An Image Tracker Experiment Revised.

I recently made a thread concerning what I call an "image tracker", and it seems perhaps I was a bit too bold in my presentation, this time I have not embedded my tracking image, so it's not possible I'm logging people.

My intention clearly is not to track people, I made this thread to point out how exceptionally easy it is for people to use a simple image to track people. Dynamic images like these are very common.

It would be as simple as pie for me to track people on ATS using these images if I wanted to. There's no way to tell if the dynamic image can track you. This is fairly common technical knowledge, and this is not a hoax.

I wouldn't have made this example application if I wanted to harvest data about members, so feel safe any data logged in my last thread is completely deleted. So now, lets discuss this rationally.

The reason people found this concerning is because simply loading my tracker image triggers a PHP script which generates the image and sends it back.

My tracker image then shows information such as your IP, Browser, OS, location etc. Obviously a real tracker image would just look like a normal image, as to avoid attention.

The point of real concern however, was that I could also tell the PHP script to save all this data to a database or file. In fact there was quite harsh skepticism surrounding this FACT.

By using the [ats] tag to embed it on an ATS thread, the referral URL also lets me see which page the person was on when they viewed the image. That means I've got their IP and the page they were looking at.

Basically, I can keep track of anyone who views my threads by embedding these images. My thread was obviously removed because I posted a simple image that had the ability to track people (no one would have known unless I told them).

Anyone could put these images in their signature or threads and there would be no way to tell if it's just a simple image, or if it's actually saving your information to a database every time you load it.

This is a problem with nearly all forums and many other websites that allow users to post images. So instead of blatantly ignoring this common information I think it deserves some consideration.

Link to dynamic tracking image (view at your own risk): www.imagetracker.co.cc...
**it will not log you, but there's no way for me to prove that**
**lots of websites log your visit anyway**
**if you don't trust me don't click the link**

I clicked on it ...

and it was dead accurate..

pretty cool...

in a sinister kind of way....

reply to post by WhizPhiz


So, now that we know they are there, what do we do about them? From what I understand, utilizing free proxy servers can be just as much a security risk, as not. Would you please give the readers alternatives, should they decide to investigate further?

reply to post by LadySkadi

So, now that we know they are there, what do we do about them?

You can't really do anything about them, that's what sucks. These images are used all over the internet, so unless you want to disable images all together, the risk will remain. These types of tracking images are commonly used in emails to detect when you open it and read it.

From what I understand, utilizing free proxy servers can be just as much a security risk, as not. Would you please give the readers alternatives, should they decide to investigate further?

Yes, proxies can be dangerous, and I wouldn't really recommend using them. The easiest way to avoid tracking via this method is to change your IP on a regular basis (you will still be logged obviously). That's a bit troublesome for some people though, and I'm sure their are other ways to hide/change your IP. All your locational data is drawn from your IP, but the browser and OS details aren't. Even I don't have a reasonable solution to this. Normal page scripts are easy to stop, but PHP is server side, you can't stop it.

reply to post by WhizPhiz


That resulting image says "Log time: 2011-04-03 01:19:30 PM [UTC]", but it's (was) 19:19 here in Portugal.

The city is also wrong, but all sites that try to find my location fail.

reply to post by ArMaP


I think the time is taken from the server. It's possible the server time is set incorrectly, I never paid much attention to it. BTW, is it possible to get this thread moved out of the off-topic forum, I wanted to keep it on the down low since a lot of people seemed to freak out last time, but now it seems to be getting virtually no response.

reply to post by WhizPhiz


The server answered "Sun, 03 Apr 2011 19:51:54 GMT", so I guess it must be something else.

And I think this is on the right forum, it's not a conspiracy, it's a technical thing.

reply to post by ArMaP

The server answered "Sun, 03 Apr 2011 19:51:54 GMT", so I guess it must be something else.

Oh, that's odd, I simply used date_default_timezone_set('UTC'); because I thought that would set the server time to UTC. Then I used date('Y-m-d h:i:s A').' [UTC]'; in order to get the date. I'm not quite sure what's wrong with that. It's obviously because I'm adding UTC to the string manually but the date function isn't giving me UTC time.

And I think this is on the right forum, it's not a conspiracy, it's a technical thing.

Fair enough point.

EDIT: I actually just looked at the time on the tracker image and it's correct for me. Odd.

reply to post by WhizPhiz


Are you in the same time zone as the server?

reply to post by ArMaP


Nope, I'm in Australia, the server is in the US some where.

reply to post by WhizPhiz


Another ATSer used to have this link on their siggy line.

IP Banner

This one doesn't require you to open anything or save anything, it just shows your IP address, and a little info. I thought it was pretty cool!

I want to add something here.

Firstly, Whiz, you got me I honestly thought the images on here would have resolved to ATS and not the machine viewing them. SO in that you are owed an apology from me.

However, unless you were to specifically target people in U2U, you would never be able to put an IP to a username. Unless you were very lucky and they posted to reveal who it was that was actually viewing.

So in a large thread you'd receive dozens of not more IP addresses.

While this can be in and of itself negative for the overall members, it is only with a singled out individual can you retrieve the IP in conjunction with the user.

For those thinking the details you see linked in the Image are nifty - there are many services that you can use in order to get information about an IP - and as Armap stated, not all of it is accurate.

I'm sure Whiz coded his however, and knowing the method he uses, I know it is indeed possible.

Infact, you wouldn't even be aware of it should someone use a transparent 1x1 pixel image in their signature.

The signature is not revealed in code should someone quote the reply. So you'd never know your IP was sent by merely looking at a thread let alone they had an image that was invisible.

Again Whiz, my apologies for my misconception. You were half right, but had you not U2U'd me, you'd still never have been able to prove to me as you did

I take that as a lesson learned - hello constant proxy !!

lol

reply to post by badw0lf

Firstly, Whiz, you got me I honestly thought the images on here would have resolved to ATS and not the machine viewing them. SO in that you are owed an apology from me.

Thank you for being able to apologize and correct yourself. You just went back into my good books. Another lesson you might want to take from this, is to remain cool headed until you absolutely know you are correct.

However, unless you were to specifically target people in U2U, you would never be able to put an IP to a username. Unless you were very lucky and they posted to reveal who it was that was actually viewing.

Yes, that is something I can't do, I can't actually connect IP's to ATS usernames. I have thought of ways it might be possible, but it seems unlikely.