Not a Bug Embedded images in conversation allow for easy IP address theft

Discussion in 'Resolved Bug Reports' started by mm55mm, Feb 26, 2015.

  1. mm55mm

    mm55mm Member

    The option to embed images in conversations leaves a HUGE opportunity for malicious users to obtain sensitive personal data of arbitrary forum members such as IP address, device type, OS, ISP, location.

    Embedded images in private conversations should be disabled by default, but what I find even more surprising is the lack of a setting in the admin panel to turn off image embedding in conversations.

    Could you please instruct us how to prevent image embedding in conversations ASAP? Thanks!
     
  2. Mike

    Mike XenForo Developer Staff Member

    If you're concerned about this, you should be enabling the image proxy.

    The same concept applies with an image being embedded in a thread or even a link being clicked. The IP, user agent, etc. are simply not private information when connecting to a server. You can't truly prevent access to that.
     
  3. mm55mm

    mm55mm Member

    Thank you for the prompt response.
    I am very much aware of the concept; it's nothing special really. However, I still think having embedded images in conversations is a privacy issue. Please compare the different cases:
    • Image embedded in a thread. You can only obtain a list of all the IP addresses of visitors who opened a thread (including guests). You cannot possibly determine which IP address belongs to a certain user.
    • A link being clicked. Of course you can obtain user data by making them click on an external link, but this does not compare to simply opening a conversation.
    • Image embedded in a conversation. Anyone can easily obtain other members' sensitive data by simply starting a conversation with them.
    Just recently on our forums certain users have started posting other members' private data. We found out they used the technique of embedding a tiny image inside conversations. This had a devastating effect on our community. The malicious users were not even highly skilled. They simply embedded an image from one of the many website stats services and had the private data served on a silver platter.

    Coming from phpBB, there was an option to allow/disallow images embedded in private messages:
    Is there no easy way to do this in XenForo?

    Is it possible to enable image proxy only for images embedded in conversations?
     
    Last edited: Feb 26, 2015
  4. Liam W

    Liam W Well-Known Member

    IP addresses aren't private information.
     
  5. Mike

    Mike XenForo Developer Staff Member

    There is no way to disable images in conversations or just enable the proxy in conversations. I can't say I've seen requests for either before.

    If you're going to enable the proxy, it seems to make sense to do it everywhere. If this is something you're concerned about, I would certainly enable the proxy. You can create the issue in pretty much any context, though it may be slightly less direct than using a conversation or requiring a bit more work.
     
    Liam W likes this.
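The image proxy Mike recommends works by rewriting remote image URLs in rendered content so that the reader's browser only ever contacts the forum itself, which then fetches the image server-side. The sketch below is an added example written for this thread, not XenForo's own code; the endpoint path, parameter names, secret and signing scheme are assumptions, and the HMAC is there so the proxy endpoint cannot be abused as an open proxy.

```python
import hashlib
import hmac
import re
from urllib.parse import quote, unquote

# Constructed per-site secret; a real deployment would load this from config.
PROXY_SECRET = b"constructed-example-secret"
PROXY_ENDPOINT = "/proxy.php"  # assumed endpoint path

IMG_SRC_RE = re.compile(r'(<img\b[^>]*\bsrc=")([^"]+)(")', re.IGNORECASE)


def sign_url(url: str) -> str:
    """HMAC over the original URL so the proxy only fetches URLs this site emitted."""
    return hmac.new(PROXY_SECRET, url.encode(), hashlib.sha256).hexdigest()


def proxy_url(url: str) -> str:
    """Build the proxied form of a remote image URL (assumed parameter names)."""
    return f"{PROXY_ENDPOINT}?image={quote(url, safe='')}&hash={sign_url(url)}"


def rewrite_images(html: str) -> str:
    """Rewrite every remote <img src> so the viewer's browser never contacts
    the image host directly; relative/local images are left untouched."""
    def repl(m: re.Match) -> str:
        src = m.group(2)
        if src.startswith(("http://", "https://")):
            return m.group(1) + proxy_url(src) + m.group(3)
        return m.group(0)
    return IMG_SRC_RE.sub(repl, html)


def verify_proxy_request(image_param: str, hash_param: str):
    """Server side of the proxy: return the URL to fetch only if the signature
    matches, otherwise None (rejects tampered or attacker-chosen URLs)."""
    url = unquote(image_param)
    if not hmac.compare_digest(sign_url(url), hash_param):
        return None
    return url
```

The proxy handler would then fetch the verified URL itself and stream the bytes back, so the remote host sees the forum server's address rather than the member's.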
