Note: This post now archived and as such no longer works

*removed externally hosted image*

  • TriLinder@lemmy.ml
    hexagon
    ·
    1 year ago

    This is possible because Lemmy doesn't proxy external images but instead loads them directly. While not all that bad, this could be used for Spy pixels by nefarious posters and commenters.

    Note, that the only thing that I willingly log is the "hit count" visible in the image, and I have no intention to misuse the data.

  • wopazoo [he/him]
    ·
    1 year ago

    on hexbear, all i get is

    *removed externally hosted image*

    • nathanjell@infosec.pub
      ·
      1 year ago

      Probably not. Every time your web browser makes a request to a server, it always transmits some "user agent" describing itself. By default, it'll be something that boils down to "Safari version X on macOS version Y" or "Firefox version A on Windows version B" or something similar. You can often change your user agent (on desktop browsers at least) of you care.

      What can someone do with this specific info? Well, not a huge amount. It can be used as a sort of a fingerprint - the more unique a browser's user agent, the more easy it is to target you as a demographic or individual. It could be used in phishing, to legitimize spam - think, "I know you use Firefox on Windows, you don't want to know what else I know!" But honestly, for the vast majority of people (in my opinion) the reality is that letting the server know your user agent isn't going to be doing much.

      To be fair, user agent is one of many ways that remote services can track you and identify you.

  • Faresh@lemmy.ml
    ·
    1 year ago

    Would be interesting to use such an embedded image to acquire some statistics on lemmy users. We could answer questions like: What percentage of lemmy users use Linux?

  • andscape@feddit.it
    ·
    1 year ago

    Can countermeasures be implemented in the clients to mitigate privacy risks, while not having to proxy images?

    • psud@aussie.zone
      ·
      1 year ago

      At it's basic level it will capture your IP address, but it won't really tie the IP to a user name, and there's not a role lot you can do with it

      Attacks I can think of:

      • target advertising at users in a particular lemmy community
      • get a collection of IP addresses of people with specific problems or beliefs (indicated by membership in a lemmy community) to target with malware

      A VPN would protect you in this case, but you need to be a bit of a privacy nut to also protect yourself from things that identify for advertising right now