this post was submitted on 18 Mar 2025
289 points (98.3% liked)


cross-posted from: https://lemmy.today/post/25826615

For those not familiar, there are numerous messages containing images being repeatedly spammed to many Threadiverse users talking about a Polish girl named "Nicole". This has been ongoing for some time now.

Lemmy permits external inline image references to be embedded in messages. This means that if a unique image URL or set of image URLs are sent to each user, it's possible to log the IP addresses that fetch these images; by analyzing the log, one can determine the IP address that a user has.

In some earlier discussion, someone had claimed that local lemmy instances cache these on their local pict-rs instance and rewrite messages to reference the local image.

It does appear that there is a closed issue on the lemmy issue tracker referencing such a deanonymization attack:

https://github.com/LemmyNet/lemmy/issues/1036

I had not looked into these earlier, but it looks like such rewriting and caching intended to avoid this attack is not occurring, at least on my home instance. I hadn't looked until the most-recent message, but the image embedded here is indeed remote:

https://lemmy.doesnotexist.club/pictrs/image/323899d9-79dd-4670-8cf9-f6d008c37e79.png

I haven't stored and looked through a list of these, but as I recall, the user sending them is bouncing around different instances. They certainly are not using the same hostname for their lemmy instance as the pict-rs instance; this message was sent from nicole92 on lemmy.latinlok.com, though the image is hosted on lemmy.doesnotexist.club. I don't know whether they are moving around where the pict-rs instance is located from message to message. If not, it might be possible to block the pict-rs instance in your browser. That will only be a temporary fix, since I see no reason that they couldn't also be moving the hostname on the pict-rs instance.

Another mitigation would be to route one's client software or browser through a VPN.

I don't know if there are admins working on addressing the issue; I'd assume so, but I wanted to at least mention that there might be privacy implications to other users.

In any event, regardless of whether the "Nicole" spammer is aiming to deanonymize users, as things stand, it does appear that someone could do so.

My own take is that the best fix here on the lemmy-and-other-Threadiverse-software-side would be to disable inline images in messages. Someone who wants to reference an image can always link to an external image in a message, and permit a user to click through. But if remote inline image references can be used, there's no great way to prevent a user's IP address from being exposed.

If anyone has other suggestions to mitigate this (maybe a Greasemonkey snippet to require a click to load inline images as a patch for the lemmy Web UI?), I'm all ears.
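As an added example of the click-to-load idea the post asks about (this is not code from the post, from Lemmy, or from any Lemmy client), here is a Greasemonkey-style userscript. It treats an `<img>` as remote when its URL resolves to an origin other than the page's own, replaces it with a link that reveals only the image host, and fetches the image only when the reader clicks. The `@match` pattern uses lemmy.latinlok.com, the instance named above, purely as a placeholder; the helper names `isRemoteImage` and `remoteImageHosts` are mine. One caveat a practitioner should keep in mind: a userscript can only act after the element exists, so it cannot guarantee the browser has not already started the request; the reliable mitigations remain an instance-side image proxy or a browser-level blocker for third-party images.

```javascript
// ==UserScript==
// @name         Click-to-load remote inline images (added example, not from the thread)
// @match        https://lemmy.latinlok.com/*
// @run-at       document-start
// @grant        none
// ==/UserScript==

// True when fetching `src` would contact a host other than the instance that
// served the page, i.e. a server that would learn the reader's IP address.
function isRemoteImage(src, pageOrigin) {
  let url;
  try {
    url = new URL(src, pageOrigin); // relative paths resolve to the instance itself
  } catch (e) {
    return true; // unparseable: treat as untrusted
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return false; // data:/blob: URLs trigger no network request
  }
  return url.origin !== pageOrigin; // scheme, host and port must all match
}

// Count the remote hosts referenced by a list of image URLs (e.g. copied from
// several DMs) to see whether they all point at the same image host.
function remoteImageHosts(srcs, pageOrigin) {
  const hosts = {};
  for (const src of srcs) {
    if (!isRemoteImage(src, pageOrigin)) continue;
    let host = "(unparseable)";
    try { host = new URL(src, pageOrigin).hostname; } catch (e) {}
    hosts[host] = (hosts[host] || 0) + 1;
  }
  return hosts;
}

// Swap one remote <img> for a link; the image is requested only on click.
function replaceWithLink(img, pageOrigin) {
  const src = img.getAttribute("src") || "";
  let host = "unknown host";
  try { host = new URL(src, pageOrigin).hostname; } catch (e) {}
  const link = img.ownerDocument.createElement("a");
  link.href = src;
  link.textContent = `[load remote image from ${host}]`;
  link.addEventListener("click", (ev) => {
    ev.preventDefault();
    link.replaceWith(img); // explicit user action: now let the browser fetch it
  });
  img.replaceWith(link);
}

// Sweep existing <img> elements and watch for ones the client-rendered UI adds later.
function install(doc, pageOrigin) {
  const seen = new WeakSet();
  const check = (node) => {
    if (node.nodeType !== 1) return; // elements only
    const imgs = node.tagName === "IMG" ? [node] : node.querySelectorAll("img");
    for (const img of imgs) {
      if (seen.has(img)) continue;
      seen.add(img);
      if (isRemoteImage(img.getAttribute("src") || "", pageOrigin)) {
        replaceWithLink(img, pageOrigin);
      }
    }
  };
  new MutationObserver((records) => {
    for (const r of records) r.addedNodes.forEach(check);
  }).observe(doc.documentElement, { childList: true, subtree: true });
  check(doc.documentElement);
}

// Only run the DOM part in a browser; the helpers above work headlessly too.
if (typeof document !== "undefined" && typeof location !== "undefined") {
  install(document, location.origin);
}
```

`remoteImageHosts` is also handy on its own: paste the image URLs from a batch of these DMs into the browser console and it tells you whether they share one host (one host for everyone argues against per-user tracking URLs; many distinct hosts or paths argues for caution).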

[–] DieserTypMatthias@lemmy.ml 2 points 3 hours ago (1 children)

Isn't it anonymized? Because when I posted a blog post to a community and I headed to Blogger analytics, I saw a bunch of views from OpenGraph. AFAIK this is from scrolling on Lemmy.

[–] tfm@europe.pub 1 points 2 hours ago

It depends on the instance configuration. If images are proxied, no traffic should show up.

[–] LemUrun@pawb.social 0 points 3 hours ago (1 children)
[–] tfm@europe.pub 1 points 2 hours ago

They use different images.

[–] prole@lemmy.blahaj.zone 13 points 11 hours ago (1 children)

Thanks, I just double-checked to make sure my VPN was on for my phone as well... I got fourteen of them today. That's... Weird.

[–] limer@lemmy.dbzer0.com 5 points 8 hours ago

Sounds more like a self replicating malware somewhere, probably in some totally unrelated Wordpress plugin on unrelated sites scattered about

[–] ptz@dubvee.org 87 points 19 hours ago* (last edited 16 hours ago) (1 children)

If anyone has other suggestions to mitigate this (maybe a Greasemonkey snippet to require a click to load inline images as a patch for the lemmy Web UI?), I'm all ears.

Tesseract dev here.

For what it's worth, I went back through and checked my DMs from "Nicole" and they're all uploads directly to the home instance the DM came from (e.g. they went through pict-rs, and only the instance admins would be able to see the client IPs in their access logs). So, this doesn't seem like a de-anonymization attack, though all it would take is "Nicole" to start hosting the images somewhere they control to achieve that effect.

Safety Precautions Available in Tesseract

Use Tesseract's Image Proxy

It has the ability to proxy images (separately / better than the Lemmy built-in method) both local and remote (e.g. to outside image hosts). The hosted instance (tesseract.dubvee.org) has that enabled but each user must enable it in settings (Settings -> Media -> Proxy Images).

For Tesseract installs run by other instances, it would need the server-side component enabled by the instance admins before the user setting will show up to be enabled by the user.

If you see the "Proxy Images" options in Settings -> Media, then the admins have enabled the server-side component. If not, you'll need to ask the admins to configure/enable media proxying. If you're self-hosting it, then it may not provide any additional privacy unless you're running it in a cloud server or somewhere other than where you're accessing it.

Disable Inline Images

It also has the option to disable inline images (Settings -> Post and Comments -> Inline Images). I've confirmed this also works for DMs. With inline images disabled, instead of the image, the alt text, if available, will be linked to the image. If no alt text, then the image URL will be a clickable link. In either case, clicking the image link will load it in a modal on-demand.

Coming Soon (Released Just Now in 1.4.32)

After reading this post, as a precaution, I'm going to push out a hotfix (hopefully this evening) that will disable inline images in DMs by default. If someone you trust DMs you, you can just click on the image link to view it in a modal (like any other link preview).

Testing this feature now and should have it released this evening. Works like email clients when you disable inline images; a button/switch will appear at the top if it detects there are images / media embedded which will allow you to show the images; defaults to off.

Tesseract DM view with inline images disabled by default

Tesseract DM view with inline images enabled per-message

[–] SidewaysHighways@lemmy.world 17 points 18 hours ago (1 children)

thanks for your time and effort!

[–] ptz@dubvee.org 18 points 18 hours ago (2 children)

Not to be snarky (ok, a little snarky lol), but I don't see the Lemmy devs stepping up to do anything about this. Still can't even delete DMs.

[–] wjs018@piefed.social 3 points 11 hours ago (1 children)

Wow, I hadn't realized until you pointed it out that you can't delete PMs (I guess without getting admins to fiddle with the db). I still use my lemmy account to moderate some lemmy communities, but I am appreciating using piefed as my threadiverse consumption platform more and more.

[–] ptz@dubvee.org 2 points 3 hours ago

Yeah, I'm actually planning to see about trying to migrate from Lemmy to Piefed (as an instance). Rimu said it's technically possible but will need some manual work to ETL the data over. Hoping to start poking around and making some attempts soon-ish. Right now, still just doing my homework and familiarizing myself with Piefed.

[–] Jakeroxs@sh.itjust.works 4 points 17 hours ago (1 children)

You could contribute upstream

[–] ptz@dubvee.org 16 points 17 hours ago (1 children)

I have absolutely no desire to use or learn Rust and even less desire to deal with those devs.

[–] rozlav@lemmy.blahaj.zone 3 points 14 hours ago (2 children)

Those devs meaning ? If there are any issues or links that can make me understand this I would like to know thank you (o・ω・o)

[–] ptz@dubvee.org 5 points 14 hours ago* (last edited 14 hours ago)

It's a long history of Github, Lemmy, and admin chat interactions that culminate in my desire to never willingly interact with them again. It's just too much and too off-topic to post here.

[–] hakase@sh.itjust.works 2 points 14 hours ago

The Lemmy devs are outspoken tankies, so I'd understand why people would be reluctant to work directly with them.

[–] comfy@lemmy.ml 16 points 14 hours ago

GOOD LUCK WITH THAT IM BEHIND SEVEN PROXIES

[–] Nougat@fedia.io 56 points 18 hours ago

The one I got earlier today pleaded:

My dad just lost his job and I have no money for tuition next semester. Please help me raise money so I can keep going to school! Donate anything you can to these bitcoin and litecoin addresses <3

I don't think it's anything more complicated than trying to scam money from people.

[–] Kolanaki@pawb.social 9 points 13 hours ago (1 children)

If all they can get is an IP address I don't know why they need this ruse or what good it would do. Very few people are going to be coming from an IP that resolves to their actual residency, even if they're not using VPNs or proxies.

[–] bane_killgrind@slrpnk.net 6 points 12 hours ago

The more normies start using this, the more default config/ old as dirt routers will have some exploitable thing.

More than 10 years ago, I logged into the router of some guy on IRC and changed his pppoe username and password to 'pleaseinvestigateme' / 'iamapedophile' or something.

The IP he connected from was his home network, the router had default username and password. He disconnected when I hit save.

The guy was a pedo, fyi. Or trolling by saying he was.

[–] 0101100101@programming.dev 13 points 15 hours ago

Good stuff. I always thought the image was being used in a nefarious way but haven't had time to investigate

[–] JPAKx4@lemmy.blahaj.zone 7 points 16 hours ago (1 children)

Here is the URL of the one I was sent: https://lemmy.doesnotexist.club/pictrs/image/44f99f51-2ae9-49b0-b0c8-4ae4cb989690.png

It's potentially unique and not from a service by my instance or imgur, so the attack is feasible.

[–] SkaveRat@discuss.tchncs.de 18 points 20 hours ago

fwiw I got the exact image URL in a DM a couple minutes ago. so at least they are not mapping the uuid of the image to a DMd fedi user

[–] scutiger@lemmy.world 14 points 19 hours ago

I've received 4 of them so far, and the images were hosted on lemmy, including reputable instances, but never on the same instance as the message itself came from.

[–] SparrowHawk@feddit.it 8 points 17 hours ago

It's definitely something shady, someone is planning bad stuff for the fediverse

[–] hendrik@palaver.p3x.de 10 points 19 hours ago (7 children)

I wonder what the use case is for gathering IP addresses of random internet connections.

[–] FundMECFSResearch@lemmy.blahaj.zone 16 points 19 hours ago (12 children)

IP address is often enough to link data to a profile for data brokers. And Lemmy has so much valuable data, not only in posts or comments, but upvotes and downvotes etc. This could be someone making bank off selling data.

[Though other people investigating the url seem to be pretty sure the images don’t have a per user url, so this theory probably doesn’t hold]

[–] lemmyingly@lemm.ee 2 points 15 hours ago (1 children)

It could be reasonably innocent. Eg. A student doing a study on Lemmy and wants to see where the user base is roughly located. Since Lemmy has many privacy focused people on the platform, I doubt they would get many responses on a survey.

[–] hendrik@palaver.p3x.de 1 points 13 hours ago* (last edited 13 hours ago) (1 children)

Though, I seriously doubt it's a legitimate study. Standards dictate you'd do it with people's consent and inform them what's up. You'd get scolded by your professor if you did it like this. And I believe we do studies without explicit consent, but that's university level stuff and I suppose you'd have to file a request with the ethics committee and have someone look at the study layout. I'd say if it is a "study", it's probably illegitimate and done by someone without much academic background. Or they don't abide by the same standards all students do for specific reasons.

[–] JacksonLamb@lemmy.world 2 points 13 hours ago

Imagine explaining it to your professor. "Well, first I sent an image disguised as an unsolicited catfishing scam..."


yeah it could well be that something shady is going on here. maybe it would be a good idea to limit how many messages a user account may send to, let's say, 500 or sth.

that would make these scams/ads less doable.

[–] Lost_My_Mind@lemmy.world 5 points 17 hours ago (2 children)

Me: reads entire post

I have no idea what's being discussed here. Are you saying they're stealing your bank account numbers?

[–] tfm@europe.pub 18 points 16 hours ago

When the image of "Nicole" is loaded, your computer/phone connects to another server and transfers your IP address. But it currently looks like it's not that big of a problem. Still a fix will be implemented soon to prevent this.

[–] prole@lemmy.blahaj.zone 2 points 11 hours ago* (last edited 11 hours ago) (1 children)

Your IP address can be pegged to a location, so if you're not behind a VPN or some other tech to obscure your IP, then someone may be able to determine who and where you are from your Lemmy account.

Just a heads up, if I disappear and someone is reading this comment history after the fact: I will never kill myself, and maybe you need to look into this. As I said, I received fourteen of these messages today.

[–] Lost_My_Mind@lemmy.world 1 points 9 hours ago

I JUST got 2 of them today. Now I'm thinking it's because of this thread. I haven't gotten one since like.......September.

[–] land@lemmy.ml 7 points 19 hours ago (4 children)

I received two messages. The first one was on March 3rd, and the second one was on March 8th. I also received one a few months ago.

[–] sunzu2@thebrainbin.org 6 points 19 hours ago (1 children)

Does each message get a unique URL for the photos?

[–] RangerJosey@lemmy.ml 6 points 19 hours ago (2 children)

I got such a message but didn't reply. Seemed like a bot to me.

[–] SkaveRat@discuss.tchncs.de 16 points 19 hours ago (5 children)

the problem with this potential issue (if it indeed is one) is, that you don't need to reply. just opening the DM is enough

[–] tfm@europe.pub 10 points 19 hours ago

These are phishing bots. Never interact with them.

[–] poVoq@slrpnk.net 4 points 18 hours ago (5 children)

Lemmy does have a functional image proxy, but due to the storage and bandwidth requirements many larger instances have chosen to not enable it.
