Disabling Media autoplay doesn't stop static images. Allows for tracking pixels and exposing other users' IP addresses.
expected
nu11value Resident
Create 3 prims. On each prim select the top face and in Texture/Media set homepage url to these urls in each prim respectively. Keep Auto play media and Auto scale media checked.
Urls:
Any url to a youtube video.
https://github.com/IouSASTU/MP3/raw/main/nono_square_alert.mp3 <-- link to a mp3 file
https://pastepixel.com/image/QCHnqZeEYp7eFQbB6h2f.png <-- static image that is a tracking pixel.
(When trying to reproduce this, you'll need to supply your own tracking pixel url - this url is disabled but was used to test)
Go into preferences - sound and media - set Media auto-play to disabled
Take all 3 prims into inventory and then drag each out of inventory to the ground.
With media auto-play set to disabled, the prim set to a youtube link will do nothing, the prim with the mp3 url will also do nothing, but the last prim with the url to a static image will play. It will display the tracking pixel on the configured face.
A user trying not to expose their IP address normally can set Media auto-play to disabled. This will prevent your IP being discovered by streaming media where the owner of the media has access to the server streaming the media and looking at the connection logs. This setting allows users to decide when they are okay to expose their IP address - example at a music event they trust.
However, since the static image still loads, it means rezzing a prim configured with a tracking pixel into a region in MOAP, will result in all users in the region connecting to the tracking pixel server. Owner of the tracking pixel can then gather IP address and system information from everyone in the region regardless of their Media autoplay setting.
Example:
Date 01:14 PM 8/12/2024
IP-address 77.64.254.245
User-agent Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) (Dullahan:1.12.4.202209142021 [64bit] - SecondLife/6.6.17.70368 (Firestorm-Releasex64; firestorm skin)) Chrome/91.0.4472.114 [64bit] Safari/537.36
Device Browser: Chrome (91.0.4472.114) - OS: Windows (8) - Device: Unknown
Location Germany (DE)
Testing this, the targeted users have shown up in the tracking pixel console regardless of viewer. This includes the official viewer running on Windows. Test users disabled media autoplay in their respective viewers.
If this is a bug with the Media autoplay setting please could this setting treat any url the same - static images don't load as video and mp3 don't load when Media Autoplay is disabled.
Atlas Linden
expected
Whirly Fizzle
nu11value Resident
Final update:
Created another tracking pixel on Paste Pixel. This time I paid more attention to timing. I created a new prim, and configured the url in Texture/media on the top face of the prim. Checked the Paste Pixel console - confirmed it logged connections. Took the prim into inventory. Dragged it to the ground. Checked the console and did not get any new logged connections.
Media autoplay = disabled does not apply when you're creating the prim. You'll do a connection as it previews the url in the edit menu. Then when you close the edit menu, I think it creates a second connection as in my log for this new pixel I created for this test I see multiple connections that all occurred during the time I was creating the prim. All these connections are my own IP as I'd expect.
So at least now I cannot reproduce the MOAP autoplaying on rez with Media autoplay set to disabled.
I had created several tracking pixels over time to test this, and they are full of connection logs. For my own IP in those logs, I'm now thinking these are connections created during the creation of the prim as I saw in my last test. For the IP entries of other people, I'm now not confident that when I asked the other users to confirm if they had Media autoplay disabled, that it was actually disabled for the test.
I appreciate everyone who took time to consider the issue I was presenting. I did do this in good faith, but I now see I made mistakes testing this and came to the wrong conclusion about what was happening.
LL I think this Canny can be closed.
Atlas Linden
nu11value Resident: Thanks for looking further into this!
We also experienced this behaviour you've described above and as such this report will be closed as Expected.
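The final update above turns on timing: connections logged while the prim was being edited are the tester's own media preview, and hits from other people only count if their autoplay setting was actually verified. As an added example (not part of the original thread and not Linden Lab or Paste Pixel code), the sketch below sorts logged hits into those buckets and recognises the viewer's embedded browser from the user-agent format quoted in the report. The function names, the time windows and the sample hits are constructed for illustration, and the IPs come from documentation ranges.

```python
import re
from datetime import datetime, timedelta

# User-agent copied from the report; everything else below is constructed.
UA = ("Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
      "(Dullahan:1.12.4.202209142021 [64bit] - SecondLife/6.6.17.70368 "
      "(Firestorm-Releasex64; firestorm skin)) Chrome/91.0.4472.114 [64bit] Safari/537.36")
VIEWER_UA = re.compile(r"\(Dullahan:(?P<dullahan>[\d.]+).*? - SecondLife/"
                       r"(?P<viewer>[\d.]+) \((?P<channel>[^;]+);")

def parse_viewer(ua):
    """Return embedded-browser details if the hit came from a viewer, else None."""
    m = VIEWER_UA.search(ua)
    return m.groupdict() if m else None

def classify(hit, tester_ip, edit_start, edit_end, rez_time,
             grace=timedelta(seconds=30)):
    t = datetime.fromisoformat(hit["time"])
    if parse_viewer(hit["ua"]) is None:
        return "not-viewer"        # e.g. a desktop browser opening the pixel URL
    if hit["ip"] == tester_ip and edit_start <= t <= edit_end + grace:
        return "own-edit-preview"  # preview while the edit menu was open or closing
    if t < rez_time:
        return "pre-rez"           # cannot be evidence about autoplay on rez
    return "post-rez-own" if hit["ip"] == tester_ip else "post-rez-unverified"

def reproduces(hits, **windows):
    """Only a post-rez fetch from the tester's own viewer, whose setting is known
    to be disabled, counts as evidence that autoplay was bypassed."""
    labels = [classify(h, **windows) for h in hits]
    return "post-rez-own" in labels, labels

# Constructed test session: edit menu open 13:05-13:10:30, prim rezzed at 13:15.
WINDOWS = dict(tester_ip="203.0.113.10",
               edit_start=datetime(2024, 1, 1, 13, 5),
               edit_end=datetime(2024, 1, 1, 13, 10, 30),
               rez_time=datetime(2024, 1, 1, 13, 15))
HITS = [
    {"time": "2024-01-01T13:10:05", "ip": "203.0.113.10", "ua": UA},
    {"time": "2024-01-01T13:10:40", "ip": "203.0.113.10", "ua": UA},
    {"time": "2024-01-01T13:12:00", "ip": "198.51.100.7", "ua": UA},
    {"time": "2024-01-01T13:16:10", "ip": "198.51.100.7", "ua": UA},
    {"time": "2024-01-01T13:16:30", "ip": "203.0.113.10",
     "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"},
]

if __name__ == "__main__":
    print(reproduces(HITS, **WINDOWS))
```

With this session the result is "not reproduced": the tester's two hits fall inside the edit window, and the one post-rez hit comes from a viewer whose setting was never confirmed.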
nu11value Resident
Because I thought this information was sensitive, I submitted this as a support ticket - #2238655. I was told I should submit this to security@lindenlab.com.
The response I got from security was this was the normal behaviour for MOAP and this setting. I am not sure if it was not understood that Media autoplay was disabled and the url to the static image tracking pixel was still autoplayed. But I took the response to mean this was not considered a security issue.
So, I am submitting it as a bug as this may not be the intended behaviour for when Media autoplay is disabled with regards to a url pointing to a static image - such as a tracking pixel. I think this represents a security issue for users who may think all media coming from external servers is blocked by disabling Media autoplay.
Expected behaviour: When setting Media auto play to disabled, any form of media that is referenced in the url setting in texture / media settings will be disabled from loading on rez. The behaviour that already exists if the url points to a youtube video or mp3 file.