on lemmy.doesnotexist.club. I don’t know whether they are moving around where the pict-rs instance is located from message to message. If not, it might be possible to block the pict-rs instance in your browser. That will only be a temporary fix, since I see no reason that they couldn’t also be moving the hostname on the pict-rs instance.

Another mitigation would be to route one’s client software or browser through a VPN.

I don’t know if there are admins working on addressing the issue; I’d assume so, but I wanted to at least mention that there might be privacy implications to other users.

In any event, regardless of whether the “Nicole” spammer is aiming to deanonymize users, as things stand, it does appear that someone could do so.

My own take is that the best fix here on the lemmy-and-other-Threadiverse-software side would be to disable inline images in messages. Someone who wants to reference an image can always link to an external image in a message, and permit a user to click through. But if remote inline image references can be used, there’s no great way to prevent a user’s IP address from being exposed.

If anyone has other suggestions to mitigate this (maybe a Greasemonkey snippet to require a click to load inline images as a patch for the lemmy Web UI?), I’m all ears.
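Added here as a worked example, not code from the original post or from Lemmy itself: a small Python checker for the two things the post raises. It extracts inline images from Lemmy markdown bodies, flags images hosted somewhere other than the sender's own instance, flags the unique-URL-per-recipient pattern that a deanonymization attempt would leave, and rewrites inline images into plain links so a client can show a click-through instead of auto-fetching. The sample DMs are constructed; only the lemmy.doesnotexist.club URL comes from the post, and spam.example / img.example.invalid / lemmy.example are placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Lemmy message bodies are markdown; an inline image is ![alt](url).
INLINE_IMAGE = re.compile(r"!\[([^\]]*)\]\((https?://[^)\s]+)\)")


def inline_images(markdown):
    """Return (alt, url) pairs for every remote inline image in a body."""
    return INLINE_IMAGE.findall(markdown)


def defang_inline_images(markdown):
    """Rewrite ![alt](url) as [alt](url), or [url](url) when alt is empty,
    so a client only fetches the image when the reader clicks the link."""
    def as_link(m):
        alt, url = m.group(1).strip(), m.group(2)
        return f"[{alt or url}]({url})"
    return INLINE_IMAGE.sub(as_link, markdown)


def text_without_images(markdown):
    """Body with the image references removed, used to spot repeated text."""
    return INLINE_IMAGE.sub("", markdown).strip()


def assess_dms(dms):
    """dms: dicts with 'recipient', 'sender' ('user@instance'), 'body'.
    Returns {(recipient, sender): {'offsite_images', 'per_recipient_url'}}."""
    findings = {}
    # (sender, identical text) -> {recipient: image URLs they were sent}
    campaigns = defaultdict(dict)
    for dm in dms:
        sender_host = dm["sender"].split("@", 1)[1]
        urls = tuple(url for _, url in inline_images(dm["body"]))
        findings[(dm["recipient"], dm["sender"])] = {
            # hosted somewhere other than the sender's own instance
            "offsite_images": [u for u in urls
                               if urlparse(u).hostname != sender_host],
            "per_recipient_url": False,
        }
        key = (dm["sender"], text_without_images(dm["body"]))
        campaigns[key][dm["recipient"]] = urls
    for (sender, _), members in campaigns.items():
        # same text to several recipients but different image URLs: the
        # unique-URL-per-user pattern that lets a host log who fetched what
        if len(set(members.values())) > 1:
            for recipient in members:
                findings[(recipient, sender)]["per_recipient_url"] = True
    return findings


# Constructed sample DMs. The doesnotexist.club URL is the one quoted in
# the post above; spam.example / img.example.invalid are placeholders.
NICOLE_IMG = ("https://lemmy.doesnotexist.club/pictrs/image/"
              "323899d9-79dd-4670-8cf9-f6d008c37e79.png")
SAMPLE_DMS = [
    {"recipient": "alice@lemmy.example", "sender": "nicole92@lemmy.latinlok.com",
     "body": f"hi :) ![]({NICOLE_IMG})"},
    {"recipient": "bob@lemmy.example", "sender": "nicole92@lemmy.latinlok.com",
     "body": f"hi :) ![]({NICOLE_IMG})"},
    {"recipient": "alice@lemmy.example", "sender": "tracker@spam.example",
     "body": "please help ![](https://img.example.invalid/i/0001.png)"},
    {"recipient": "bob@lemmy.example", "sender": "tracker@spam.example",
     "body": "please help ![](https://img.example.invalid/i/0002.png)"},
    {"recipient": "carol@lemmy.example", "sender": "friend@lemmy.example",
     "body": "look ![cat](https://lemmy.example/pictrs/image/abc.png)"},
]

if __name__ == "__main__":
    for (recipient, sender), f in assess_dms(SAMPLE_DMS).items():
        print(recipient, "<-", sender, f)
```

In the sample, the "nicole92" messages are off-site but share one URL, while the "tracker" messages carry a different URL per recipient, which is the signal worth escalating to instance admins.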

  • blazeknave@lemmy.world · 5 up, 1 down · 4 hours ago

    Has anyone raised the argument that the “plus” of Lemmy being public and detailed to the vote and forever, is a “negative”?

    • tfm@europe.pub (OP) · 1 up · 5 hours ago

      Just by loading the image in the DM.

      But to be clear. All they get at most is your IP address. That’s not worth much alone.

      There is a setting that prevents sending the IP address by caching the image. lemmy.world should definitely enable that. They don’t do that right now, unfortunately.

  • Matt@lemmy.ml · 2 up · 10 hours ago

    Isn’t it anonymized? Because when I posted a blog post to a community and I headed to Blogger analytics, I saw a bunch of views from OpenGraph. AFAIK this is from scrolling on Lemmy.

    • tfm@europe.pub (OP) · 2 up · 9 hours ago

      It depends on the instance configuration. If images are proxied, no traffic should show up.

  • prole@lemmy.blahaj.zone · 14 up · 18 hours ago

    Thanks, I just double-checked to make sure my VPN was on for my phone as well… I got fourteen of them today. That’s… Weird.

    • limer@lemmy.dbzer0.com · 6 up · 15 hours ago

      Sounds more like self-replicating malware somewhere, probably in some totally unrelated WordPress plugin on unrelated sites scattered about.

  • Admiral Patrick@dubvee.org · 96 up · edited · 23 hours ago

    If anyone has other suggestions to mitigate this (maybe a Greasemonkey snippet to require a click to load inline images as a patch for the lemmy Web UI?), I’m all ears.

    Tesseract dev here.

    For what it’s worth, I went back through and checked my DMs from “Nicole” and they’re all uploads directly to the home instance the DM came from (e.g. they went through pict-rs, and only the instance admins would be able to see the client IPs in their access logs). So, this doesn’t seem like a de-anonymization attack, though all it would take is “Nicole” to start hosting the images somewhere they control to achieve that effect.

    Safety Precautions Available in Tesseract

    Use Tesseract’s Image Proxy

    It has the ability to proxy images (separately / better than the Lemmy built-in method) both local and remote (e.g. to outside image hosts). The hosted instance (tesseract.dubvee.org) has that enabled but each user must enable it in settings (Settings -> Media -> Proxy Images).

    For Tesseract installs run by other instances, it would need the server-side component enabled by the instance admins before the user setting will show up to be enabled by the user.

    If you see the “Proxy Images” options in Settings -> Media, then the admins have enabled the server-side component. If not, you’ll need to ask the admins to configure/enable media proxying. If you’re self-hosting it, then it may not provide any additional privacy unless you’re running it in a cloud server or somewhere other than where you’re accessing it.

    Disable Inline Images

    It also has the option to disable inline images (Settings -> Post and Comments -> Inline Images). I’ve confirmed this also works for DMs. With inline images disabled, instead of the image, the alt text, if available, will be linked to the image. If no alt text, then the image URL will be a clickable link. In either case, clicking the image link will load it in a modal on-demand.

    Coming Soon (Released Just Now in 1.4.32)

    After reading this post, as a precaution, I’m going to push out a hotfix (hopefully this evening) that will disable inline images in DMs by default. If someone you trust DMs you, you can just click on the image link to view it in a modal (like any other link preview).

    Testing this feature now and should have it released this evening. Works like email clients when you disable inline images; a button/switch will appear at the top if it detects there are images / media embedded which will allow you to show the images; defaults to off.

    [Image: Tesseract DM view with inline images disabled by default]

    [Image: Tesseract DM view with inline images enabled per-message]

      • Admiral Patrick@dubvee.org · 20 up · 1 day ago

        Not to be snarky (ok, a little snarky lol), but I don’t see the Lemmy devs stepping up to do anything about this. Still can’t even delete DMs.

        • wjs018@piefed.social · 4 up · 18 hours ago

          Wow, I hadn’t realized until you pointed it out that you can’t delete PMs (I guess without getting admins to fiddle with the db). I still use my lemmy account to moderate some lemmy communities, but I am appreciating using piefed as my threadiverse consumption platform more and more.

          • Admiral Patrick@dubvee.org · 3 up · 10 hours ago

            Yeah, I’m actually planning to see about trying to migrate from Lemmy to Piefed (as an instance). Rimu said it’s technically possible but will need some manual work to ETL the data over. Hoping to start poking around and making some attempts soon-ish. Right now, still just doing my homework and familiarizing myself with Piefed.

              • Admiral Patrick@dubvee.org · 2 up · 5 hours ago

                Already working on plans to attempt to migrate my instance to a Piefed backend. Gonna take some doing/experimentation, but hopefully will be able to share the knowledge learned (and, ideally, a migration script).

            • rozlav@lemmy.blahaj.zone · 4 up · 21 hours ago

              Those devs meaning? If there are any issues or links that can make me understand this I would like to know, thank you (o・ω・o)

              • Admiral Patrick@dubvee.org · 6 up, 1 down · edited · 20 hours ago

                It’s a long history of Github, Lemmy, and admin chat interactions that culminate in my desire to never willingly interact with them again. It’s just too much and too off-topic to post here.

              • hakase@sh.itjust.works · 5 up, 3 down · 20 hours ago

                The Lemmy devs are outspoken tankies, so I’d understand why people would be reluctant to work directly with them.

  • Nougat@fedia.io · 60 up, 1 down · 1 day ago

    The one I got earlier today pleaded:

    My dad just lost his job and I have no money for tuition next semester. Please help me raise money so I can keep going to school! Donate anything you can to these bitcoin and litecoin addresses <3

    I don’t think it’s anything more complicated than trying to scam money from people.

  • 🇰 🌀 🇱 🇦 🇳 🇦 🇰 🇮 @pawb.social · 10 up, 1 down · 20 hours ago

    If all they can get is an IP address I don’t know why they need this ruse or what good it would do. Very few people are going to be coming from an IP that resolves to their actual residency, even if they’re not using VPNs or proxies.

    • bane_killgrind@slrpnk.net · 8 up, 1 down · 19 hours ago

      The more normies start using this, the more default config/ old as dirt routers will have some exploitable thing.

      More than 10 years ago, I logged into the router of some guy on IRC and changed his pppoe username and password to 'pleaseinvestigateme ‘iamapedophile’ or something.

      The IP he connected from was his home network, the router had default username and password. He disconnected when I hit save.

      The guy was a pedo, fyi. Or trolling by saying he was.

  • 0101100101@programming.dev · 14 up · 22 hours ago

    Good stuff. I always thought the image was being used in a nefarious way but haven’t had time to investigate.

  • SkaveRat@discuss.tchncs.de · 19 up · 1 day ago

    FWIW I got the exact image URL in a DM a couple minutes ago. So at least they are not mapping the UUID of the image to a DM’d fedi user.

  • scutiger@lemmy.world · 15 up · 1 day ago

    I’ve received 4 of them so far, and the images were hosted on lemmy, including reputable instances, but never on the same instance as the message itself came from.

    • FundMECFS@lemmy.blahaj.zone · 17 up · 1 day ago

      IP address is often enough to link data to a profile for data brokers. And Lemmy has so much valuable data, not only in posts or comments, but upvotes and downvotes etc. This could be someone making bank off selling data.

      [Though other people investigating the url seem to be pretty sure the images don’t have a per user url, so this theory probably doesn’t hold]

      • hendrik@palaver.p3x.de · 5 up · 1 day ago

        I mean for most users worldwide, the IP changes every 24h or so, maybe every few days. So I doubt it’s of great value unless you have access to another big database of current logins to match this against. And if you already have that database, I don’t see the value of recording the IP again. Only added info is that the user uses Lemmy, if there isn’t any identifier in the image URL.

        • weker01@sh.itjust.works · 2 up · 4 hours ago

          You probably have a skewed impression. This is common in some places like Germany, but it’s far from the norm. (Even in Germany it’s mostly telecom that does it for some reason.)

          Many ISPs only change the allocated IP in cases like lost connections, and some don’t even do that, giving out, but not guaranteeing, static IPs.

          • hendrik@palaver.p3x.de · 1 up · 3 hours ago

            I occasionally ask people such things and from what I got it’s kind of mixed. Even beyond Germany. But I didn’t do a proper study, I might be wrong.

        • captainastronaut@seattlelunarsociety.org · 1 up · 14 hours ago

          That doesn’t stop data brokers profiling. One login (into ESPN to update your fantasy team, or into one of your utility providers) from the new IP and all they know about you from the old IP maps to the new one. If you use your ISP’s router they are prob even selling history from the private IPs inside your network.

          • hendrik@palaver.p3x.de · 1 up · 11 hours ago

            Uh, I don’t think recording internal IPs would be legal where I live. But yeah, my ISP sends me bills every month, they know exactly how much data I use and where I live. My router runs my own Linux (OpenWRT), though.

            And sure, that’s exactly why I personally am worried about the advertisement and tracking platforms. Those definitely make a living by connecting every minor detail. And they have more available like Browser fingerprints, device identifiers if you forgot to disable the advertisement id on your phone…

        • bizarroland@fedia.io · 13 up · 1 day ago

          I wouldn’t necessarily trust that. I have used Xfinity for a long time and my IP address often went months without changing.

          • hendrik@palaver.p3x.de · 4 up · 1 day ago

            Yeah, I heard it’s different with some providers in North America. But then again, it’s not very straightforward to track which IPs belong to which provider, in which timespans they get renewed, and then match that to other info.

        • OpenStars@piefed.social · 4 up · 1 day ago

          Could it potentially be enough to find location - like even if not city, then state or at least country?

          And ofc not just these Nicole pics, but any pics at all, across the entire Fediverse. Worse, upload it via posting to a small community with like 5-10 subscribers and get the IPs of all of those who see the content (by downloading the image from your self-hosted server), then correlate with comments in it to map to usernames (I mean narrow down the list to those 5-10 accounts).

          I suppose it is fortunate that there aren’t any totalitarian regimes anywhere in the world that might be interested in keeping tabs on who isn’t using corporate enshittified platforms… Like surely Musk won’t deny visas to people in the USA who use Lemmy, r-r-right??? (Or deny employment even to people working for corporations that even so much as have a contract with the USA government, regardless of whether the person in question is actually working on it or not, or are even aware that their company has such contracts at all?).

          I think we may need to expect the worst, moving forward, then be pleasantly surprised if it doesn’t happen, rather than 100% count on the best happen for certain, like our very lives depended upon it.

          @rimu@piefed.social how does PieFed fare in this regard?

          • hendrik@palaver.p3x.de · 2 up · edited · 24 hours ago

            Location would be possible. For me it’s a few 100km off, but usually the GeoIP databases are more accurate.

            Piefed doesn’t do much image caching or proxying. It only keeps thumbnails around. Once you open a post with more than a thumbnail in it (a full picture), your IP is revealed to the image hoster.

          • Rimu@piefed.social · 1 up · 1 day ago

            Not great. PieFed does not make a local copy of inline images, like Lemmy sometimes does.

            • OpenStars@piefed.social · 1 up · edited · 19 hours ago

              This makes me worried to click on certain post titles that I’ve seen lately… Edit: on the bright side, PieFed doesn’t include words in its titles, just numbers, so that might offer a bit of protection, for keyword scanners built to work for Lemmy.

              Would using a proxy be sufficient?

          • hendrik@palaver.p3x.de · 2 up · edited · 1 day ago

            Sure, back when I was young enough to do really stupid “pranks”, we tried to vandalize Wikipedia once or twice. You get banned and re-try one day later. That’s kind of how it works with IP bans. But it gets rid of 99% of people who aren’t super persistent. And that’s enough. And also why they do it even if it’s not “perfect”. Our school had one static IP for the entire computer room, so over there Wikipedia wouldn’t accept edits for a whole week or two, until the ban properly expired.

      • grue@lemmy.world · 2 up · 1 day ago

        [Though other people investigating the url seem to be pretty sure the images don’t have a per user url, so this theory probably doesn’t hold]

        …yet.

    • lemmyingly@lemm.ee · 2 up · 22 hours ago

      It could be reasonably innocent. E.g. a student doing a study on Lemmy who wants to see where the user base is roughly located. Since Lemmy has many privacy-focused people on the platform, I doubt they would get many responses on a survey.

      • hendrik@palaver.p3x.de · 1 up · edited · 20 hours ago

        Though, I seriously doubt it’s a legitimate study. Standards dictate you’d do it with people’s consent and inform them what’s up. You’d get scolded by your professor if you did it like this. And I believe we do studies without explicit consent, but that’s university level stuff and I suppose you’d have to file a request with the ethics committee and have someone look at the study layout. I’d say if it is a “study”, it’s probably illegitimate and done by someone without much academic background. Or they don’t abide by the same standards all students do for specific reasons.

        • JacksonLamb@lemmy.world · 2 up · 20 hours ago

          Imagine explaining it to your professor. "Well, first I sent an image disguised as an unsolicited catfishing scam…"

    • gandalf_der_12te@discuss.tchncs.de · 2 up · 1 day ago

      Ooh, every piece of information has some value to it.

      For example, you could analyze the aggregate (i.e. how many people in each country, how long it takes them to see the messages, how often they are online, …).

      Also, it might be testing out the messaging system for later, more elaborate attacks.

      • hendrik@palaver.p3x.de · 1 up · 1 day ago

        Yeah, I can see how exploration for further things could be the case.

        I just wonder, do people also install browser extensions to cache all the Google Fonts, jsdelivr URLs etc.? Or do they just give away the same data to every link on this link aggregator platform, and it’s just noticed when it becomes very obvious as with this weird thing?

          • hendrik@palaver.p3x.de · 2 up · 24 hours ago

            Hmmh. I have uBlock and LocalCDN installed in my browser because I’m more worried about all the Google and Metas out there. Most of the news articles linked here are on websites with like 3 different trackers. And Google and Meta definitely have enough info about everyone to correlate minor details.

            I must say I’m not super worried about my IP leaking into the Fediverse. I mean the pictures as a direct message is yet another thing. But generally speaking, we have some trade-off here between privacy and spreading information across a distributed network. It’s not a good thing, but I think the benefits outweigh the downsides.

            • gandalf_der_12te@discuss.tchncs.de · 2 up · 24 hours ago

              I understand your points.

              I just want to point out that the IP address can often be used to track your location, especially if you’re in more rural / less densely populated areas. That might doxx you, and how dangerous that is depends on your public profile. So the concern is legitimate.