Note: This post now archived and as such no longer works
This is possible because Lemmy doesn’t proxy external images but instead loads them directly. While not all that bad, this could be used for Spy pixels by nefarious posters and commenters.
Note, that the only thing that I willingly log is the “hit count” visible in the image, and I have no intention to misuse the data.
Notably, this allows remote parties to associate your IP address with your interests, as revealed by the Lemmy communities that you browse.
One way is for the image host to use the HTTP Referer field. (Standards-respecting web browsers pass the URL of the web page being viewed to the server hosting the image.)
Another way is by posting an image with a unique URL.
Even if Referer is withheld and the image is not unique, the image host can still do basic fingerprinting of your client’s request header and your OS’s TCP quirks, and associate that fingerprint with your IP address.
An option for Lemmy to proxy media would be very helpful. Small instances could perhaps disable it, although they might not need to, since the additional load would scale with the number of users on that instance.
Were you expecting otherwise? Loading an external image is no different than loading an external website with images. Lemmy and reddit are link aggregators, not proxies. Having to proxy everything would run a significant bandwidth for instance admin who are often paying out of pocket for hosting.
deleted by creator
How do you get an image to run code? I guess I somehow missed something important in website development.
Edit: I saw that you said you’re using Pillow to actually render the image from code. That’s neat! …and scary
Share source code? I’m curious
It’s just a simple Flask server. I parse the user-agent using the
user_agentsPython library, apply some conditionals upon the result, render the image using Pillow and send it to the user.
Oh neat, Jerboa doesn’t identify itself. Cool.
deleted by creator
I’m also on jerboa, but a Samsung with GPS, and it also tells me unknown device. Must be jerboa
It says unknown (mobile?) client for me too, using Sync with Bluetooth and location enabled and Play Store Services installed.
Whoever wrote that image tracking over-hyped it?
The user-agent detection definitely isn’t great, this was just meant as a quick proof of concept for anyone curios.
It successfully identified Firefox when I checked it from the browser. Maybe some of the apps don’t identify themselves in the useragent string?
VPN using Librewolf user checking in. This post got nothing on me.
All these people correcting the result effectively giving useful data to improve data collection and detection methods.
Man, I remember I scared the crap out of trolls on Reddit when we started arguing over DM, and I added a link to a meme that tracked their IP and system info (without them knowing ofc). Let’s just say they went AFK quickly after that. Good times!
Lemmy clients should really include an option to group or only show the first instance of a link for cases like this; where the same link is posted to multiple places.
So what is happening if I don’t see an image?
it is because the website providing the image is overloaded and cannot create an image.
You just have to reload the image and eventually you will see one.
for a little extra creepiness, modify the image-generating script to add geoip location data and http referer to the image.
