if such high profile users are doxxed. The folks at GA and PG immediately come to my mind, since those subverses are most heavily shilled. If the real IPs of the researchers from the two subverses were obtained, people with resources would be able to identify those users' locations, which would lead to their real identities
SearchVoatBot ago
This submission was linked from this v/whatever submission by @Delacourt.
Posted automatically (#46640) by the SearchVoat.co Cross-Link Bot. You can suppress these notifications by appending a forward-slash(/) to your Voat link. More information here.
GrandNagus ago
Imagine using custom CSS, all it does is clutter shit and move buttons for no fucking reason.
Durm ago
The CSS cries out as it strikes you
Cincosiber ago
I've turned off show custom css in my voat options.
I am happy with the default night mode theme. Voat isn't ugly. Sounds like a doofus option to me. Has custom css ever been useful to anyone?
Tzitzimitl ago
SRS on reddit loves it, because they can do all sorts of neat shit with it, like making the downvote button give a comment an upvote and vice versa
expose ago
thanks bud guessing voat too so i turned it off everyone should
Dismember ago
It's been used here to fake usernames as well. One of the shitposting subs had their names swapped to the names of all the PV mods to make it look like we were posting porn at one time.
WORF_MOTORBOATS_TROI ago
Does this mean that I can claim to have superior opsec because I always turn off custom css?
GrandNagus ago
I like my UI the same everywhere I go, fucking custom CSS is the worst, it only serves to clutter.
WORF_MOTORBOATS_TROI ago
Yeah but what if all your upvotes were nagus_staff but your downvotes were scared_quark.png? It would be so lulzy!
GrandNagus ago
Haha so true! xD
Questionable_1 ago
This guy practices tight comsec ⤴⤴⤴ does this track all users of said sub? Because I don't want gmail knowing about my voat usage
Dismember ago
Do you trust Google NOT to cross reference your IP calls to their servers? I don't.
glassuser ago
You don't have that domain blocked on your devices and networks?
7e62ce85 ago
If you do not use VPN or TOR and think you can be anonymous online you belong in the short bus.
Maybe at most your boss and the local mayor won't know what you are doing with a little care, but everyone else above will be tracking you.
Broc_Lia ago
Ok, I can confirm that this is active in typogra and cashmere styles which are on all the subs I mod (only one is really active I think). What's the fix?
absurdlyobfuscated ago
Yes, delete this part to fix it:
@import url("https://fonts.googleapis.com/css?family=Roboto:400,400italic,500,700,700italic");
Up to and including the semicolon.
Dismember ago
@clamhurt_legbeard
Broc_Lia ago
Grand so, easy fix.
sbt2160p ago
Thank you
MrPim ago
Turn off custom CSS you retarded fucks.
expose ago
thanks bud turned it off in manage settings.
sguevar ago
Done since the first time I joined Voat.
VicariousJambi ago
I disabled it my first day, I forgot you could even have a custom css
absurdlyobfuscated ago
Yeah seriously. You can link to any site via font and image URLs with custom CSS, and the owner of that server can theoretically track you. I have no idea what kind of tracking Google might actually do on its googleapis.com server, but a malicious person who wants to get your IP can definitely do so by getting you to click a link to their subverse if you have custom CSS enabled.
@PuttItOut Have you done any work towards preventing this kind of abuse with custom CSS? By strictly preventing all links in CSS, or possibly by whitelisting certain trustworthy domains? I know reddit implemented something to prevent this, along with their own mechanism for uploading custom graphics that you could reference instead, but most of that became obsolete with their new version since it had a lot of built-in options for customizing the appearance instead of using CSS. I wouldn't expect anything that elaborate for voat, but a simple link filter or whitelist would solve the problem.
Will the (currently disabled) packages feature replace custom CSS? Seems like it might based on the "new" and "old" in the links. If so, you're probably already on it.
progressbin ago
A sanitizer that cached public domain sources, and blocked others would be good. I will write it if @PuttItOut wants. I have 14 years of C# web development including core MVC, and I have already been over the core version of his codebase.
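The link filter or allowlist suggested in the comments above could work along these lines. This is an added example, not part of the thread and not Voat's code; `SITE_BASE`, `ALLOWED_HOSTS`, the function names and the sample stylesheet are assumptions.

```javascript
// Added example, not Voat's code: flag stylesheet references that leave the site.
const SITE_BASE = "https://voat.co/";        // relative URLs resolve against the site
const ALLOWED_HOSTS = new Set(["voat.co"]);  // hypothetical allowlist

// Undo CSS escapes so a spelling like "u\72l(" cannot hide a url() from the scan.
function decodeCssEscapes(css) {
  return css.replace(/\\([0-9a-f]{1,6})\s?|\\([\s\S])/gi, (m, hex, ch) => {
    if (!hex) return ch === "\n" ? "" : ch;  // backslash-newline is a continuation
    const cp = parseInt(hex, 16);
    return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : "\ufffd";
  });
}

// Regex scan (not a full CSS tokenizer). Comments are scanned too, which can only
// over-report. Bare strings inside image-set() are not covered.
function findRefs(css) {
  const text = decodeCssEscapes(css);
  const patterns = [
    /url\(\s*(["']?)([^"')]*)\1\s*\)/gi,                  // url(x), url("x"), url('x')
    /@import(?:\s|\/\*[\s\S]*?\*\/)*(["'])([^"']*)\1/gi,  // @import "x"
  ];
  return patterns.flatMap((re) => [...text.matchAll(re)].map((m) => m[2].trim()));
}

// Returns { ok, blocked }: blocked lists every host outside the allowlist.
function auditStylesheet(css) {
  const blocked = new Set();
  for (const ref of findRefs(css)) {
    let u;
    try { u = new URL(ref, SITE_BASE); } catch { blocked.add(ref); continue; }
    if (u.protocol === "data:") continue;    // inline data, no request is made
    if (!ALLOWED_HOSTS.has(u.hostname)) blocked.add(u.hostname || ref);
  }
  return { ok: blocked.size === 0, blocked: [...blocked].sort() };
}

// Constructed sample; the first rule is the @import quoted earlier in the thread.
const SAMPLE = `
@import url("https://fonts.googleapis.com/css?family=Roboto:400,400italic,500,700,700italic");
body { background: url(//i.imgur.com/EXAMPLE.png); font-family: Roboto; }
.logo { background: u\\72l('https://tracker.example/p.gif'); }
.icon { background: url(/images/icon.png); }
`;

console.log(auditStylesheet(SAMPLE));
```

Rejecting the whole stylesheet when `ok` is false is simpler to get right than rewriting it, since a missed reference in a rewritten sheet still reaches the reader's browser.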
progressbin ago
Thank you! Also a good ProtectVoat PSA.
Dismember ago
Seems like a good flair for this sub to have.
MrPim ago
BUT MAH PRETTAH PITURS
Vladimir_Komarov ago
looking at you v/soapdoxbanhammer
MadWorld ago
This is totally a legit concern. In addition to your IP address, your Voat's timestamp can now be used to make an educated guess of your Voat's username.
Relevant submission: https://voat.co/v/ProtectVoat/3001782/16431060
expose ago
holy shit incredible work you did a sick job man you're my new favorite poster how'd you do that?
offender ago
And voat has a few exploits that are still unpatched.
expose ago
how to protect myself? i got shills on my back and don't want a virus.
offender ago
Use noscript and you'll be better protected.
Dismember ago
The line about pizzagate and greatawakening might be even more relevant now considering recent events.
@HeyGeorge @clamhurt_legbeard do you see anything that might be a problem in those two subs CSS?
heygeorge ago
No, there is no google nor any outbound links in the PG subverse CSS. GA definitely has some of that junk.
Dismember ago
@vindicator just a fyi ping but your sub seems ok
Vindicator ago
Thank you. @Crensch see parent. You might want to make sure the CSS is okay in GA...not sure which goats helped srayzie put that together.
Crensch ago
I don't see a difference between letting google know and letting imgur or whatever imagehost know these things. If you want CSS on, you're kinda opening yourself up to that either way. If I removed that I might as well remove all the image CSS of GA and I don't think anyone on the sub really wants that.
Maybe @MadWorld or @progressbin or @clamhurt_legbeard could weigh in?
clamhurt_legbeard ago
His whole ing reminds me of the "zomg sbbh is doxxing ips via css!!" bs from a couple years ago.
If I'm looking at it right, the google thing just does a certain font. We can change fonts without issue. Is there anything else the google link even does?
Dismember ago
https://voat.co/v/greatawakening/stylesheet?minimized=false
https://voat.co/v/pizzagatestylesheet?minimized=false
Someone also found adding
?minimized=false
to the stylesheet makes things a lot easier to read. Maybe throw that link somewhere easy to remember.
Vindicator ago
I'd love to, if I had the slightest clue what it meant, LOL.
Dismember ago
Yea, well that makes two of us. All I know is adding that bit at the end changes a mess into something readable.
Dismember ago
Thanks. Do you remember how to link to a sub's CSS btw?
I still haven't forgiven you for posting my picture on your sub the other day either.
heygeorge ago
I reported it to admin as dox, I’m sure they’ll get around to removing it and permabanning me as soon as time permits.
I reported it to admin for dox, I suppose they will get around to it in time.
https://voat.co/v/pizzagate/stylesheet
https://voat.co/v/greatawakening/stylesheet
Dismember ago
FuzzyWords once posted a link with something like &min=css at the end which was like some kind of word wrap for the stylesheet. The internet isn't helping me out either. I had it saved on my old account but I'm locked out of that.
clamhurt_legbeard ago
I fucking hope not, I'm designer on GA, but I didn't make the original. I came later.
Lemmie see...
Yup, it has Google.
u/progressbin what do you suggest instead?
Vindicator ago
Interesting. I wonder who helped srayzie with that code?
argosciv ago
o_o
It sure as shit wasn't me.
I don't know for certain if that particular link would record IPs, but, being wary as a default position is warranted.
Now...
Who did make the change which imported the font from google?
Was it you, @clamhurt_legbeard? Be honest, mate. (not an assumption to the worst, genuinely asking you to be forthcoming)
clamhurt_legbeard ago
Nah. It was copypasted in from another sub before I was even designer. It had a full CSS, but I was brought in to make tweaks like "this color is dark, can you change it to this bright blue?"
Dismember ago
https://voat.co/v/ProtectVoat/3265369/19064427
These two styles were shipped around by some CSS people when Voat started and reused and altered over time so I think the googleapis link comes from there. Whoever made GA probably just copy/pasted it from a more popular sub and wasn't aware. So I doubt very much it's been a deliberate change by anyone.
argosciv ago
At best it's a fuck up due to naivete. I'm willing to accept that as the case; shit happens, thankfully, @Crensch is making changes as per best practice.
Best practice being: no google, no imgur, etc.
Dismember ago
@MolochHunter @bopper just so you are aware ^
there might be some type of solution in the thread here.
MolochHunter ago
thx fella, taken under advisement
Dismember ago
Np. Just read the rest of the comments because there's probably a lot of people weighed in on this now and they might have it sorted. I won't get time to read it all today.
Dismember ago
Thanks btw.
clamhurt_legbeard ago
yw
Dismember ago
@kevdude
ParsedOutput ago
And cross reference this ip to get the history they have on it/you. If you have youtube/google account, the kikes know that you frequent here.