This is possible because Lemmy doesn't proxy external images but instead loads them directly. While not all that bad, this could be used for Spy pixels by nefarious posters and commenters.
Note, that the only thing that I willingly log is the "hit count" visible in the image, and I have no intention to misuse the data.
The best part is it also works on DMs, so it's trivial to get any persons IP address. Want an admins IP address? Just DM them a message with an embedded spy pixel.
I emailed the lemmy developers about this a few weeks ago since IMHO it's a pretty big security issue, no reply.
This is because librewolf reports itself as firefox for privacy, and vivaldi does the same thing with chrome. Their is no vivaldi string in their user agent.
Very interesting, I think I'll probably be using Tor for my Lemmy usage from now on, or at least a VPN since this does have the potential to be used maliciously in personal DDoS attacks.
Are you sure about that because I can open and view lemmy.world just fine in Tor, I think what they mean is federation between hidden services i.e. lemmyinstanceoniondomain.onion is blocked or just not implemented.
Right client, wrong operating system. It knows I'm using Leomard, but it thinks I'm on iOS. I suspect it doesn't handle architecture detection well on Apple Silicon machines.