跪拜 Guibai
← All articles
Backend · Frontend · Hacking

External Image URLs as Avatars Are a Wiretap on Every Visitor

By AsherJ ·
Read original on juejin.cn ↗ Google Translate ↗ Alt translation

A single user-submitted external URL turns every page view into a privacy leak and every server-side fetch into a potential SSRF pivot. The Capital One breach and GitHub's 2017 SVG XSS fix show these are not theoretical; the attack surface closes only when the platform rehosts the image itself.

Summary

An external avatar URL is an HTTP request the browser must make, and the remote server can log the visitor's IP, User-Agent, and Referer on every page load. That tracking pixel is the mildest risk. The same URL can return a 10 MB payload to burn mobile data, stall the connection pool with an 8-second delay, or swap a normal photo for gore or propaganda overnight.

On the server side, fetching a user-supplied URL to cache or thumbnail the image opens a direct SSRF vector. A 302 redirect to 169.254.169.254 can hand over AWS metadata credentials, the same pattern that cost Capital One $80 million in 2019. SVG files add another layer: they pass as images but execute scripts when loaded through <object>, <iframe>, or an inline renderer, turning any preview or admin panel into an XSS entry point.

The only durable fix is server-side download, IP validation, magic-number check, decode-and-redraw, and rehosting on a CDN you control. Every major platform from GitHub to WeChat already does this; forums that still accept raw external URLs are running the full set of risks live.

Takeaways
Every <img> tag to an external URL leaks the visitor's IP, User-Agent, and Referer to the image host, enabling cross-page behavioral tracking.
An attacker can swap the image content at any time without changing the URL, bypassing any frontend-only moderation.
Chrome, Firefox, and Safari have blocked cross-origin subresource Basic Auth popups since 2018, but the underlying CVE-2017-15400 shows how close this came to a universal phishing primitive.
Server-side avatar fetching without redirect and IP validation is an SSRF vulnerability; hitting AWS 169.254.169.254 or GCP metadata endpoints exposes cloud credentials.
Slow responses and oversized payloads from external image URLs can exhaust browser connection pools or backend thread pools, degrading service for all users.
SVG files are XML documents that execute JavaScript when loaded via <object>, <iframe>, or inline rendering, even though <img> sandboxes them safely.
GitHub's 2017 emergency patch blocked SVG XSS in README files after attackers embedded <foreignObject> to run full HTML and scripts.
The only complete defense is server-side download, protocol and IP whitelisting, magic-number validation, decode-and-redraw, and rehosting on a first-party CDN.
Conclusions

Browser vendors have been forced to patch around the external-URL problem piecemeal — blocking Basic Auth on subresources, enforcing nosniff on images — but the fundamental IP leak is unfixable because it is baked into TCP/IP.

The SVG XSS vector is especially dangerous because it survives a naive server-side 'download and save' step; the file looks valid and renders safely in an <img> tag, only to execute when any other render path touches it.

Capital One's $80 million fine makes SSRF via user-supplied URLs one of the most expensive bug classes in web history, yet many applications still fetch avatar URLs without validating the resolved IP.

The gap between frontend-only mitigations (referrerpolicy, crossorigin, CSP) and a full rehosting pipeline is the difference between feeling safe and actually removing the attacker's server from the request path.

Concepts & terms
Tracking Pixel
A 1x1 transparent image hosted on an attacker-controlled server. When the browser loads it, the server logs the visitor's IP, User-Agent, Referer, and timestamp, enabling cross-page behavioral tracking.
SSRF (Server-Side Request Forgery)
An attack where the server fetches a URL supplied by the user. If the URL points to internal infrastructure (localhost, cloud metadata endpoints, internal admin panels), the attacker can read sensitive data or execute commands that are normally inaccessible from outside.
Magic Number Validation
Checking the first few bytes of a file against known signatures (e.g., FF D8 FF for JPEG) to confirm the actual file type, rather than trusting the Content-Type header or file extension.
SVG XSS
SVG files are XML documents that can contain <script> tags. When loaded via <object>, <iframe>, or inline embedding, the JavaScript executes in the page's origin, enabling cookie theft, keylogging, and DOM manipulation.
Decompression Bomb
A small compressed file (e.g., a 1 KB GIF) that expands to gigabytes of pixel data when decoded, exhausting server memory and causing an out-of-memory crash.
Source: juejin.cn ↗ Google Translate ↗ Backup ↗