The trick is that to embed images in Lemmy, you’re basically hot linking them. That means any kind of tracking your average web server can do is possible through Lemmy’s image embedding feature.
I’ve explicitly disabled any kind of logging for the proof of concept above (it’s generated on the fly by the server, not cached on my end, no IP logs or anything) but it’s not hard for a malicious user to abuse this. It basically takes your IP address, looks up an estimated town based on some free geoip database you can download, and renders that as text inside an image.
This could be solved by rewriting comments to force image URLs to be loaded through your home server, but I don’t know if anyone has started work on that yet.
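The mitigation suggested in the comment above (rewriting comments so image URLs load through the home server), as an added example that is not from the thread or from Lemmy's code. The host `lemmy.example` and the `/proxy/image?url=` endpoint are hypothetical; the endpoint is assumed to fetch the image server-side so the remote host sees the instance's IP instead of the reader's.

```python
import re
from urllib.parse import quote, urlsplit

HOME_HOST = "lemmy.example"        # assumption: the reader's home instance
PROXY_PATH = "/proxy/image?url="   # hypothetical endpoint, not a real Lemmy route

# Markdown inline image: ![alt](url) or ![alt](url "title").
# Plain links [text](url) are left alone: they are only fetched on click.
IMAGE_RE = re.compile(
    r'!\[(?P<alt>[^\]]*)\]\(\s*(?P<url>[^\s)]+)(?P<title>\s+"[^"]*")?\s*\)'
)

def proxied(url: str) -> str:
    """Return url unchanged if it is local, else a home-instance proxy URL."""
    try:
        host = (urlsplit(url).hostname or "").lower()
    except ValueError:             # malformed URL, e.g. a broken IPv6 literal
        return url
    if not host or host == HOME_HOST:
        return url                 # relative path, data: URI, or already local
    if url.startswith("//"):       # protocol-relative URLs also hit a remote host
        url = "https:" + url
    return f"https://{HOME_HOST}{PROXY_PATH}{quote(url, safe='')}"

def rewrite_comment(markdown: str) -> str:
    """Rewrite every remote embedded image in a comment to load via the proxy."""
    def repl(m: re.Match) -> str:
        return f"![{m['alt']}]({proxied(m['url'])}{m['title'] or ''})"
    return IMAGE_RE.sub(repl, markdown)

# Constructed sample comment: one remote image, one local image, one plain link.
SAMPLE = (
    "look ![sig](http://tracker.example/sig.png?u=1) "
    "and ![ok](/images/local.png) and [a link](http://tracker.example/page)"
)

if __name__ == "__main__":
    print(rewrite_comment(SAMPLE))
```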
It basically takes your IP address, looks up an estimated town based on some free geoip database you can download, and renders that as text inside an image.
There have been tools to generate little images like this that people have been sticking inline in forum posts for decades. Literal decades. The world has not yet caught fire because of that, either.
If you’re old enough, you’ll remember seeing oodles of people’s forum signatures containing a smiley face holding up a sign containing something like this:
[This comment has been deleted by an automated system]
wtf
OK, less magic than expected.
You used to be able to embed arbitrary HTML in comments, which was awesome and terrifying.
That’s crazy, it knows where I live.
I'm scared
I'm just south of Okotoks, kind of a small world out here.
deleted by creator
Yeah, I saw your other comment. Still kinda funny to me tho. I use a VPN router, multi-WAN, so not really too worried.