6 upvotes, 1 direct replies (showing 1)
View submission: An Update Regarding Reddit’s API
They haven’t permanently changed the API yet (as they mentioned, it goes live in June), but they did test their code for handling “client requests image using direct / “bare” image asset URL”.
On production, web-facing systems.
Then they reverted the change.
(I noticed because a big chunk of the wikis and AutoMod messaging I have set up for my subreddits use direct / “bare” image asset URLs. The other workaround was sticking large infographics into a CSS spritesheet and hoping Reddit never changed the canon file name and path)
Once they put the code changes *back* into production, a third party client which is OAuth’d to the servers will be able to ask for the JSON listing of a post containing a photo gallery. It can then read that JSON listing and find the photo URLs provided there and ask for those photos. It then gets those photos and can display those photos.
If someone else (a different client) asks for those photos using the URLs provided to the first client, **and they’re photos that were in a NSFW post or NSFW gallery or were flagged as NSFW**, instead of the photos, they get a “If you were looking for an image, it was probably deleted” thumbnail. Because it’s a NSFW image and they haven’t proven to Reddit that they are legitimately accessing it.
Until they legitimately request the JSON listing of a post containing that gallery, and get their own URLs.
If someone who isn’t authenticated to the website asks for those photos using those URLs, or the canonical bare URL as described in my comment above, they get a “If you were looking for an image, it was probably deleted” thumbnail. Because it’s a NSFW image and they haven’t proven to Reddit that they are legitimately accessing it.
If the photo *isn’t* flagged as NSFW, then anyone who asks for the bare image URL as described in my comment above is likely to still get the image - either unchanged or with an “originally posted to r/blahblahblah on Reddit” watermark or overlay on it, depending on what they hammer out as the best case. Saving images on the iOS app already applies this kind of overlay.
The entire point of all of this being, that *people who put their photos on Reddit* and who do so *with some expectation of privacy* be able to do so and have that privacy *maintained* —
Even if someone else in a community works hard to violate that privacy.
Even if their browser session gets hijacked by malware.
Even if the person that makes their third party Android app is an unscrupulous slimeball who gets his jollies mirroring all the photo URLs off to an anonymous proxy and retrieving them at a later date, then leaking them onto the dark web.
Even if their government breaks their HTTPS session keys or raids their browser cache at a mandatory airport device search, and tries to snort through their social media by pulling it all down off Reddit to another system.
Even if someone brute-forces or stumbles into the “bare” image URL.
Comment by [deleted] at 19/04/2023 at 04:28 UTC
1 upvotes, 1 direct replies
Have you considered the impact this may have on Pushshift? I know you use that service regularly and based on the feedback in that subreddit, Pushshift will be shut down.
https://www.reddit.com/r/pushshift/comments/12r04q9/an_update_regarding_reddits_api/?context=8