Postmill Deanonymization Attack concept. (you have nothing to worry about, just something i thought about)

Submitted by twovests in just_crime

Postmill works great without JavaScript, but there are some comfort features. One is the Markdown preview on posts and comments, which renders Markdown for you live as you type.

But there is one problem: The Markdown renderer can be used to identify users across Postmill instances. How?

  1. The Markdown renderer actually sends your text to the server to be rendered, and it is returned to you as HTML, which is added to the preview using JavaScript.
  2. Text is sent when you stop typing for about half a second.
  3. Anything you type, even if deleted, is seen by the server.

The main concern is number 2. The server gets a pretty rich idea of how fast you type, how much you delete text, etc. This is information rich and, on top of text stylometry, provides enough bits to uniquely identify you among Postmill users. So, even though Postmill is open source, a server could run a modified version that records a user's typing, for malicious reasons. You can't verify the code on the server is the same as that running in the source.

There's zillions of other attacks that use this kind of information to uniquely identify supposedly "anonymous" people.

Number 3 is a bonus, in case you ever accidentally type your SSN into jstpst. (I know I do, just for fun, and to show the admins I trust them.)

But, to be clear, you don't have anything to worry about.

  1. If you're on jstpst, you presumably trust the developer Emma, and the admins of jstpst. (I really do!)
  2. Your browser supplies plenty more information that would de-anonymize you. (Headers, IP address, plus the time of day you're posting.) So...
  3. Someone who would be deanonymized by this attack would be someone who accesses a compromised or malicious Postmill via Tor (or other means to hide their identifying bits) but doesn't disable JavaScript. Who would that even be?

If you are someone who makes serious efforts to access Postmills anonymously, I'd recommend disabling JavaScript. And if a random "radical leftist" approaches you on the internet, talking about committing violence with the same enthusiasm as Clippy and pointing to their cool new Postmill instance or Discord, then you should be suspicious.
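
Added example (not part of the original post, and not Postmill's code): a generic debounced preview replayed on a virtual clock, showing which drafts and send times a server-side renderer would receive compared with a renderer that runs in the browser. The 500 ms delay follows the post's "about half a second"; the function names and the keystroke sample are constructed for illustration.

```javascript
// Added illustration: a generic debounced preview, NOT Postmill's code.
// DEBOUNCE_MS follows the post's "about half a second"; the rest is assumed.
const DEBOUNCE_MS = 500;

// Replay keystrokes on a virtual clock and return every request body a
// server-side preview endpoint would receive, with the time it was sent.
function serverView(keystrokes, debounceMs = DEBOUNCE_MS) {
  const requests = [];
  let text = "";
  keystrokes.forEach((k, i) => {
    text = k.key === "Backspace" ? text.slice(0, -1) : text + k.key;
    const next = keystrokes[i + 1];
    // The debounce timer fires only if no further key arrives in time.
    if (!next || next.t - k.t >= debounceMs) {
      requests.push({ sentAt: k.t + debounceMs, body: text });
    }
  });
  return { requests, finalText: text };
}

// A renderer running in the browser sends nothing until the user submits.
function clientSideView(keystrokes) {
  return { requests: [], finalText: serverView(keystrokes).finalText };
}

// Drafts the server received that are not a prefix of the posted text,
// i.e. content the user typed and then deleted.
function leakedDrafts(view) {
  return view.requests
    .map((r) => r.body)
    .filter((body) => !view.finalText.startsWith(body));
}

// Constructed sample: type "hi 123", pause, delete "123", then type "all".
function type(str, start, gap) {
  return [...str].map((key, i) => ({ t: start + i * gap, key }));
}
const SAMPLE = [
  ...type("hi 123", 0, 120), // keys at t = 0..600 ms
  ...[1400, 1500, 1600].map((t) => ({ t, key: "Backspace" })),
  ...type("all", 1700, 150), // keys at t = 1700..2000 ms
];

console.log(serverView(SAMPLE).requests, leakedDrafts(serverView(SAMPLE)));
```

The `sentAt` values are the timing signal the post calls the main concern, and `leakedDrafts` is its point 3: the deleted draft reaches the server even though it never appears in the submitted text.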




emma wrote (edited)

those other instances would also have to run versions of postmill released prior to february 2020

also i have to conclude no one is reading the intermediate markdown being sent to the server, as i have yet to be banned for my discarded aviation joke about 'airbussy'


twovests wrote (edited)

Oh that makes sense!! So even this extremely minor attack is not generally exploitable. Good to know c: