The trick is that to embed images in Lemmy, you’re basically hot linking them. That means any kind of tracking your average web server can do, is possible through Lemmy’s image embedding feature.
I’ve explicitly disabled any kind of logging for the proof of concept above (it’s generated in the fly by the server, not cached on my end, no IP logs or anything) but it’s not hard for a malicious user to abuse this. It basically takes your IP address, looks up an estimated town based on some free geoip database you can download, and renders that as text inside an image.
This could be solved by rewriting comments to force image URLs to be loaded through your home server, but I don’t know if anyone has started work on that yet.
It basically takes your IP address, looks up an estimated town based on some free geoip database you can download, and renders that as text inside an image.
In all seriousness, apps and frontends need to implement countermeasures so that you can turn off image previews as needed
Actually that feature isn’t even that much abused So here is an useless gif
With its current implementation, that feature has a lot of downsides as well.
If you wanted, you could embed tracking pixels all over Lemmy and apps and browsers will happily report who’s reading your posts.
im just south of okotoks, kind of a small world out here.
I’m nowhere close :)
See my other comment on how it works, this is done based on geolocation.
yeah i seen your other comment. still kinda funny to me tho. I use a vpn router, multi wan, so not really too worried.
wtf
The trick is that to embed images in Lemmy, you’re basically hot linking them. That means any kind of tracking your average web server can do, is possible through Lemmy’s image embedding feature.
I’ve explicitly disabled any kind of logging for the proof of concept above (it’s generated in the fly by the server, not cached on my end, no IP logs or anything) but it’s not hard for a malicious user to abuse this. It basically takes your IP address, looks up an estimated town based on some free geoip database you can download, and renders that as text inside an image.
This could be solved by rewriting comments to force image URLs to be loaded through your home server, but I don’t know if anyone has started work on that yet.
OK, less magic than expected.
You used to be able to embed arbitrary html in comments, which was awesome and terrifying
im scared