Stealing From Google
Posted 3 months ago · Active 3 months ago
taqib.dev · Tech · story
controversial · mixed · Debate 80/100
Key topics: Caching, Proxying, GDPR, Web Development
The post discusses a technique for 'stealing' assets from Google by caching and proxying them, sparking debate about the ethics and technical implications of such an approach.
Snapshot generated from the HN discussion
Discussion activity: first comment 1h after posting; peak period of 15 comments in the 84-96h window; average 5.8 comments per period; comment distribution based on 29 loaded comments.
Key moments
- Story posted: Sep 29, 2025 at 5:27 AM EDT (3 months ago)
- First comment: Sep 29, 2025 at 6:55 AM EDT (1h after posting)
- Peak activity: 15 comments in the 84-96h window, the hottest window of the conversation
- Latest activity: Oct 3, 2025 at 6:24 PM EDT (3 months ago)
ID: 45411799 · Type: story · Last synced: 11/20/2025, 12:32:34 PM
Public data can be personal data, and anyone doing the same as TFA is making themselves a liable processor. But aren't you a processor by using OAuth in the first place? Yes, but with what TFA is doing you have a greater liability surface.
(IANAL but I cite GDPR because the broad concepts apply to data privacy laws in other jurisdictions. See also: https://en.wikipedia.org/wiki/Brussels_effect)
And I'm not aware of any law anywhere here that says I can't download a public photo. The use case is clearly valid and benign, the photo is public, there's no way a judge would go for that no matter how you twist the law.
Plus there's their Images service which could come in handy to transform them a bit, too, if you wanted.
It makes very little sense. They don't want to ask users to trust Google's domain despite... integrating the user's Google account? What?
He's using BetterAuth hooks to fetch those images and upload them to his trusted URL to avoid such a scenario.
Could anyone explain this?
So, the endpoint is essentially a proxy that does additional image processing, like compression and width/height resizing (again, a URL parameter that the Image component or any other client can change based on the device / screen size in use).
This means that without a domain whitelist, theoretically any image URL can be passed to the endpoint, which will then be processed and cached by your infra.
This has been used in the wild, e.g. racking up charges on someone else's Vercel bill by requesting a bunch of images through this endpoint.
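An added example, not code from the linked post or from any commenter: a host and path allowlist check for an image-optimizing proxy endpoint of the kind described in the comment above. The pattern shape follows Next.js `images.remotePatterns` entries (protocol, hostname, pathname), but the function and constant names here (`isAllowedImageUrl`, `ALLOWED_PATTERNS`, `handleImageRequest`, `fetchAndOptimize`) are assumed for illustration, and the allowlisted hosts are constructed sample values.

```javascript
// Added example (not from the linked article or the thread): a host/path
// allowlist for an image-optimizing proxy endpoint. The pattern shape follows
// Next.js `images.remotePatterns` entries (protocol, hostname, pathname), but
// the names below are assumed for illustration and the hosts are constructed
// sample values.

const ALLOWED_PATTERNS = [
  // Google account avatars, HTTPS only, under the /a/ path
  { protocol: "https", hostname: "lh3.googleusercontent.com", pathname: "/a/**" },
  // Any single-label subdomain of a (constructed) CDN, images path only
  { protocol: "https", hostname: "*.example-cdn.net", pathname: "/images/**" },
];

function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Compile a glob into an anchored regex. "**" is split out first so the "*"
// rule cannot consume it. `single` and `multi` are the regex bodies for one
// segment and for any number of segments respectively.
function globToRegex(glob, single, multi) {
  const body = glob
    .split("**")
    .map((part) => part.split("*").map(escapeRegex).join(single))
    .join(multi);
  return new RegExp("^" + body + "$");
}

const hostRegex = (pattern) => globToRegex(pattern, "[^.]+", ".+");
const pathRegex = (pattern) => globToRegex(pattern, "[^/]+", ".*");

// Returns true only when `raw` parses as an absolute URL and matches at least
// one allowlisted pattern on protocol, full hostname and path. The checks run
// on the parsed URL, not the raw string, so "host.com.attacker.example" and
// "user@host.com" style inputs are rejected instead of substring-matched.
function isAllowedImageUrl(raw, patterns = ALLOWED_PATTERNS) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return false; // relative or malformed input: nothing to proxy
  }
  if (url.username || url.password) return false; // no embedded credentials
  if (url.port) return false; // non-default ports are not allowlisted
  return patterns.some(
    (p) =>
      url.protocol === `${p.protocol}:` &&
      hostRegex(p.hostname).test(url.hostname) &&
      pathRegex(p.pathname).test(url.pathname)
  );
}

// Route handler sketch: reject before fetching or spending any processing
// time, so unlisted hosts cost nothing. `fetchAndOptimize` stands in for the
// real image pipeline and is an assumed name.
async function handleImageRequest(query, fetchAndOptimize) {
  if (!isAllowedImageUrl(query.url)) {
    return { status: 400, body: "image host not allowed" };
  }
  return { status: 200, body: await fetchAndOptimize(query.url) };
}
```

The check is done on the parsed `URL` components rather than on the raw string, and the hostname regex is anchored at both ends, so a lookalike host that merely contains or ends with an allowlisted name does not pass.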
Not sure how exactly it works, never used the framework, but I assume that when the frontend app detects this image tag it makes a server call to process it and return an optimized version.
Now, if someone were to insert such a tag into the frontend of your app and put in the source of their own image, your server would do the processing of their image.
I have absolutely no idea in what universe this would be a practical attack benefiting anyone at all.
Edit: oh, I see the comment by samtheprogram. I would think that the framework would use some form of CSRF; this is a really weird implementation.