cross-posted from: https://lemmy.today/post/25826615

For those not familiar, there are numerous messages containing images being repeatedly spammed to many Threadiverse users talking about a Polish girl named “Nicole”. This has been ongoing for some time now.

Lemmy permits external inline image references to be embedded in messages. This means that if a unique image URL or set of image URLs is sent to each user, it’s possible to log the IP addresses that fetch these images; by analyzing the log, one can determine the IP address that a user has.

In some earlier discussion, someone had claimed that local lemmy instances cache these on their local pict-rs instance and rewrite messages to reference the local image.

It does appear that there is a closed issue on the lemmy issue tracker referencing such a deanonymization attack:

https://github.com/LemmyNet/lemmy/issues/1036

I had not looked into these earlier, but it looks like such rewriting and caching intending to avoid this attack is not occurring, at least on my home instance. I hadn’t looked until the most-recent message, but the image embedded here is indeed remote:

https://lemmy.doesnotexist.club/pictrs/image/323899d9-79dd-4670-8cf9-f6d008c37e79.png

I haven’t stored and looked through a list of these, but as I recall, the user sending them is bouncing around different instances. They certainly are not using the same hostname for their lemmy instance as the pict-rs instance; this message was sent from nicole92 on lemmy.latinlok.com, though the image is hosted on lemmy.doesnotexist.club. I don’t know whether they are moving around where the pict-rs instance is located from message to message. If not, it might be possible to block the pict-rs instance in your browser. That will only be a temporary fix, since I see no reason that they couldn’t also be moving the hostname on the pict-rs instance.

Another mitigation would be to route one’s client software or browser through a VPN.

I don’t know if there are admins working on addressing the issue; I’d assume so, but I wanted to at least mention that there might be privacy implications to other users.

In any event, regardless of whether the “Nicole” spammer is aiming to deanonymize users, as things stand, it does appear that someone could do so.

My own take is that the best fix here on the lemmy-and-other-Threadiverse-software-side would be to disable inline images in messages. Someone who wants to reference an image can always link to an external image in a message, and permit a user to click through. But if remote inline image references can be used, there’s no great way to prevent a user’s IP address from being exposed.

If anyone has other suggestions to mitigate this (maybe a Greasemonkey snippet to require a click to load inline images as a patch for the lemmy Web UI?), I’m all ears.
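One way to do the click-to-load patch asked for above, as an added example that is not part of the post or of Lemmy's own code: a userscript-style filter that holds back any inline image whose origin differs from the instance the page was served from. The `.md-div` selector is an assumption about where the Lemmy Web UI renders markdown bodies; the rest relies only on standard DOM methods, so the decision logic can be checked outside a browser.

```javascript
// Added example (not from the post or from Lemmy): a userscript-style
// click-to-load filter for remote inline images. Anything served from a host
// other than the page's own instance is held back until the reader clicks it,
// so a per-recipient tracking URL is never fetched automatically.

// Decide whether an <img> src would cause a fetch to another server.
// Relative paths and same-origin URLs resolve to the home instance; data: URLs
// carry their bytes inline and cause no network request at all.
function isRemoteImage(src, pageOrigin) {
  let url;
  try {
    url = new URL(src, pageOrigin);
  } catch (e) {
    return true; // unparseable: fail closed and treat as remote
  }
  if (url.protocol === 'data:') return false;
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return true;
  return url.origin !== new URL(pageOrigin).origin;
}

// Defer a single image element: move its src into data-deferred-src, show a
// neutral placeholder and restore the real src only on click. Works on any
// object exposing the DOM Element attribute/listener methods, so it can be
// exercised without a browser. Returns true if the image was deferred.
function deferRemoteImage(img, pageOrigin) {
  const src = img.getAttribute('src');
  if (src === null || !isRemoteImage(src, pageOrigin)) return false;
  img.setAttribute('data-deferred-src', src);
  img.removeAttribute('src'); // no src, no fetch
  img.setAttribute('alt', `[remote image on ${new URL(src, pageOrigin).host}: click to load]`);
  img.addEventListener('click', () => {
    img.setAttribute('src', img.getAttribute('data-deferred-src'));
    img.removeAttribute('data-deferred-src');
  }, { once: true });
  return true;
}

// Apply to every image inside post and comment bodies. '.md-div' is an assumed
// selector for the Lemmy UI's markdown container; adjust for your client.
function deferAllRemoteImages(doc, pageOrigin) {
  let count = 0;
  for (const img of doc.querySelectorAll('.md-div img')) {
    if (deferRemoteImage(img, pageOrigin)) count += 1;
  }
  return count;
}

// Browser entry point; skipped when run outside a page.
if (typeof document !== 'undefined') {
  deferAllRemoteImages(document, window.location.origin);
  // Comments are rendered dynamically, so re-run as new nodes appear.
  new MutationObserver(() => deferAllRemoteImages(document, window.location.origin))
    .observe(document.body, { childList: true, subtree: true });
}
```

Images already deferred have no `src`, so repeated passes from the observer leave them alone, and the placeholder text names the host the image would have been fetched from, which is the detail the thread uses to spot these messages.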

5 points

Me: reads entire post

I have no idea what’s being discussed here. Are you saying they’re stealing your bank account numbers?

2 points

Your IP address can be pegged to a location, so if you’re not behind a VPN or some other tech to obscure your IP, then someone may be able to determine who and where you are from your Lemmy account.

Just a heads up, if I disappear and someone is reading this comment history after the fact: I will never kill myself, and maybe you need to look into trethis. As I said, I received fourteen of these messages today.

1 point

I JUST got 2 of them today. Now I’m thinking it’s because of this thread. I haven’t gotten one since like…September.

18 points

When the image of “Nicole” is loaded, your computer/phone connects to another server and transfers your IP address. But it currently looks like it’s not that big of a problem. Still, a fix will be implemented soon to prevent this.

6 points

Has anyone raised the argument that the “plus” of Lemmy being public and detailed to the vote and forever, is a “negative”?

7 points

Here is the URL of the one I was sent: https://lemmy.doesnotexist.club/pictrs/image/44f99f51-2ae9-49b0-b0c8-4ae4cb989690.png

It’s potentially unique and not from a service by my instance or imgur, so the attack is feasible.

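The “potentially unique” observation above is also what an instance admin can check for server-side. As an added example, not code from the thread or from Lemmy, the following flags senders whose private messages embed off-instance images that differ for every recipient, which is the tracking signature, while a single meme reshared to several people collapses to one URL and is left alone. The message records are constructed for illustration and the image ids are placeholders; a real deployment would read the messages from the instance's own database.

```javascript
// Added example (not from the thread or from Lemmy): an instance-side check for
// per-recipient image tracking in private messages. Records are constructed.

const IMAGE_RE = /!\[[^\]]*\]\(([^)\s]+)[^)]*\)/g; // markdown image: ![alt](url "title")

// Pull every markdown inline-image URL out of a message body.
function extractImageUrls(body) {
  const urls = [];
  for (const m of body.matchAll(IMAGE_RE)) urls.push(m[1]);
  return urls;
}

// Flag senders whose messages embed off-instance images unique to each
// recipient. `minRecipients` keeps one picture sent to one friend out of the
// results; `localHost` is the instance running the check, whose own pict-rs
// URLs reveal nothing beyond what the instance already knows.
function findTrackingSenders(messages, localHost, minRecipients = 3) {
  const bySender = new Map();
  for (const msg of messages) {
    let st = bySender.get(msg.sender);
    if (!st) {
      st = { recipients: new Set(), remoteUrls: new Set(), remoteHosts: new Set() };
      bySender.set(msg.sender, st);
    }
    st.recipients.add(msg.recipient);
    for (const u of extractImageUrls(msg.body)) {
      let host;
      try { host = new URL(u, `https://${localHost}`).host; } catch (e) { continue; }
      if (host === localHost) continue; // same-instance image, no third party learns the IP
      st.remoteUrls.add(u);
      st.remoteHosts.add(host);
    }
  }
  const flagged = [];
  for (const [sender, st] of bySender) {
    if (st.recipients.size < minRecipients || st.remoteUrls.size === 0) continue;
    // One distinct remote URL per recipient (or more) is the tracking
    // pattern; a meme reshared to everyone produces a single URL.
    if (st.remoteUrls.size >= st.recipients.size) {
      flagged.push({
        sender,
        recipients: st.recipients.size,
        distinctRemoteUrls: st.remoteUrls.size,
        remoteHosts: [...st.remoteHosts].sort(),
      });
    }
  }
  return flagged;
}

// Constructed sample, seen from lemmy.today: the pattern described in the
// thread (a remote account, a different pict-rs host, one image per recipient)
// beside two benign senders. Image ids are placeholders, not real objects.
const SAMPLE_MESSAGES = [
  { sender: 'nicole92@lemmy.latinlok.com', recipient: 'u1@lemmy.today', body: 'hi! ![](https://lemmy.doesnotexist.club/pictrs/image/PLACEHOLDER-0001.png)' },
  { sender: 'nicole92@lemmy.latinlok.com', recipient: 'u2@lemmy.today', body: 'hi! ![](https://lemmy.doesnotexist.club/pictrs/image/PLACEHOLDER-0002.png)' },
  { sender: 'nicole92@lemmy.latinlok.com', recipient: 'u3@lemmy.today', body: 'hi! ![](https://lemmy.doesnotexist.club/pictrs/image/PLACEHOLDER-0003.png)' },
  { sender: 'nicole92@lemmy.latinlok.com', recipient: 'u4@lemmy.today', body: 'hi! ![](https://lemmy.doesnotexist.club/pictrs/image/PLACEHOLDER-0004.png)' },
  // alice shares one same-instance upload with several people
  { sender: 'alice@lemmy.today', recipient: 'u1@lemmy.today', body: 'look ![meme](https://lemmy.today/pictrs/image/PLACEHOLDER-meme.png)' },
  { sender: 'alice@lemmy.today', recipient: 'u2@lemmy.today', body: 'look ![meme](https://lemmy.today/pictrs/image/PLACEHOLDER-meme.png)' },
  { sender: 'alice@lemmy.today', recipient: 'u3@lemmy.today', body: 'look ![meme](/pictrs/image/PLACEHOLDER-meme.png)' },
  // bob shares one remote image with several people: same URL for all
  { sender: 'bob@example.social', recipient: 'u1@lemmy.today', body: '![](https://images.example/PLACEHOLDER-cat.jpg)' },
  { sender: 'bob@example.social', recipient: 'u2@lemmy.today', body: '![](https://images.example/PLACEHOLDER-cat.jpg)' },
  { sender: 'bob@example.social', recipient: 'u3@lemmy.today', body: '![](https://images.example/PLACEHOLDER-cat.jpg)' },
];

console.log(JSON.stringify(findTrackingSenders(SAMPLE_MESSAGES, 'lemmy.today'), null, 2));
```

The report lists the remote hosts per sender, so an admin can see at a glance when a sender is rotating pict-rs hosts between messages, the case the original post worries a browser-side hostname block would miss.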
7 points

yeah it could well be that something shady is going on here. maybe it would be a good idea to limit how many messages a user account may send to, let’s say, 500 or sth.

that would make these scams/ads less doable.


If all they can get is an IP address I don’t know why they need this ruse or what good it would do. Very few people are going to be coming from an IP that resolves to their actual residency, even if they’re not using VPNs or proxies.

7 points

The more normies start using this, the more default config/ old as dirt routers will have some exploitable thing.

More than 10 years ago, I logged into the router of some guy on IRC and changed his pppoe username and password to 'pleaseinvestigateme ‘iamapedophile’ or something.

The IP he connected from was his home network, the router had default username and password. He disconnected when I hit save.

The guy was a pedo, fyi. Or trolling by saying he was.

