How many major social media sites try to prevent this behavior? Facebook links expire[1]; but Reddit, Tumblr, and Twitter all generate seemingly permanent image links.
Also semi-related fun fact, I think most sites lack authorization checks when accessing images via direct URLs. A logged-out user can follow direct image links from private accounts/servers/subs on all these sites, including Discord. Not like that means much of anything security-wise (if you have the URL you likely had access to the image).
> A logged-out user can follow direct image links from private accounts/servers/subs on all these sites, including Discord. Not like that means much of anything security-wise (if you have the URL you likely had access to the image).
This is a concept I think about often. Tons of services use unguessable URLs for access control. A long time ago, I would've called it "security by obscurity", but it's become so normalized that I've come to mostly agree that it's sufficient, because users who give out the URL can generally perceive it as equivalent to giving out any other secret (such as a password). But on the other hand, using other HTTP headers instead of the URL (authorization headers, cookie headers, etc.) does have a rather major benefit: not typically being stored in logs as cleartext, which cannot generally be said for URLs. So if you run a service that uses URLs as secrets, and you don't keep those URLs in your logs, then it's pretty decent security, I think. Although if your logs fall into the hands of a bad actor, then the actual data probably did as well, so it's kind of moot.
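The point above about capability URLs ending up in logs is easy to check against real access logs. Below is an added example (not from any commenter) of a redaction step that strips secret-bearing path segments and query parameters from combined-format access log lines before they are written or shipped; the token-detection heuristic, the parameter names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names that commonly carry the capability secret (assumption).
SECRET_PARAMS = {"token", "key", "sig", "signature", "access_token"}
# Request line inside an Apache/nginx combined log entry: "GET /path HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>HTTP/[\d.]+)"')

def looks_like_token(segment: str) -> bool:
    """Heuristic: a long, dot-free alphanumeric path segment mixing letters and digits."""
    return (len(segment) >= 20 and "." not in segment
            and re.fullmatch(r"[A-Za-z0-9_-]+", segment) is not None
            and any(c.isdigit() for c in segment) and any(c.isalpha() for c in segment))

def redact_url(url: str) -> str:
    """Replace token-like path segments and secret query values with [REDACTED]."""
    parts = urlsplit(url)
    path = "/".join("[REDACTED]" if looks_like_token(seg) else seg
                    for seg in parts.path.split("/"))
    query = urlencode([(k, "[REDACTED]" if k.lower() in SECRET_PARAMS else v)
                       for k, v in parse_qsl(parts.query, keep_blank_values=True)],
                      safe="[]")
    return urlunsplit((parts.scheme, parts.netloc, path, query, parts.fragment))

def redact_log_line(line: str) -> str:
    """Redact only the request URL; the rest of the log entry is left untouched."""
    return REQUEST_RE.sub(
        lambda m: f'"{m.group("method")} {redact_url(m.group("url"))} {m.group("proto")}"',
        line)

# Constructed sample log lines: a capability path, a token query parameter, and a public asset.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /files/3fA9kLmQ2xZ8pR1vT7bN4cW6yH0jE5sU/photo.jpg HTTP/1.1" 200 51234',
    '203.0.113.8 - - [10/Oct/2023:13:55:40 +0000] "GET /share?token=9f8e7d6c5b4a39281706f5e4d3c2b1a0&id=42 HTTP/1.1" 200 77',
    '203.0.113.9 - - [10/Oct/2023:13:55:41 +0000] "GET /static/logo.png HTTP/1.1" 200 1200',
]

def redact_log(lines):
    return [redact_log_line(l) for l in lines]

if __name__ == "__main__":
    for line in redact_log(SAMPLE_LOG):
        print(line)
```

A secret sent in an Authorization or Cookie header never appears in the request line, so the same log format records nothing to redact for those requests.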
As of a few months ago, Reddit no longer allows linking directly to their hosted images. You are directed to a pseudo-page that links back to the original thread it was posted in.
This sucks because it's now not possible to use the browser's built-in image viewer which has better UX.
I am expecting them to eventually put ads on the page as well.
The majority were hidden for non-logged-in users (nowadays it seems they provide a blurred curtain); some were deleted with either copyright or content rule violations as the reasoning.
Telegram Web loads images over a websocket and shows them as blobs. This way it prevents users from copying the URL without knowing that it will stop working after 24h.
https://stackoverflow.com/questions/30477877/facebook-image-...