Note: This post now archived and as such no longer works
This is possible because Lemmy doesn’t proxy external images but instead loads them directly. While not all that bad, this could be used for Spy pixels by nefarious posters and commenters.
Note, that the only thing that I willingly log is the “hit count” visible in the image, and I have no intention to misuse the data.
Nice example!
I think proxying everything through lemmy would have a pretty big bandwidth/scalability impact. I expect the lemmy clients dont send any unique user info on these image requests so not sure how useful it would be as a spy pixel? Maybe I’m missing something :-)
deleted by creator
Share source code? I’m curious
[This comment has been deleted by an automated system]
Thanks for the heads-up.
Routing my Lemmy mobile app through orbot from now on. Seems to have fixed the issue.
Location is right, but I highly doubt anyone near me is using Lemmy (dictatorship here).
[This comment has been deleted by an automated system]
deleted by creator
I’m not using a VPN or anything and it got my location wrong by 700 kilometers 🤔
Are you sure you are where you think you are? When’s the last time you looked outside?
Thought about adding the user’s location, but was worried PythonAnywhere could somehow cache the image between multiple people. A great demo though!
I hate this so much. Its super cool but MAN what the hell. I don’t think I’m going to ever turn off my VPN anymore. I’m in a super small town and that image is correct.
It’s cached somewhere because I can’t get it to update. Maybe time for a new account too. Hmmmm
[This comment has been deleted by an automated system]
Yeah, app cache had to be cleared. We good
Finally. Someone noticed 🥹
Joke’s on you. IP geolocation where I am is an unreliable mess and your image got it wrong by about 1000km!
[This comment has been deleted by an automated system]
Hey. I wanted to do this tomorrow.
Well I have a new idea which is pretty similar
[This comment has been deleted by an automated system]
I’m plannig to make one of these “dox’d memes” where someone says something controversial and another one answers with the ip address.
[This comment has been deleted by an automated system]
You have the code for this? Very interested in how you implemented it
deleted by creator
Damn, PHP is such a sleeper of a language, I always forget how useful it can be.Thanks for sharing!
[This comment has been deleted by an automated system]
You can run Geolocation with images now? What the heck? How?
[This comment has been deleted by an automated system]
Woah this is really cool. Though I was way off for me and I’m not on a VPN right now.
[This comment has been deleted by an automated system]
My location is accurate, to give some good feedback on your program too lol
[This comment has been deleted by an automated system]
Oh neat, Jerboa doesn’t identify itself. Cool.
I get “unknown (mobile?) client” using Jerboa
Same on Sync (You are viewing this from an unknown (mobile?) client)
And on infinity (You are viewing this from Android)
Easiest way to stop this from happening is to use ublock origin to block all third party request on your instance.
One way to do this is via dynamic filtering. This is for advanced users so be sure to read the info page: https://github.com/gorhill/uBlock/wiki/Dynamic-filtering
(Consider backing up your ublock settings before doing this)
If you are using lemmy.ml your rule would be this:
lemmy.ml * 3p blockif you’re using another instance then change the domain or use both rules cause you might end up visiting the others as well. Note that adding this rule wont work unless enable advanced features in ublock origin.
EDIT: THIS MIGHT BREAK THINGS ON YOUR INSTANCE, its recommended to learn how to use dynamic filtering to unbreak it: https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-quick-guide If it breaks stuff just remove that rule.
You could also block it using static filters but I can’t remember how to do that exactly, if you know please reply below.
- Mlem - knows exactly that it’s Mlem.
- Memmy - sees Mobile Safari webkit.
- Voyager - same as Memmy.
- Thunder - just sees Mobile Client.
- Jerboa - also just sees a Mobile Client
Doesn’t know it’s sync.
Voyager on Android
I’m fine with this. Instances shouldn’t proxy or cache images because it opens instance owners to a lot more liability than text. A client side setting to not load images in comments by default is better.
Each instance stores post thumbnails locally even if the post was on another server. It actually takes up quite a bit of hdd space.
All these people correcting the result effectively giving useful data to improve data collection and detection methods.
Man, I remember I scared the crap out of trolls on Reddit when we started arguing over DM, and I added a link to a meme that tracked their IP and system info (without them knowing ofc). Let’s just say they went AFK quickly after that. Good times!
Salient demonstration, but if image proxying were to come to Lemmy I’d hope it was made optional, as it could overburden smaller instances, especially one-person instances (like mine). We also need a simple integrated way of configuring object storage.
[This comment has been deleted by an automated system]
Image proxies are a must have, let’s hope we get those soon!
Jokes on you! I use a Firefox extension that spoofs my browser profile. https://addons.mozilla.org/en-US/firefox/addon/chameleon-ext/
deleted by creator
I’ll be damned. I tried this from three different platforms and you’ve nailed it.
I’m using Firefox on Mac and it thought I was on windows. Still a big issue though.
It said I’m on Mac OS X, but that’s wrong. It’s been macOS for some years now. /s
It still makes me wanna cry.
deleted by creator
for a little extra creepiness, modify the image-generating script to add geoip location data and http referer to the image.
[This comment has been deleted by an automated system]
What is it supposed to say?
What is it supposed to say?
“You are viewing this from The Black Pearl, Davy Jones.”
