Possible security issue with images

Kyrne

Today, a user posted a photo on a discussion that had a grabify link that was an image. Flarm auto loaded that image for everyone, and everyone who viewed that discussion, had their ip sent to the guy. Any idea how I could prevent this in the future?

webeindustry

Kyrne

What is an "up"? ~~Do you mean user password?~~

jordanjay29

He means IP. Typo. From chat:

Charlie @issyrocks12
Flarum auto loads images, if it's grabify, all the ips of people who visit the forum are sent to the person

webeindustry

That's the main feature of grabify, apparently.
http://grabify.link/

jordanjay29

webeindustry Correct. Not exactly a security problem with Flarum but rather with allowing random internet services to exist.

If someone wanted to solve this, they could probably write an extension to ban the list of links grabify uses. But it would likely need constant updating to stay ahead of their list. The other thing to do could be to have a proxy visit the link, grab the right one, and replace the posted link with that, removing the grabify service and only sending the server's IP in its stead.

But any other service that does this same thing could be used instead. Or a homebrew service you host yourself.

Kyrne

User posted a goo.gl link that redirected to grabify, then to another site.

Here is the URL trace: (promise this isn't a grabify link)

Kyrne

jordanjay29 the proxy would work the best. Maybe route the images through the server, I don't mind my server ip getting out.

Davis

This is sort of a fundemental issue with forums. There's not much to do unless you go the GitHub route and transfer linked images to a self managed cdn, but such a extension hasn't been created and would probably cost more than its worth.

jordanjay29

Kyrne You'd probably want the kind of thing Davis was describing, because again you're still playing a cat and mouse game with grabify and other similar services. Better to kill all external images and host them yourself than to play with fire that way.

Davis

Kyrne I don't mind my server ip getting out.

Your server IP is always going to be publically available.

Kyrne

jordanjay29 how would I go about this?

0E800

There alot of other ways to include pixel trackers in the forum. You can prevent some by not using signature extension, only using imgur for image upload and not letting users post without first being approved.

If there was a whitelist extension that blanketed the whole forum, that would be super. Ie: no links load unless they are on the whitelist

Kyrne

0E800 I would love to force all img links to be imgur.

Davis

0E800 If there was a whitelist extension that blanketed the whole forum, that would be super. Ie: no links load unless they are on the whitelist

He said the URL was shorted with a google link, so good luck with that seeing as how many URL shorteners exist today.

Kyrne

Davis maybe an extension to force all images to be loaded via imgur, or blacklist domains

0E800

Yeah, that only works when users upload. Nothing is stopping anyone from entering bbcode to a pixel tracking link. You really aught to make an example of users trying hack other users by banning them.

Or posting the banned users ip and email address like small shop owners do with shoplifters caught on cam.

Kyrne

0E800 we need an IP ban options, but then some of us use cloudflare...

0E800

I also have the same probs. I want users to be able to post images and links but don't want them hacking other users .. especially with a infosec forum.

Kyrne

0E800 I'm mainly looking for a domain whitelist extension, only allow a few links to be posted.

clarkwinkelmann

Like I did in a few threads now, I'd suggest using CSP headers.

If you care about your users' security you should probably be using them anyway. It's just sadly not very integrated with Flarum yet.

Kulga

clarkwinkelmann Do CSP headers ensure only certain domains can show images on a forum?
I was under the impression CSP headers were being used to ensure https encryption.

While important in its own sense, it won't protect you from a malicious end-party, since https just protects the passage from point A to B.

Kyrne

clarkwinkelmann Thank you! I can confirm that this fixed my problem