this post was submitted on 18 Mar 2025
73 points (98.7% liked)

Privacy

5648 readers
104 users here now

A community for Lemmy users interested in privacy

Rules:

  1. Be civil
  2. No spam posting
  3. Keep posts on-topic
  4. No trolling

founded 2 years ago
MODERATORS
iopq@lemmy.world
73
I believe that the "Nicole" images being sent to Threadiverse users may be intending to deanonymize accounts (lemmy.today)
submitted 1 week ago* (last edited 1 week ago) by tal@lemmy.today to c/privacy@lemmy.world
64 comments fedilink hide all child comments
 

For those not familiar, there are numerous messages containing images being repeatedly spammed to many Threadiverse users talking about a Polish girl named "Nicole". This has been ongoing for some time now.

Lemmy permits external inline image references to be embedded in messages. This means that if a unique image URL or set of image URLs are sent to each user, it's possible to log the IP addresses that fetch these images; by analyzing the log, one can determine the IP address that a user has.

In some earlier discussion, someone had claimed that local lemmy instances cache these on their local pict-rs instance and rewrite messages to reference the local image.

It does appear that there is a closed issue on the lemmy issue tracker referencing such a deanonymization attack:

https://github.com/LemmyNet/lemmy/issues/1036

I had not looked into these earlier, but it looks like such rewriting and caching intending to avoid this attack is not occurring, at least on my home instance. I hadn't looked until the most-recent message, but the image embedded here is indeed remote:

https://lemmy.doesnotexist.club/pictrs/image/323899d9-79dd-4670-8cf9-f6d008c37e79.png

I haven't stored and looked through a list of these, but as I recall, the user sending them is bouncing around different instances. They certainly are not using the same hostname for their lemmy instance as the pict-rs instance; this message was sent from nicole92 on lemmy.latinlok.com, though the image is hosted on lemmy.doesnotexist.club. I don't know whether they are moving around where the pict-rs instance is located from message to message. If not, it might be possible to block the pict-rs instance in your browser. That will only be a temporary fix, since I see no reason that they couldn't also be moving the hostname on the pict-rs instance.

Another mitigation would be to route one's client software or browser through a VPN.

I don't know if there are admins working on addressing the issue; I'd assume so, but I wanted to at least mention that there might be privacy implications to other users.

In any event, regardless of whether the "Nicole" spammer is aiming to deanonymize users, as things stand, it does appear that someone could do so.

My own take is that the best fix here on the lemmy-and-other-Threadiverse-software-side would be to disable inline images in messages. Someone who wants to reference an image can always link to an external image in a messages, and permit a user to click through. But if remote inline image references can be used, there's no great way to prevent a user's IP address from being exposed.

If anyone has other suggestions to mitigate this (maybe a Greasemonkey snippet to require a click to load inline images as a patch for the lemmy Web UI?), I'm all ears.

top 50 comments
sorted by: hot top controversial new old
[–] Cypher@lemmy.world 16 points 1 week ago (3 children)

We used to do this on the EVE online forums until CCP caught on and banned inline images.

[–] UltraGiGaGigantic@lemmy.ml 8 points 1 week ago (1 children)

"Man, everyone is on planet earth. How boring"

[–] Cypher@lemmy.world 15 points 1 week ago (2 children)

We were using the IPs and post times to identify accounts, then checking IPs that connected to our VOIP servers so we could identify spies and either remove them or feed them false intel.

Basic counter-intel work and all for a video game heh.

[–] Zentron@lemm.ee 3 points 1 week ago

Jesus i miss that time , counter intel was so easy back then

[–] pootzapie@lemy.lol 3 points 1 week ago (1 children)

This sounds super cool and interesting, is there like a wiki I can read up about that stuff??

[–] Alloi@lemmy.world 6 points 1 week ago* (last edited 1 week ago) (1 children)

theres a whole documentary about it on youtube, check out the "down the rabbit hole" channel

its very long.

[–] pootzapie@lemy.lol 2 points 1 week ago

Ty :)

[–] FauxLiving@lemmy.world 3 points 1 week ago

spy

rho s quad best quad

[–] brygphilomena@lemmy.dbzer0.com 1 points 1 week ago

Some days, I am tempted to go back to playing eve. Ive got some good memories.

[–] rumschlumpel@feddit.org 9 points 1 week ago* (last edited 1 week ago) (2 children)

Interesting hypothesis.

[–] Justas@sh.itjust.works 6 points 1 week ago (2 children)

Yes, especially because many Lemmy users have some radical views.

[–] Clinicallydepressedpoochie@lemmy.world 5 points 1 week ago (1 children)

For real, totally tubular 🤙

[–] PriorityMotif@lemmy.world 3 points 1 week ago

!dull_mens_club@lemmy.world and !dullsters@dullsters.net are at the top of the list.

[–] forrgott@lemm.ee 4 points 1 week ago (2 children)

Yup. Especially with digital watermarking by modifying a pixel here or there - something you'd naturally need a computer to detect.

[–] milicent_bystandr@lemm.ee 5 points 1 week ago (1 children)

You don't need digital watermarking got for this. Just host the image at different URLs. evil.lemmy.org/nicole-mbystander.png and evil.lemmy.org/nicole-forrgott.png. (Really you'd use a random string and save in a database.) Then see what IP requests the -mbystander version and which the -forrgottt version, and you have our IP addresses.

load more comments (1 replies)
[–] tischbier@feddit.org 2 points 1 week ago* (last edited 1 week ago)

Steganography. Good point.

( This is how a lot of modern information caches have been dropped too: you can put entire documents in a few pixels. Steganography is just the act of hiding something inside another object. It’s an older spy technique than classic cryptography )

[–] EngineerGaming@feddit.nl 7 points 1 week ago (1 children)

Good luck, my IP consistently points to an entirely another city.

[–] HereIAm@lemmy.world 3 points 1 week ago (2 children)

Sure, but if you also logged into Facebook from that IP it's a pretty simple match up.

[–] EngineerGaming@feddit.nl 1 points 1 week ago

Yeah, I get it (barring the fact that literal Facebook is not even accessible from my IP lol). But whether this is useful, depends on who the attacker is. If we're talking about, say, a data broker - yeah. But would Jake from accounting have such "IP-account" logs?

[–] missandry351@lemmings.world 6 points 1 week ago (1 children)

Good luck doing that in Portugal the ips are all dynamic here

[–] reksas@sopuli.xyz 5 points 1 week ago

i think so too. And even if they wouldnt be doing this, we should still treat it as if they are and fix the problem of it being even possible to gather information about users using 0-click methods like this.

[–] ragebutt@lemmy.dbzer0.com 4 points 1 week ago

Way back in the days of somethingawful Lowtax, the admin and owner who was a spiteful shithead, would do a similar trick for sites that criticized him

He would register an account, show up, and chat everyone up. Act in on the joke. Eventually he would post a blank 1x1px image hosted on the somethingawful server in one of his comments. Then, he would view the logs that accessed the image. If any somethingawful members had an IP that matched the log they would be banned

For the young folks who didn’t exist in that era: this was pre Facebook and social media. SA was one of the biggest forums and most importantly it was also $10 to join, plus add ons like search, avatar, etc cost etc. would be like reddit costing money to join and then banning you because you posted here about how much reddit was shit compared to the old days

[–] DFX4509B_2@lemmy.org 3 points 1 week ago* (last edited 1 week ago)

I've been blocking and reporting these nicole accounts as spam bots lately. I hope this doesn't become as bad as the spam bots in the YT comments.

[–] RaoulDook@lemmy.world 3 points 1 week ago (1 children)

Might be good to think about fediverse security similar to email security, as they are both federated information sharing systems. Email has spam blocking, allowing for reputation checks and other complex stuff. I wonder if Lemmy instances could collaborate on a SpamHaus type of bad host / bad user list to use and share.

[–] Andromxda@lemmy.dbzer0.com 2 points 1 week ago

SpamHaus type of bad host

That already kinda exists: https://gui.fediseer.com/

[–] ArchmageAzor@lemmy.world 2 points 1 week ago (1 children)

My money says it's Russia trying to find potential political adversaries (people who don't agree with them)

[–] SkyezOpen@lemmy.world 3 points 1 week ago

Doed anyone know if Nicole has introduced herself to lemmygrad?

[–] TaviRider@reddthat.com 2 points 1 week ago (1 children)

iCloud Private Relay and similar relay services should also protect against IP tracking.

[–] AA5B@lemmy.world 2 points 1 week ago

PSA: check your private relay settings if you haven’t in a while

Mine was on but set to “maintain general area” so local content works.

[–] Vopyr@lemmy.world 2 points 1 week ago

Wait, I'm not the only one who received these strange messages from Nicole? Good thing I ignored them.

[–] nanook@friendica.eskimo.com 1 points 2 days ago

Since this is not an issue unique to lemmy, it's also a technique to find the IP address of a user using e-mail, send them an e-mail with a reference to a one-pixel image and look where the download comes from, it behooves those who lack the courage of their convictions and prefer to cower in anonymity to either use a VPN or Tor or both.

[–] xia@lemmy.sdf.org 1 points 1 week ago

That would require cooperation with the servers/dns involved. Though, it would be easy to disprove if people are getting identical image URLs.... we should test that!

load more comments
view more: next ›