Embedded images and your privacy

Status
This thread has been locked.

Justis

Community Member
Admin
As some of you may have noticed from our recent tweet, we've disabled the embedding of images from untrusted sites for the time being. I'm here to elaborate for those concerned.

When you visit any website, you expose your IP to that website.
This is because you're downloading information from its host, their web page's HTML, CSS, images/media, etc.

Alongside attachments, which allow users to upload their images and attach them to their posts, it has long been a feature where users were able to embed externally hosted images via the img tag. Meaning viewers of the image would download the image from the place of origin and it would be placed in that spot on the post.
That embedding feature is what's been temporarily disabled, and is why most of your images will now only display as a link to those websites.
A reminder that you may still use our attachment feature. If you embed external images in your product/service threads, please swap them out for attachments for the time being.

The concern is that because you download the images as soon as you load the page, rather than being able to see the link and decide for yourself whether or not you want to visit and expose your IP address to that website, you may potentially be exposing your IP to those you'd rather not have it.

Unranked members reading this may have noticed that their ability to send private messages was previously disabled. This was a precautionary means of preventing the possibility of users joining our site to target our users by sending them private messages with embedded images that make a point in actually recording/logging the IPs visiting it, thus being able to associate the IP with a particular member.
The ability to associate it with someone is why conversations were disabled specifically, which was not a concern for anywhere else on our site, where the viewers of the media are not isolated to anyone in particular.

Threads regarding this abuse method were previously deleted from public view while Jayson and I worked out a more satisfying temporary solution to the potential privacy concern. (The disabling of embedded images from untrusted sites).
As many of you realize, there is no place that malicious and toxic people get drawn to more than places where they can gain attention and controversy.
In order to prevent those with bad intentions from being encouraged to abuse the privacy of their fellow MCM users through those disclosing the means of doing so via threads, these threads were removed until the embedding had been disabled.

I've personally sent out private messages to many of those who seemed concerned in these threads, and apologized. All were cooperative and I'd like to thank you guys sincerely for that.

I'd like to clarify to a few people who seemed to believe that perhaps MCM's database had been breached. This is not the case at all. Embedded external images have been a long-standing, unquestioned feature used by and for our community. It is merely the possibility of targeting via this feature that has resulted in these actions.
Your privacy and security are always our greatest concern.

Mick will be setting up a proxy for MCM as soon as he becomes available, which will allow the use of embedded external images while shielding the privacy of our members by hiding your IP behind our own proxy's IP.

Thank you for understanding and your patience in the meantime.
If you have any concerns, I'm happy to address them.
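
The proxy approach described in the post above, sketched as an added example that is not part of the original post and is not MCM's or XenForo's code. The proxy endpoint, key, trusted-host list and the `image`/`hash` parameter names are assumptions; the point shown is that a reader's browser only ever requests images from the forum, and that the proxy fetches only URLs the forum itself signed.

```python
import hashlib
import hmac
import re
from html import escape
from urllib.parse import quote, unquote, urlsplit

# Every value here is an assumption made for the example.
PROXY_BASE = "https://forum.example/proxy.php"  # hypothetical proxy endpoint
PROXY_KEY = b"constructed-demo-key"             # server-side secret
TRUSTED_HOSTS = {"forum.example"}               # hosts the forum itself serves

IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)

# Constructed sample post: one third-party image, one hosted by the forum.
SAMPLE_POST = ("Check this [img]http://images.example/banner.png?id=42[/img] "
               "and [img]https://forum.example/attachments/1.png[/img]")


def sign(url: str) -> str:
    """HMAC the target URL so the proxy only fetches URLs the forum issued."""
    return hmac.new(PROXY_KEY, url.encode(), hashlib.sha256).hexdigest()


def proxied(url: str) -> str:
    return f"{PROXY_BASE}?image={quote(url, safe='')}&hash={sign(url)}"


def rewrite_post(bbcode: str) -> str:
    """Render [img] tags so a reader's browser only ever contacts the forum."""
    def render(match: re.Match) -> str:
        url = match.group(1).strip()
        try:
            parts = urlsplit(url)
        except ValueError:
            return "[image removed]"
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return "[image removed]"
        if parts.hostname not in TRUSTED_HOSTS:
            url = proxied(url)  # reader's IP reaches the proxy, not the image host
        return f'<img src="{escape(url, quote=True)}">'
    return IMG_TAG.sub(render, bbcode)


def proxy_accepts(image_param: str, hash_param: str) -> bool:
    """Proxy-side check: refuse any URL that does not carry the forum's HMAC."""
    expected = sign(unquote(image_param)).encode()
    return hmac.compare_digest(expected, hash_param.encode())


if __name__ == "__main__":
    print(rewrite_post(SAMPLE_POST))
```

The image host still sees a request, but it comes from the proxy's address rather than from the member who opened the message.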
 

ZPower

Experienced Manager | Networking Guru
Premium
Smart move. Glad you have plans to create a proxy.

Thanks Justice for all you do for MCM.
 

Mick

BuiltByBit Owner
Admin
Ah when Mick is available. So I assume we’ll see this Proxy sometime next year?
The proxy will be set up very soon, hopefully within the next few hours. We apologise for the delay in fixing this issue and would like to emphasise that user security is our top priority.
 

1337

ash is our purest form
Supreme
Instead of this, why not properly set up the image proxy beforehand and then implement it into MCM shortly after the current system is disabled to prevent an unneeded breakage and interruption of user experience...? Seems like a fairly basic concept to me, unless I'm missing something obvious here.
 

Justis

Community Member
Admin
A few users were inciting a panic over it, and spreading the method for abusing the embed feature in order to "spread awareness" so that users could "protect themselves".
It was initially our intention to set up the proxy first, but when people are giving something a lot of public attention, toxic people that want that attention will immediately do the worst thing they can in order to get it. So the embed feature was turned off to protect everyone just in case and put out the flames of panic that were being spread by those users.
 

Theo J

Entrepreneur | IB/CS Student
Supreme
Isn’t an image proxy a feature that already exists in XenForo? Correct me if I’m wrong. Pretty sure I’ve used it to always load http images through https.
 

Justis

Community Member
Admin
Turning that on without an actual proxy set up would mean exposing MCM's IP, and everyone that's been here since 2017 knows how much some individuals will jump at the opportunity to take us all down with a DDoS attack.
 

1337

ash is our purest form
Supreme
A few users were inciting a panic over it, and spreading the method for abusing the embed feature in order to "spread awareness" so that users could "protect themselves".
It was initially our intention to set up the proxy first, but when people are giving something a lot of public attention, toxic people that want that attention will immediately do the worst thing they can in order to get it. So the embed feature was turned off to protect everyone just in case and put out the flames of panic that were being spread by those users.
But it's been a well-known and discussed flaw for ages (months) now, wouldn't it make more sense to take 30 minutes, set up the proxy, then replace it instead of removing external images as a whole? Seems a bit like a rushed decision that wasn't fully thought out...
 

Justis

Community Member
Admin
Assuming that the proxy only took 30 minutes to set up as you are, the embed feature would only be disabled for 30 minutes, and the inconvenience would be nearly irrelevant.
In reality, I didn't personally have the ability to set up a proxy nor did I know exactly when the proxy would be set up.

Worst case scenario, we didn't disable embedding, setting up the image proxy ends up taking longer than expected, users continue to spread mass-panic, angry users take actions to defile our platform and malicious users try "making an example" by exploiting the embed feature and our users get targeted as a result.

I felt that was too much to risk over the possibility that maybe we could have gotten by just continuing to wait for the image proxy and hoping everything turned out fine until then by telling the users concerned that it'd be set up "soon".

It was solely my decision, and one that I was forced to make quickly, and I'll take complete responsibility for it.
I am truly sorry if the lack of embed feature comes as a major inconvenience until the proxy is set up.
 

1337

ash is our purest form
Supreme
While I do appreciate the situation you were in, I still believe it was a poor decision as now my, and many others' thread designs and signatures are unable to be accessed or viewed. I hope that at least some good comes out of this situation and in the future MCM will fix such security issues when first discovered instead of waiting for months after being initially disclosed (in this case, by Verringer) for it to be exploited before hastily removing a large aspect of the forums as a... let's say "less than optimal" attempt at damage control.
 

Justis

Community Member
Admin
If you need assistance converting from the img bbcode to attachments, please let me know, and I'll help you out.
The images are still accessible from the links that are currently filling in for the embedded image.
 

1337

ash is our purest form
Supreme
This wasn't the main point of my statement; I'm mainly pointing at the fact that instead of hastily having to come up with a last-minute solution due to it being exploited months after disclosure, it should probably be taken care of beforehand and when first disclosed in the future, especially for matters related to user security. Would it be safe to say this would be a future goal of yours and the MCM team?
 

Justis

Community Member
Admin
My apologies, I'd thought it would go without saying. However, after the failure to foresee the extent of the abuse, make the entire staff team and most importantly, administration aware of that fact, and then appropriately resolve it before these actions became necessary, I completely understand your assumption that it might not be implicit.
As a precautionary measure, I've updated our staff's guidelines to ensure that issues like this do not get left behind amidst the constant flood of ordinary reports and support requests in the future. Something I failed to do when initially drafting the guidelines.
It is without question that the fact that we had to resort to disabling the embed feature was due to our lack of foresight and diligence, and I have no intentions of reliving the embarrassment that is having needed to create this thread.
 