Hacker Read

kemayo · 2021-10-19 16:36:21

It is, but it's perhaps incompatible with uploading your private images to a cloud service.

ptero | karma 6205 | avg karma 4.46 · | 2024-06-07 13:28:13

On the contrary, it is for any images created with their software, whether you store those images in their cloud or at your own computer.

hk__2 | karma 6067 | avg karma 3.46 · | 2019-03-24 12:20:59+00:00

Yes; this is why the feature is the Cloudimage server, not the JS lib.

StavrosK | karma 1 | avg karma 0.0 · | 2019-11-25 16:01:09+00:00

This is true. I hint to it in the terms, but I didn't want to break character too much. Basically, I take precautions for both, but it's a one-man side-project, so caveat emptor. Also, images are obviously public (though unlisted), so it's not meant for sensitive data storage.

DrJokepu | karma 6672 | avg karma 3.91 · | 2010-09-29 13:33:54+00:00

How is that any different from being able to save the photo as a file and upload it to a free image hosting site? From a security point of view?

Since it can be easily circumvented anyway, disallowing sharing static photo URLs would be the real "pseudo security", in my opinion.

reply

mikebos | karma 87 | avg karma 0.99 · | 2021-09-21 01:24:16

Exactly this with for example cryptomator if you want ease of use. You can then upload the image to whatever cloud provider you want.

the_mitsuhiko | karma 13985 | avg karma 3.97 · | 2011-11-05 19:03:37

It would work on any service that allows you to share an image with one individual user.

userbinator | karma 78987 | avg karma 4.37 · | 2014-03-10 05:09:06+00:00

> If a user needs a dynamic image he can download it to his own machine and upload it.

Doesn't that somewhat defeat the purpose of a dynamic image?

reply

starikovs | karma 58 | avg karma 0.56 · | 2015-05-27 10:24:59+00:00

So, what? Everything is vulnerable.. You're not restricted by official images, just create your custom image that is not vulnerable ;)

charcircuit | karma 2002 | avg karma 0.38 · | 2023-04-28 11:16:06

This isn't about exposed credentials though. It would be like an autmatic image uploder that could pick an image hosting site such as imgur and upload the image for you and give you a link. Services are offering the ability to host images for you. You aren't stealing imgur's s3 credentials. They just let any user upload images for free despite the fact it technically costs them money to host the file for you. Similarly there are sites offering the ability to serve LLM requests for you for free.

dangrover | karma 3957 | avg karma 6.63 · | 2010-09-29 13:23:55+00:00

I think it's pretty safe as long as no one without the permissions can find (or guess/extrapolate) that URL. The images are probably just hosted by a CDN and serving up the files with authentication might slow it down or complicate the setup.

bertman | karma 3466 | avg karma 8.73 · | 2022-08-16 09:42:53

>Using a website on the other hand is like exchanging a few nice words

This is absolutely not true if you're supposed to upload (possibly private) images to some random server for e.g. background removal.

reply

fiatjaf | karma 3878 | avg karma 0.9 · | 2017-02-07 20:43:42+00:00

It can't be open like that "just use our URL" because it will bring many free-riders and shutdown your server.

But it also can't be a closed system with private keys and all that, because the hassle is too enormous -- the user will need a server to get the key for each image and so on.

I have the impression that all services of this kind suffer from the above dual-problem.

reply

SysArchitect | karma 155 | avg karma 2.04 · | 2016-09-30 22:42:14+00:00

Anyway to download the image for use in a private cloud?

dalore | karma 2372 | avg karma 1.92 · | 2014-05-16 05:25:47

For images, we used to do it ourselves but then moved to hosted images (cloudinary). Much better, and allows stateless web servers.

BerislavLopac | karma 29912 | avg karma 5.43 · | 2012-02-21 17:14:37+00:00

Well, if it's possible to upload own picture, perhaps it might make sense to cache images in the cloud, at least when hotlinking is disabled.

chatmasta | karma 18107 | avg karma 3.55 · | 2019-05-28 13:05:39

Many services allow uploading arbitrary images. This is certainly a threat they should mitigate against in their sandboxing strategies.

deltron3030 | karma 821 | avg karma 1.38 · | 2021-09-17 06:00:58

> It doesn't seem to have the same ability for you to give your users a way to upload their own images in a secure way?

This can be handled by a CMS. E.g. Media Cloud, a WordPress plugin that integrates with IMGIX.

reply

MasterScrat | karma 2429 | avg karma 3.88 · | 2013-01-12 13:53:49+00:00

Isn't there a risk for this service to be used as an image proxy? The analyzed images are rehosted on their S3...

dikei | karma 942 | avg karma 2.13 · | 2014-05-21 02:02:50+00:00

Of course it's not, but the method is the same, you append a different picture to the end and modify the original image header to point to it. The encoding or encryption is not relevant.