[HN Gopher] You can't download this image
___________________________________________________________________
You can't download this image
Author : calmingsolitude
Score : 111 points
Date : 2021-11-27 09:30 UTC (13 hours ago)
(HTM) web link (youcantdownloadthisimage.online)
(TXT) w3m dump (youcantdownloadthisimage.online)
| sys_64738 wrote:
| There's a multitude of ways to work around this hack. You can
| easily grab the screen area via the OS if need be. Seems
| pointless to try to restrict access if it's viewable in a
| browser.
| thih9 wrote:
| Somehow right clicking + saving worked fine on Safari (desktop).
| I tried it a couple of times and it worked in all cases;
| sometimes it took a second, sometimes more. Perhaps the server
| dropped the connection?
| [deleted]
| huhtenberg wrote:
| https://youcantdownloadthisimage.online/lisa.jpg... and?
| mmmeff wrote:
| Try reading
| [deleted]
| dobladov wrote:
| curl --max-time 1 https://youcantdownloadthisimage.online/lisa.jpg > lisa.jpg
| shrx wrote:
| Results in an empty file.
| dobladov wrote:
| Increase the time a bit, it looks like sometimes it takes
| more time to download:
|
| curl --max-time 2 https://youcantdownloadthisimage.online/lisa.jpg > lisa.jpg
| shrx wrote:
| Nevermind, looks like MobaXterm shell provides a non-
| standard curl implementation:
|
| $ which curl
|
| curl: aliased to _tob curl
|
| After installing curl with apt-get it works.
| hdjjhhvvhga wrote:
| I hate it when people do that. You can wonder for hours
| why something obvious doesn't work as it should and in
| the end discover someone decided to implement something
| substandard, often for no good reason.
| ducktective wrote:
| that's every distro and *nix derivation
| judge2020 wrote:
| And powershell!
| hdjjhhvvhga wrote:
| Well, Windows too. I recently had to set up something
| simple on a Windows 10 machine, I quickly checked by tab-
| completion if a python binary is available so I copied my
| setup script only to discover someone smart decided to
| redirect the binary to the Windows Store. Yes, I know the
| rationale behind this, but still. Just like hijacking
| nxdomain.
| post-it wrote:
| _Especially_ curl.
| https://daniel.haxx.se/blog/2021/05/20/i-could-rewrite-curl/
| styluss wrote:
| Add -N, --no-buffer Disables the buffering of the output
| stream. In normal work situations, curl will use a standard
| buffered output stream that will have the effect that it will
| output the data in chunks, not necessarily exactly when the
| data arrives. Using this option will disable that buffering.
|
| and it works
| worldofmatthew wrote:
| Copy and paste works fine.
| ravenstine wrote:
| There's another way to achieve this in a more malicious way.
| Granted I haven't tried it in years, but it was possible back in
| 2017 when I tested it.
|
| The idea is to fake the image that's being displayed in the IMG
| element by forcing it to show a `background-image` using `height:
| 0;` and `padding-top`.
|
| In theory, you could make an IMG element show a photo of puppies
| and if the person chose to Right-click > Save Image As then
| instead of the dog photo it could be something else.
|
| For some reason I can't Oauth into Codepen so for now I can't
| recreate it publicly.
| bellyfullofbac wrote:
| Not very new, the technique's probably been around since the
| 2000's... e.g. you can't right click, save as on the web
| version of Instagram because all the images are background-
| images attached to DIVs. In the "old days" there'd be a 1x1
| transparent GIF above the image, so any downloader would
| download that instead.
| trulyme wrote:
| More like 1990s, but yes.
| sumthinprofound wrote:
| Firefox on Android long press save image no other action taken
| and it shows up in my device photo gallery.
|
| (edit: clarity)
| unfocused wrote:
| In Chrome, you can just do as the author says, right click and
| "Save Image As".
|
| Then just go to the folder where it is being downloaded, and
| copy/paste the file "lisa.jpeg.crdownload" to
| "lisa.jpeg.crdownload copy".
|
| Rename to "lisa.jpeg" and cancel the download. You now have the
| image. What's interesting is that you _ARE_ actually downloading
| this image. It's just that they don't terminate the connection.
| julieturner99 wrote:
| i paused the download and renamed the file to .jpeg and it
| worked similarly
| chunkyks wrote:
| We have a security proxy at work that gives you the bits, but
| then holds the connection open while it does a scan, then
| resets the connection if it doesn't like something inside. Both
| Chrome and Firefox [haven't tried IE/Edge, but I assume that
| they'll do something that the proxy vendor would want] infer
| [or are told?] that the connection broke and delete the interim
| file. Unfortunately, with zip files, the header is at the end;
| so it can't do scanning until the whole file is down.
|
| For me, the easiest way to mitigate it turned out to be to use
| wget [with an appropriate user-agent... say, the same as my
| desktop browser]. wget Gets the bits, but doesn't in any way
| molest the "partial" download when the connection resets. Then
| it tries to download the rest using the "Range" HTTP header,
| and the server says "oh, dude, you already got the whole
| thing"; wget declares success, and all the bits are in my
| download folder.
|
| I believe that we pay, like, a lot for this proxy, which is
| annoying on two counts: 1) If _I_ can get past it trivially,
| then presumably competent attackers can, too, and 2) Sometimes
| it takes a dislike to legitimate stuff, which is how I was
| forced to learn how to get around it.
| RolloTom wrote:
| wget and aria2c both work. I get a jpg image 54,8 KiB, SHA256
| sum
| 204788602166C017B8FEF5D63EDFD814DC9865233C410BCDAD713F78DAE5AF18
| human wrote:
| No issue downloading it on iOS.
| eyelidlessness wrote:
| Same. Oddly, the page itself remained in a loading state even
| after downloading succeeded.
| Supposedly wrote:
| right click > copy image > paste somewhere
|
| Works for me :) (I pasted in Telegram FYI)
| LeoPanthera wrote:
| Safari Mac, I dragged it out of the page and into a Finder
| window, and it saved.
| tomashubelbauer wrote:
| I right-clicked and pressed Open Image in a New Tab and then
| pressed Escape to disconnect the browser from the server. No
| infinite download here.
| numbsafari wrote:
| Yeah, I just:
|
| 1) used the "copy image" function Safari on iOS.
|
| 2) took a screenshot.
|
| ... back to the drawing board NFT bros.
| daedlanth wrote:
| prtsc, dumbass.
| brundolf wrote:
| It worked fine on iOS (confirmed in my photo library)
| pbobak wrote:
| It downloaded on Safari on iOS. Long press on the image and tap
| Add to photos.
| robarr wrote:
| Ditto
| jb1991 wrote:
| Same for me, but the webpage gave the impression that it was
| still downloading, because after it downloaded completely, at
| least in firefox on iPhone, it's still showing that it was
| downloading.
| threatripper wrote:
| I could copy the image from Firefox. Are you sure you
| downloaded it instead of copying it?
| ladino wrote:
| iPhone Safari - Instant Download, no problem!
| haunter wrote:
| iPhone > long press > Add to photos
|
| What am I missing?
| wsinks wrote:
| I posted the same snarky comment too. Seems the headline should
| be "You can't download this exact image, but you can copy the
| presentation image via other means."
|
| More of a play on words for how copy and download often times
| mean the same thing even though technically they're different.
| grawprog wrote:
| I had zero issues downloading the image with brave. Saves
| normally like any other picture.
| hollander wrote:
| Rightclick and select "copy image". Why would you want this if
| you can copy the image anyway?
| 0xhh wrote:
| I guess this is very similar to res.end() in nodejs servers
| busymom0 wrote:
| My usual way of downloading images is to click and drag the image
| into my downloads folder on my Mac. Worked fine for me from
| Safari. Am I missing something?
| efortis wrote:
| Load the website in Firefox with the Network Panel open, hit
| "Escape", and right-click "lisa.jpg" -> "Save Image As"
| synergyS wrote:
| Hm opened chrome console and saved it from sources there, took 30
| secs :)
| kuroguro wrote:
| The problem with leaving connections open is that there's a limit
| on how many you can have on the server... I think the author has
| committed self-DoS :)
|
| https://en.wikipedia.org/wiki/Slowloris_(computer_security)
| titaniczero wrote:
| The website is down now lol
| proyb2 wrote:
| It should end with .offline
| sildur wrote:
| And now you can't download that image.
| Rerarom wrote:
| Yeah it's like a breeder reactor, it makes its own fuel.
| tomxor wrote:
| > The connection has timed out
|
| Now I _really_ can't download the image
| purplecats wrote:
| He got you!
| TheRealDunkirk wrote:
| Great! Just what we need these days: more tricks to screw around
| with the simple, straightforward implementation of the HTTP
| protocol! And just in time for Christmas.
| olliej wrote:
| On webkit based browsers at least you can just drag the image
| out, it doesn't bother trying to redownload it just reconstructs
| the image file from memory, this also applies to copy/paste on
| ios
| aerovistae wrote:
| I was about to "Save as..." when suddenly it struck me that this
| would be an incredible bait to spread a virus.
| soheil wrote:
| An image virus? Please do elaborate.
| lgats wrote:
| using "filename" within the "Content-Disposition" header, you
| could theoretically trick a user into downloading a non-image
| file despite the url containing lisa.jpg
|
| I think certain browsers have security limits on the file-
| extensions you download, which may include when image->"save
| as" is used.
| chunkyks wrote:
| Don't forget that you can literally concatenate jpegs and
| zipfiles [header at start of jpeg, but at end of zipfile],
| so the valid jpeg can _also_ be a valid zipfile.
|
| Combine that with something like Safari's insistence at
| automatically exploding zipfiles on download, and you got
| yourself a party.
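
Added example, not part of the thread: a Python check that a download scanner or upload filter could run for the two tricks lgats and chunkyks describe, a Content-Disposition filename whose extension differs from the URL's, and a ZIP end-of-central-directory record sitting after the JPEG's end-of-image marker. The function names, finding labels, the example.test URL and the sample bytes are constructed for illustration.

```python
import io
import struct
import zipfile
from email.message import Message
from urllib.parse import unquote, urlsplit

ZIP_EOCD = b"PK\x05\x06"  # end-of-central-directory record, stored at the END of a zip


def jpeg_end(data):
    """Offset just past the JPEG EOI marker, or None if the marker stream is incomplete."""
    if not data.startswith(b"\xff\xd8"):  # SOI
        return None
    i = 2
    while i + 2 <= len(data):
        if data[i] != 0xFF:
            return None
        marker = data[i + 1]
        if marker == 0xD9:  # EOI
            return i + 2
        if i + 4 > len(data):
            return None
        i += 2 + struct.unpack(">H", data[i + 2:i + 4])[0]  # skip the segment
        if marker != 0xDA:  # only SOS is followed by entropy-coded data
            continue
        while True:
            j = data.find(b"\xff", i)
            if j < 0 or j + 1 >= len(data):
                return None
            nxt = data[j + 1]
            if nxt == 0xD9:
                return j + 2
            if nxt == 0xFF:  # fill byte
                i = j + 1
            elif nxt == 0x00 or 0xD0 <= nxt <= 0xD7:  # stuffed byte or restart marker
                i = j + 2
            else:  # next segment, e.g. another scan in a progressive file
                i = j
                break
    return None


def ext(name):
    """Lower-cased extension of the last path component, with jpeg folded into jpg."""
    base = name.rsplit("/", 1)[-1]
    e = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    return "jpg" if e == "jpeg" else e


def inspect_download(url, headers, body):
    """Return a list of findings for a response whose URL claims to be a JPEG."""
    findings = []
    msg = Message()
    if "Content-Disposition" in headers:
        msg["Content-Disposition"] = headers["Content-Disposition"]
    served = msg.get_filename()  # the name the browser would offer to save under
    if served and ext(served) != ext(unquote(urlsplit(url).path)):
        findings.append("filename-mismatch")
    end = jpeg_end(body)
    if end is None:
        findings.append("not-a-complete-jpeg")
    elif ZIP_EOCD in body[end:]:
        findings.append("zip-after-jpeg")
    elif body[end:]:
        findings.append("trailing-data")
    return findings


# Constructed sample: a structurally valid marker stream, not a decodable picture.
SAMPLE_JPEG = (b"\xff\xd8" + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + bytes(9)
               + b"\xff\xda" + struct.pack(">H", 8) + bytes(6)
               + b"\x12\xff\x00\x34\xff\xd0\x56" + b"\xff\xd9")


def sample_polyglot():
    """Constructed JPEG+ZIP concatenation of the kind described above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("note.txt", "constructed sample")
    return SAMPLE_JPEG + buf.getvalue()
```
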
| xdrosenheim wrote:
| Firefox mobile did hang when trying to download, but after
| pressing cancel the image was downloaded and viewable in my
| gallery app.
| kuu wrote:
| Same here
| [deleted]
| alias-dev wrote:
| This does create a self inflicted Slowloris attack on the server
| hosting the image, so this site is probably more susceptible to
| the hug of death than most
| meow_mix wrote:
| How to download this image:
|
| 1. Open Inspect (right click and hit "inspect")
|
| 2. Click the "Network" tab
|
| 3. Refresh the page (while clearing the cache Command+Shift+R)
|
| 4. Right click on "lisa.jpg" in the list view under the "Network"
| tab
|
| 5. Click "Open in new tab"
|
| 6. Right click the image on the new tab
|
| 7. Click "Save image as"
|
| Man I can't believe these clowns (or myself for typing all this
| out--don't know who is worse)
| hoten wrote:
| What actually works: take a snapshot of the element via the
| Elements panel.
| Mogzol wrote:
| Did you even try this before posting? These steps are no
| different than just right-clicking the image and choosing "Save
| image as". It still results in a download that never finishes.
| alpaca128 wrote:
| _Inspect > Copy > Image Data-URL_ works perfectly fine in
| Firefox.
| scoopertrooper wrote:
| Did you even read the page? There's no reason to think that
| this approach would work.
| ReleaseCandidat wrote:
| Koan of the day: Can you download something that doesn't load?
| causi wrote:
| _When you usually try to download an image, your browser opens a
| connection to the server and sends a GET request asking for the
| image._
|
| I'm not a web designer, but that seems rather ass-backwards. I'm
| already looking at the image, therefore the image is already
| residing either in my cache or in my RAM. Why it is downloaded a
| second time instead of just being copied onto my drive? Why is it downloaded a
| oefrha wrote:
| You can totally "download" the image in your RAM by right
| clicking / long pressing -> "copy image" or equivalent in most
| browsers. It's just not going to be a byte by byte identical
| file, and may be in a different format, e.g. you get a
| public.tiff on the clipboard when you copy an image from Chrome
| or Safari on macOS, even if the source image is an
| image/svg+xml.
| Tuna-Fish wrote:
| Oh no, it's still downloading the one it's displaying on
| screen. You can even see a spinny thing as the icon of the tab
| on Chrome.
|
| The format allows for showing images when they are partially
| downloaded, and also allows pushing data that doesn't actually
| change the image.
| netizen-936824 wrote:
| Okay? So we still seem to have an accurate representation of
| the image we want. Why can't I just download that and what's
| the point of the rest of the data. If we already are seeing
| the image, the rest of the data is pointless no?
| gipp wrote:
| Certainly so, yes. But your browser doesn't know that.
| chii wrote:
| but the browser doesn't know that the image is already
| done, and since there's still data coming in, the browser
| is obliged to continue downloading.
|
| you could right click, and copy image, rather than save as.
| It achieves what you wanted - save a copy of the image.
| paavohtl wrote:
| I don't know about browser internals, but I would guess that
| the browser decodes the image once into a format that can be
| shown on the page (so from PNG/JPG/WEBP into a RGBA buffer) and
| then discards the original file. This saves a bit of memory in
| 99.99% of cases when the image is not immediately saved
| afterwards.
| Aerroon wrote:
| I'm pretty sure it only discards the original after x number
| of other (new) images have been decoded. (Or perhaps it's
| memory footprint based?)
|
| I ran into a Chrome performance bug years ago with
| animations, because the animation had more frames than the
| decoded cache size. _Everything_ ground to a halt on the
| machine when it happened. Meanwhile older unoptimized
| browsers ran it just fine.
| mkl wrote:
| More likely the original file is saved in the browser cache.
| That's why it loads faster when you reload the page, and
| slower when you do a full reload by holding down shift. In
| Firefox you can see the files with about:cache, and find them
| in ~/.cache/mozilla/firefox/e1wkkyx3.default/cache2/entries/
| or similar (they have weird names with no extension, but the
| file command will identify them, in their original format).
| In Chrome they're packed into files with metadata like the
| URL at the start. You can extract the original file by
| looking at a file in the cache folder [1] and snipping the
| header off (you can guess where it is by looking at the file
| contents with xxd or a hex editor).
|
| More info (and link to a Windows viewer tool) here:
| https://stackoverflow.com/questions/6133490/how-can-i-read-c...
|
| [1] For me on Linux, Chrome's is
| ~/.cache/google-chrome/Default/Cache/
| ghusbands wrote:
| One cool related thing is that (I believe) modern graphics
| cards (even Intel) can store and use JPG blocks directly from
| GPU memory, so it's not necessarily beneficial in the long
| term to convert to RGBA in advance. Though I think no modern
| browser actually does this, especially given how power-cheap
| decoding jpeg (with SIMD) already is and how likely it is
| that gpu bugs would interfere.
| plekter wrote:
| I don't think they can use jpg directly, that would be a
| waste of transistors given that the graphics world use
| other compression formats like etc1, bc, astc and so on.
|
| It is however perfectly possible to decode blocks of JPG on
| a GPU by using shader code.
| causi wrote:
| Interesting if that is the explanation. I wonder if any
| browsers offer a "privacy mode" where the original images are
| saved, thereby preventing the server from knowing which
| specific images you chose to save and were therefore
| interested in. I wonder how often that information is logged,
| and whether those logs, if they exist, have ever been put to
| a purpose such as in a court case.
| forgotmypw17 wrote:
| This used to be common behavior, but changed over time in most
| browsers.
|
| Your guess is as good as mine as to why.
| masswerk wrote:
| As far as I remember from a previous project from a few years
| ago, the browser doesn't include a referrer for the download
| request, which can be used for a distinction. (You'll have to
| disable caching and E-Tags for this to work.)
|
| However, this is easily defeated by the use of the console:
| Select the sources tab, locate the image and simply drag-and-
| drop the image from there, which will use the local cache
| instance for the source. Works also with this site, at least
| with Safari.
| Omin wrote:
| > [...] which will use the local cache instance for the
| source
|
| I don't understand why browsers aren't always doing this.
| They already have the image, why redownload it?
| stiray wrote:
| I have a problem understanding: what problem is this solving?
|
| When the image is on my screen I can just screenshot it.
|
| This is a common problem, using something in an insecure
| environment, that's why companies are going into such extents to
| encrypt movies on whole train from source to the display and
| even those are regularly dumped.
| dkersten wrote:
| And even if they figured out some DRM method to prevent
| screenshotting/screen recording, I can still point my phone
| camera at my monitor and capture it that way, if I really
| want to. There is always a way around whatever they try to
| do.
|
| If I can see it, I can make a copy of it.
| Aerroon wrote:
| But because they try the rest of us suffer the consequences
| of more expensive and slower hardware and all kinds of
| other problems.
| dkersten wrote:
| Yes. DRM always hurts the legitimate users more than the
| "pirates". Same with disabling right click or otherwise
| trying to prevent downloading images.
| cesarb wrote:
| > I can still point my phone camera at my monitor and
| capture it that way
|
| Back in the late 1990s/early 2000s (this was so long ago
| that I cannot quickly find a reference), there were
| proposals to require all non-professional audio and video
| recorders to detect a watermark and disable recording when
| one was found. Needless to say this was a terrible idea,
| for several reasons.
| gipp wrote:
| It's not "solving" anything, just demonstrating an
| interesting gimmick
| spiderice wrote:
| Definitely a gimmick. Interesting might be a bit of a
| stretch
| countmora wrote:
| I chuckled about this. However you can drag and drop it to your
| Desktop on macOS.
| soheil wrote:
| Works fine with _wget_ it just keeps hanging but if you CTRL+C it
| and open the file it'll look fine.
|
| The trick is to have nginx never timeout and just indefinitely
| hang after the image is sent. The browser renders whatever image
| data it has received as soon as possible even though the request
| is never finished. However, when saving the image the browser
| never finalizes writing to the temp file so it thinks there is
| more data coming and never renames the temp file to the final
| file name.
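
Added example, not part of the thread and not the site's code: a local Python model of the behaviour soheil describes, in which the server sends every byte of the image and then never ends the response, so a client that renames its temp file only at end-of-body is left holding a complete lisa.jpg.crdownload. It assumes the response carries no Content-Length and is not chunked (the thread does not show the site's headers); serve_once, save_like_browser, the example.test host and the payload are constructed, and a socketpair stands in for the network.

```python
import os
import socket
import threading

# Constructed stand-in for the image bytes (not a real picture).
PAYLOAD = b"\xff\xd8" + b"constructed image bytes" + b"\xff\xd9"


def serve_once(conn, release):
    """Answer one request with the whole body, then hold the socket open."""
    conn.recv(4096)
    # Assumption: no Content-Length and no chunked framing, so only a close ends the body.
    conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n" + PAYLOAD)
    release.wait()  # every stalled client keeps one server connection pinned here
    conn.close()


def save_like_browser(folder, server_closes, idle_timeout=1.0):
    """Stream the body into a temp file; rename it only once the body has ended."""
    client, server = socket.socketpair()
    release = threading.Event()
    if server_closes:  # the ordinary case: the server closes after the last byte
        release.set()
    worker = threading.Thread(target=serve_once, args=(server, release), daemon=True)
    worker.start()
    part = os.path.join(folder, "lisa.jpg.crdownload")
    head, in_body, ended = b"", False, False
    client.sendall(b"GET /lisa.jpg HTTP/1.1\r\nHost: example.test\r\n\r\n")
    client.settimeout(idle_timeout)
    with open(part, "wb") as out:
        try:
            while True:
                chunk = client.recv(4096)
                if not chunk:  # server closed the connection: end of body
                    ended = True
                    break
                if not in_body:  # still reading the response headers
                    head += chunk
                    if b"\r\n\r\n" not in head:
                        continue
                    chunk, in_body = head.split(b"\r\n\r\n", 1)[1], True
                out.write(chunk)
        except socket.timeout:  # stands in for the user giving up on the transfer
            pass
        finally:
            release.set()
            client.close()
            worker.join(2)
    name = os.path.basename(part)
    if ended:  # only a finished transfer gets the final file name
        name = "lisa.jpg"
        os.replace(part, os.path.join(folder, name))
    with open(os.path.join(folder, name), "rb") as f:
        return name, f.read()
```

The release.wait() line is also where the self-inflicted connection exhaustion mentioned elsewhere in the thread comes from: each viewer costs the server one open connection for as long as the page stays up.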
| CyberShadow wrote:
| The site does not send a Content-Type header for the main web
| page, so I get a download dialog when trying to open it.
| dibeneditto wrote:
| In Chrome, Right-Click on Image - Inspect - Right-Click on <img
| src="lisa.jpg" alt="Mona Lisa"> Tag - Capture node screenshot -
| Save
| mark_and_sweep wrote:
| I would have expected this to do something different, like
| rendering the image via WebGL (so it looks like an <img>, but
| isn't easily downloadable).
| neximo64 wrote:
| If you wait long enough it downloads.
| nicebill8 wrote:
| Drag and drop to Desktop on macOS works too.
| barelysapient wrote:
| Downloaded on my iPhone with a single tap.
| singularity2001 wrote:
| Downloaded on my mac with two clicks (FF): open in new tab,
| download
| busymom0 wrote:
| Worked on Safari (Mac) too by dragging and dropping into my
| downloads.
| earth2mars wrote:
| On Google Pixel there is a new feature where I can go to the
| recent app screen and it detects images to click on them to do
| Google Lens or save images or share image. I was able to save
| the image of size 506kb with 841x1252 1.1MP pic.
| zeeshanejaz wrote:
| `prt sc` anyone?
| donkarma wrote:
| 99% sure it said download, not screenshot
| quickthrower2 wrote:
| You can on iOS safari. No hacks/workarounds
| sam1r wrote:
| You can't download the code on github either.
|
| Because github is currently down.
| jcun4128 wrote:
| rare occurrence I imagine but good check to not have everything
| in one place
| marcelotournier wrote:
| iOS Safari saved the image in my photos, as any regular picture
| that I do a long tap on.
| wsinks wrote:
| On iOS, long press > add to photos
|
| I now have a photo of the Mona Lisa in my camera roll.
|
| I guess this is one of those things that wouldn't be as edgy with
| the actual mechanism stated. :)
| progman32 wrote:
| This is a perfect (if maybe unintentional) example of how to get
| help from otherwise disinterested technical folk: Make an
| obviously technically-incorrect claim as fact, and watch as an
| entire army comes out of the woodwork giving you technical
| evaluations :)
| manbart wrote:
| I'm aware of this phenomenon, but have never tested it
| (confidently posting something incorrect to get responses with
| the real answer). Has anyone here actually tried this? How did
| it work?
| [deleted]
| spondyl wrote:
| Anthony Bourdain used to find the best local cuisine by going
| onto message boards (anonymously I assume) and saying X is
| the best restaurant, only to receive a flood of
| recommendations
|
| https://archive.md/0UQsd: Ctrl + F for "nerd fury" to find
| where the claim starts
| userbinator wrote:
| People hate DRM. Thus everyone will work their hardest to
| bypass it.
| Andrew_nenakhov wrote:
| Cunningham's Law [1]: "the best way to get the right answer on
| the internet is not to ask a question; it's to post the wrong
| answer".
|
| [1]: https://meta.m.wikimedia.org/wiki/Cunningham%27s_Law
| codesections wrote:
| Though note that Cunningham disavows the law attributed to
| him:
|
| > Cunningham himself denies ownership of the law, calling it
| a "misquote that disproves itself by propagating through the
| internet."
|
| https://en.m.wikipedia.org/wiki/Ward_Cunningham
| Andrew_nenakhov wrote:
| His opinion on this matter is not of any importance, as
| confirmed by a great many people who have found an unlikely
| fame. Just ask mrs. Streisand.
| can16358p wrote:
| I just simply long tapped on the image and tapped save to photos
| on my iPhone and it was saved.
| Hard_Space wrote:
| You really can't - the HN hug of death has killed it!
| jancsika wrote:
| Graceful nongradation
| teitoklien wrote:
| The image was dead in the first place, hence it cannot be
| downloaded or opened.
|
| That's the joke, i guess.
| smolder wrote:
| No, they DoS'd themselves with their "viewable but not save-
| as-able" technique. Leaving connections open will do that.
| The image is visible right now but the browser can't save
| what appears to be an incomplete file.
| html5web wrote:
| Downloaded on iPhone
| boublepop wrote:
| Yes I could. No issues. Save to photos on iPhone.
| tschesnok wrote:
| No one seems to mention that Chrome keeps spinning on the HTML
| load as well and eventually kills the image. This means the
| webpage itself is broken and fails to work. Not just the
| download. Soo.. this just does not work for anything..
| T0Bi wrote:
| It's definitely hard to download an image that doesn't load. :(
| growt wrote:
| Went to the download folder, renamed lisa.jpg.crdownload to
| lisa.jpg. Cancelled the download in the browser.
| dvh wrote:
| If I wanted a non-downloadable image I would make it from 1px
| wide/tall colored divs.
| MildlySerious wrote:
| Pretty sure that was actually used in emails at some point,
| just with tables, to get around email clients not loading
| images.
| Karellen wrote:
| Email clients generally don't load external images. The
| majority should still display images that are sent as part of
| a multipart/mixed message though, and those should take up
| significantly less space than thousands of divs/tds and color
| attributes.
| dorkwood wrote:
| I thought this is what it was going to be! Another method would
| be to generate a plane with the same number of vertices as
| pixels, store the pixel color values as an attribute, and then
| render the mesh to a canvas.
| dvh wrote:
| You can right-click canvas and save it as image.
| dorkwood wrote:
| Oh, you're right! I guess you'd have to disable the context
| menu too.
| alpaca128 wrote:
| Which doesn't help either because in the Inspect view you
| can just click "Screenshot node" on the HTML element.
| masswerk wrote:
| I actually used this to generate graphs in JS/HTML in the
| 1990s. :-)
| can16358p wrote:
| Out of curiosity, how was the performance (of course
| normalized to performance of that era)?
| masswerk wrote:
| Here's a somewhat older approach splitting charts into
| linear runs of 1x1 images, which has some statistics at the
| bottom of each chart:
|
| https://www.masswerk.at/demospace/relayWeb_en/chartset.htm
|
| (Or see
| https://www.masswerk.at/demospace/relayWeb_en/welcome.htm
| and select "charts". Total time for calculations and
| rendering was then in the about 1 sec range. The real
| problem for using this in production was that these charts
| could be printed on Windows with Postscript printers only.
| I think, this was eventually fixed in Windows 98 SE.)
| stevespang wrote:
| I just saved the image on full with no green - hah. No problem.
| [deleted]
| zImPatrick wrote:
| copy the not finished download file in your downloads folder (for
| me lisa.jpg.crdownload) and name it lisa.jpg
| unfocused wrote:
| Just wrote the same. Didn't see your comment early. So really,
| you can absolutely download this image!
| dillondoyle wrote:
| Another idea is canvas: https://jsfiddle.net/dvg45pcz/
|
| But I don't know how to get it to not appear in network sources.
|
| Or wasm but I don't know how to write that.
| brodock wrote:
| You could likely pack and unpack from websockets...
| cmaggiulli wrote:
| Does WebRTC show in the network console?
___________________________________________________________________
(page generated 2021-11-27 23:00 UTC)