Embedded images and your privacy

Status
This thread has been locked.

1337 (Supreme)
> My apologies, I'd thought it would go without saying. However, after the failure to foresee the extent of the abuse, make the entire staff team and most importantly, administration aware of that fact, and then appropriately resolve it before these actions became necessary, I completely understand your assumption that it might not be implicit.
> As a precautionary measure, I've updated our staff's guidelines to ensure that issues like this do not get left behind amidst the constant flood of ordinary reports and support requests in the future. Something I failed to do when initially drafting the guidelines.
> It is without question that the fact that we had to resort to disabling the embed feature was due to our lack of foresight and diligence, and I have no intentions of reliving the embarrassment that is having needed to create this thread.
I think that's the best answer I've ever seen on MCM in regards to an issue from a staff member, I hope you mean what you're saying and that this is an isolated incident. I appreciate the fact you genuinely admitted to a mistake instead of trying to play it off :tup:
 

Harry (Management)
> I think that's the best answer I've ever seen on MCM in regards to an issue from a staff member, I hope you mean what you're saying and that this is an isolated incident. I appreciate the fact you genuinely admitted to a mistake instead of trying to play it off :tup:
I have to agree, as throughout the incident, Justis kept me informed of his actions, and took the time to read my long/detailed messages via DM, discussing the situation as a whole while actually trying to find a temporary solution, and explaining the situation to anyone else involved.

I must commend him for that as it must have been a stressful and time-consuming incident to deal with.
 

Theo J (Supreme)
> The proxy will be set up very soon, hopefully within the next few hours. We apologise for the delay in fixing this issue and would like to emphasise that user security is our top priority.
"Few" a.k.a. 2-3.
Posted at 4:45 PM PT, Currently 11:45 PM PT. Nice!
 

Harry (Management)
> "Few" a.k.a. 2-3.
> Posted at 4:45 PM PT, Currently 11:45 PM PT. Nice!
Yeah, but as the vulnerability aspect of the situation has been dealt with, there's no need for them to rush out a proxy that could have a similar vulnerability if not implemented correctly.

For the moment, attach images to the thread, or use https://imgur.com as it's currently supported.
 

Stefatorus (Premium)
In my opinion, the fact that third-party images are currently only shown as links affects larger resource authors, because it would take ages for us to convert everything to attachments. I, for example, have all my pictures for my resources on my home server, not on imgur, so it would take the conversion of at least 20 images to completely go through all the things I had put up here.

Hosting a proxy on a remote machine seems easily done and I can't understand why it would take more than 5 hours to implement one.
 

Harry (Management)
> In my opinion, the fact that third-party images are currently only shown as links affects larger resource authors, because it would take ages for us to convert everything to attachments. I, for example, have all my pictures for my resources on my home server, not on imgur, so it would take the conversion of at least 20 images to completely go through all the things I had put up here.
>
> Hosting a proxy on a remote machine seems easily done and I can't understand why it would take more than 5 hours to implement one.
As stated, this is a temporary solution though, and it's inconvenient but for the moment, it protects the data of everyone.

Maybe leave the links as is until the image proxy is added.
 

Stefatorus (Premium)
> As stated, this is a temporary solution though, and it's inconvenient but for the moment, it protects the data of everyone.
>
> Maybe leave the links as is until the image proxy is added.
Yeah, I guess it's fine as it's a temporary solution. I just hope that I won't have to do the work manually after the change is done.
 

Harry (Management)
> Yeah, I guess it's fine as it's a temporary solution. I just hope that I won't have to do the work manually after the change is done.
You shouldn't have to, and that's my understanding from talking with Justis.

Once the image proxy has been added, all previous images should work as usual, but displayed via a proxy to prevent this vulnerability.
 

Medi (Premium)
> As some of you may have noticed from our recent tweet, we've disabled the embedding of images from untrusted sites for the time being. I'm here to elaborate for those concerned.
>
> When you visit any website, you expose your IP to that website.
> This is because you're downloading information from its host: their web page's HTML, CSS, images/media, etc.
>
> Alongside attachments, which allow users to upload their images and attach them to their posts, it has long been a feature that users were able to embed externally hosted images via the img tag, meaning viewers of the image would download the image from its place of origin and it would be placed in that spot on the post.
> That embedding feature is what's been temporarily disabled, and is why most of your images will now only display as a link to those websites.
> A reminder that you may still use our attachment feature. If you embed external images in your product/service threads, please swap them out for attachments for the time being.
>
> The concern is that because you download the images as soon as you load the page, rather than being able to see the link and decide for yourself whether or not you want to visit and expose your IP address to that website, you may potentially be exposing your IP to those you'd rather not have it.
>
> Unranked members reading this may have noticed that their ability to send private messages was previously disabled. This was a precautionary means of preventing the possibility of users joining our site to target our users by sending them private messages with embedded images that make a point of actually recording/logging the IPs visiting them, thus being able to associate the IP with a particular member.
> The ability to associate it with someone is why conversations were disabled specifically, which was not a concern anywhere else on our site, where the viewers of the media are not isolated to anyone in particular.
>
> Threads regarding this abuse method were previously deleted from public view while Jayson and I worked out a more satisfying temporary solution to the potential privacy concern (the disabling of embedded images from untrusted sites).
> As many of you realize, there is no place that malicious and toxic people get drawn to more than places where they can gain attention and controversy.
> In order to prevent those with bad intentions from being encouraged to abuse the privacy of their fellow MCM users through those disclosing the means of doing so via threads, these threads were removed until the embedding had been disabled.
>
> I've personally sent out private messages to many of those who seemed concerned in these threads, and apologized. All were cooperative and I'd like to thank you guys sincerely for that.
>
> I'd like to clarify to a few people who seemed to believe that perhaps MCM's database had been breached. This is not the case at all. Embedded external images have been a long-standing, unquestioned feature used by and for our community. It is merely the possibility of targeting via this feature that has resulted in these actions.
> Your privacy and security are always our greatest concern.
>
> Mick will be setting up a proxy for MCM as soon as he becomes available, which will allow the embedding of external images while shielding the privacy of our members by hiding your IP behind our own proxy's IP.
>
> Thank you for understanding and your patience in the meantime.
> If you have any concerns, I'm happy to address them.
[attached image: upload_2018-11-15_7-14-1.png]
Yep quality work
 


Ajdin (Supreme)
> Mick will be setting up a proxy for MCM as soon as he becomes available, which will allow the embedding of external images while shielding the privacy of our members by hiding your IP behind our own proxy's IP.
God no. By doing this, MCMarket will pull all images instead so you'd directly be exposing your server IP to the public rendering Cloudflare's DDoS protection useless.

If y'all actually listened to the community this would have been handled ages ago: https://www.mc-market.org/threads/314402/#post-3450722

Whatever you do, just using XenForo's built-in proxy feature without any additions will result in a far greater security concern for MCM.

What about getting someone who actually knows what they are doing to set it up.
 

Jayson (Supreme)
> God no. By doing this, MCMarket will pull all images instead so you'd directly be exposing your server IP to the public rendering Cloudflare's DDoS protection useless.
>
> If y'all actually listened to the community this would have been handled ages ago: https://www.mc-market.org/threads/314402/#post-3450722
>
> Whatever you do, just using XenForo's built-in proxy feature without any additions will result in a far greater security concern for MCM.
>
> What about getting someone who actually knows what they are doing to set it up.
Don’t worry, we’ve already addressed that and we’ll be using an external proxy hosted on a separate server.
 

Harry (Management)
> God no. By doing this, MCMarket will pull all images instead so you'd directly be exposing your server IP to the public rendering Cloudflare's DDoS protection useless.
>
> If y'all actually listened to the community this would have been handled ages ago: https://www.mc-market.org/threads/314402/#post-3450722
>
> Whatever you do, just using XenForo's built-in proxy feature without any additions will result in a far greater security concern for MCM.
>
> What about getting someone who actually knows what they are doing to set it up.
As Jayson said, they've already figured out the best way to implement this and, I'm pretty sure it has already been mentioned in the thread that an external proxy will be used.

Image proxying was never enabled due to the exact reason you've just mentioned.

Furthermore, your thread regarding the proper implementation of SSL, though related, didn't actually grasp the security vulnerability that has sparked this entire situation.
 

y0jJJyeDYzRTYomFX (Deactivated)
My thread is now 100% sexier.
[attached image: t2osd.png]

Jokes aside, it's nice to see MC-Market is taking a stance on privacy and security.
 


Ivain (Supreme)
So I've got a bit of a question regarding this. I'm no expert, but do "tracker blocker" addons like Blur or PrivacyBadger negate the IP-logging effect of embedded images, or not?
 

Jayson (Supreme)
> So I've got a bit of a question regarding this. I'm no expert, but do "tracker blocker" addons like Blur or PrivacyBadger negate the IP-logging effect of embedded images, or not?
If I remember correctly, they're more focused on blocking the act of tracking through cookies and sending Do Not Track signals (which websites don't have to comply with).
 

Stefatorus (Premium)
> So I've got a bit of a question regarding this. I'm no expert, but do "tracker blocker" addons like Blur or PrivacyBadger negate the IP-logging effect of embedded images, or not?
The way the malicious users abused the issue was that they had the images on their own servers, which they could then use to log the IPs of the people viewing an image. Depending on the target audience (e.g. images in private chat), the person could associate the IPs of the people seeing the image with the people that have access to see that image.

Definitely needs some effort put into it, but it does pose a security risk due to doxing, DoSing, etc.
 

NickE (Premium)
> Don’t worry, we’ve already addressed that and we’ll be using an external proxy hosted on a separate server.
People will know the separate server's IP, so RIP MCM images?
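The signed image proxy the staff describe (and the concerns raised above about where it runs and whose IP it exposes), as an added example; this is not MC-Market's or XenForo's code. It assumes a hypothetical proxy host img-proxy.example.net, a hypothetical shared secret, a trusted-host list containing i.imgur.com, and an injected resolve() function standing in for DNS so it runs offline. The forum side rewrites each untrusted img src into a URL on the proxy host signed with HMAC-SHA256; the proxy side verifies that signature and refuses to fetch from non-public addresses before it touches the network.

```python
"""Added example (not the forum's or XenForo's code): a camo-style signed
image proxy. Hostnames, secret and the resolve() hook are assumptions."""
import hashlib
import hmac
import ipaddress
import re
from urllib.parse import urlparse

PROXY_BASE = "https://img-proxy.example.net"      # hypothetical proxy host
SHARED_SECRET = b"replace-with-32-random-bytes"    # hypothetical shared secret
TRUSTED_HOSTS = frozenset({"i.imgur.com"})         # hosts left un-proxied

# Only handles double-quoted src attributes; a real forum would hook its HTML
# renderer instead of regex-rewriting the post body.
IMG_SRC_RE = re.compile(r'(<img\b[^>]*\bsrc=")([^"]+)(")', re.IGNORECASE)


def sign(secret: bytes, url: str) -> str:
    """HMAC-SHA256 of the original URL; without it the proxy is an open fetcher."""
    return hmac.new(secret, url.encode("utf-8"), hashlib.sha256).hexdigest()


def proxy_url(secret: bytes, url: str) -> str:
    """Encode one external URL as /<hmac>/<hex(url)> under the proxy host."""
    return f"{PROXY_BASE}/{sign(secret, url)}/{url.encode('utf-8').hex()}"


def rewrite_post_html(secret: bytes, html: str, trusted=TRUSTED_HOSTS) -> str:
    """Forum side: rewrite every absolute <img src> whose host is not trusted."""
    def repl(m):
        src = m.group(2)
        host = (urlparse(src).hostname or "").lower()
        if not src.lower().startswith(("http://", "https://")) or host in trusted:
            return m.group(0)   # attachments (relative URLs) and trusted hosts stay
        return m.group(1) + proxy_url(secret, src) + m.group(3)
    return IMG_SRC_RE.sub(repl, html)


def decode_proxy_path(secret: bytes, path: str):
    """Proxy side: recover the original URL only if the signature verifies."""
    parts = path.strip("/").split("/")
    if len(parts) != 2:
        return None
    digest, hex_url = parts
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        return None
    try:
        url = bytes.fromhex(hex_url).decode("utf-8")
    except ValueError:
        return None
    if not hmac.compare_digest(digest, sign(secret, url)):
        return None
    return url


def is_safe_destination(url: str, resolve) -> bool:
    """SSRF guard for the fetch: http(s) only, default ports, no credentials,
    and every address the host resolves to must be globally routable.
    resolve(host) returns the host's IP strings; it is injected so this runs
    offline. A real proxy should connect to the addresses it checked, not
    re-resolve, to avoid DNS rebinding between check and fetch."""
    p = urlparse(url)
    try:
        port = p.port
    except ValueError:
        return False
    if p.scheme not in ("http", "https") or not p.hostname:
        return False
    if port not in (None, 80, 443) or p.username or p.password:
        return False
    addrs = resolve(p.hostname)
    return bool(addrs) and all(ipaddress.ip_address(a).is_global for a in addrs)


def handle_proxy_request(secret: bytes, path: str, resolve):
    """Return (status, url): 403 bad signature, 400 unsafe target, 200 ok."""
    url = decode_proxy_path(secret, path)
    if url is None:
        return 403, None
    if not is_safe_destination(url, resolve):
        return 400, url
    # Fetch url here. The image host sees only the proxy's egress address,
    # never the viewer's, and never the forum origin's if the proxy is a
    # separate machine.
    return 200, url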
 