
Direct access to private images


Deleted member 90230

Guest
Hello, I would like to know if direct access to the images served by Chevereto via direct link can be blocked. If I create a private album, ideally I would like it to be accessible only when the owner of the album is logged in.

Thanks in advance
Mateusz Matlinski
 
Hi there,

Thanks for bringing this subject to my attention.

If I create a private album ideally I would like it to be accessible only when the owner of the album is logged in.
No, Chevereto won't implement any access control over the image files. It relies on other strategies for privacy.

For example, using random file naming plus a date folder structure will make any index attack on your content very futile; I mean, your firewall will note the activity. Also, you could set up external storage and use a different domain for the images. In the end, it relies on just hiding the access in plain sight.

For V4 I hope to implement an image server to provide the security layer that you are mentioning here.
 
For example, using random file naming plus date folders structure will make very futile any index attack on your content

The random name generation is good. Where it falls apart is with private (unlisted) albums.

Image is uploaded to private/unlisted and with random name selected the image url is set to https://domain.com/image/1.aQg

While the image itself has a huge URL, all you'd need to do is create a script to download any images located on that page and walla.

But the other private options appear to work well so that's the only option with this weakness.
 
and walla

@SimplyCorbett The URLs aren't sequential, meaning that it is futile to perform an index attack. Besides, the random functionality excludes private albums.

It's not that you only need to change a digit or increment something; each URL must be guessed. The only caveat is the length of the image id, which you could easily increase by setting a bigger ID padding (either change the table autoincrement or alter the hidden id_padding setting).
 
@SimplyCorbett The URLs aren't sequential, meaning that it is futile to perform an index attack. Besides, the random functionality excludes private albums.

It's not that you only need to change a digit or increment something; each URL must be guessed. The only caveat is the length of the image id, which you could easily increase by setting a bigger ID padding (either change the table autoincrement or alter the hidden id_padding setting).

I'm going to use nickpick.host as an example. I can replicate this on my own installation, but my URLs are three characters because of the lack of images.


The thing Chevereto installs have going for them is that they don't have anywhere near the images of imgur. But it's easy enough to whip up a script, have it parse the HTML header to see if the page is valid and then download any image above x resolution.

I haven't tried an indexing attack against Chevereto, but if the host is using a CDN setup and not rate limiting them, I'd imagine it would be successful.

Anyway as you pointed out by increasing the length of the id it more or less closes off that attack vector.
 
Or better, use a private password. It's basically the same as a token. It should be addressed that privacy options have levels, that there is a tradeoff.
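The thread's point is that guessing non-sequential image IDs mostly produces misses, which is exactly what a firewall or a rate limiter should notice (and what a CDN without rate limiting would let through). The following is an added example, not part of this thread or of Chevereto: it parses constructed access-log lines in the common "combined" format and flags clients that accumulate many 404s on /image/ paths inside a short window. Paths, IPs and timestamps are made up for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). 203.0.113.7 walks guessed
# /image/<id> paths and mostly misses; 198.51.100.9 behaves like a normal viewer.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /image/1.aQg HTTP/1.1" 200 51234 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /image/1.aQh HTTP/1.1" 404 1201 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /image/1.aQi HTTP/1.1" 404 1201 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /image/1.aQj HTTP/1.1" 404 1201 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /image/1.aQk HTTP/1.1" 404 1201 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:45 +0000] "GET /image/1.aQl HTTP/1.1" 404 1201 "-" "curl/8.0"
198.51.100.9 - - [10/Oct/2023:13:56:00 +0000] "GET /album/Xy7 HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /image/old1 HTTP/1.1" 404 1201 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:56:05 +0000] "GET /image/2.bRt HTTP/1.1" 200 40210 "-" "Mozilla/5.0"
"""

# client ip, bracketed timestamp, request line, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_access_log(text):
    """Return a list of (ip, timestamp, path, status) tuples; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, ts, _method, path, status = m.groups()
            events.append((ip, datetime.strptime(ts, TS_FMT), path, int(status)))
    return events


def flag_enumerators(events, window=timedelta(seconds=60), min_misses=4):
    """Map ip -> total /image/ 404s for clients that hit min_misses such 404s
    within any sliding window. A legitimate viewer follows links that exist,
    so a burst of misses on image URLs is the signature of guessing."""
    misses = defaultdict(list)
    for ip, ts, path, status in events:
        if path.startswith("/image/") and status == 404:
            misses[ip].append(ts)
    flagged = {}
    for ip, times in misses.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= min_misses:
                flagged[ip] = len(times)
                break
    return flagged
```

On a real host the same count is what a rate limit or fail2ban-style rule would key on; longer IDs (bigger id_padding) raise the number of misses per hit, which makes this signal stronger, not weaker.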
 