Flickr download counter-countermeasures applied

galdown works on Flickr again. They recently changed their web site to obfuscate their URLs and Javascript even more, making it harder to find the URL of the large-sized "_o" image.

Oh, what's this? Is dc4728449ac9905195f4bd612e1c215a the unnamed account in the Bahamas where the money was to be stashed, I mean, the "secret" API key embedded within Flickr's minimized Javascript? I think so!

"Wait", you're thinking, "People still use Flickr?" Yeah, I was surprised too.

Previously, previously, previously.

Tags: , , , , ,

27 Responses:

  1. They do have an API.

    • jwz says:

      And I am using it. They have an API that requires every end user of it to register their own key. As is the despicable fashion these days. They can go fuckr themselves.

  2. Oh, right, that. Why I haven't released any of my flickr or twittr hacks.

  3. Speaking of "People still use Flickr?" I heard a rumor that Google will soon make yet another attempt at a photo/social site. I think this would be their fourth.

  4. Rena says:

    Oh, Flickr. Why do you do these things? What is this "give people things but don't let them have them" mentality? Why serve the un-mangled image but make people jump through hoops to get it or try to hide it? And more importantly why do people still use these stupid sites?

  5. Rena says:

    BTW, why not put these scripts on Github?

  6. Ben says:

    If you upload photos only out of a sense of duty and don't give enough of a shit about them to pay to host them yourself, what would you use if not Flickr (that works with Lightroom)?

  7. Rena says:

    Is this script not able to download the full-resolution version of just a single image? I've ported the relevant bit to Python:

    I found that the image ID regex matched actual image URLs such as if I removed the _ at the end. However I get back an "Invalid API key" response. Is there a different key for these URLs or have they changed it already?

    • Rena says:

      Answered my own question. 4fc05fa65f1adedb76e0cb0655cc6836 is my lucky number.

    • jwz says:

      If I'm downloading only one image, I just use "inspect element". Bulk downloading is the problem I was trying to solve.

      • Rena says:

        That wasn't working for me. (Copying the image URL and adding _o just gave an "image not available" message.)

        Anyway, here's the finished script: it only extracts the Flickr source URL given an image URL (doesn't download or support other sites like yours does). It's basically just your flickr_crack_secret function ported. Is the copyright OK how I've written it? I'm not sure on these things.

        • Rena says:

          Hm, not only the key changes, but for I don't even get the "originalformat" and "originalsecret" parameters. They seem to really enjoy playing cat and mouse...

          • I still don't understand why you folks are having problems with this. I have a script too. It gets the photo info, authenticated, with extras=url_o, and there it is. Is the problem that you are trying to do it without authenticating?

            • Rena says:

              I don't have a user account to authenticate with. I just grab the API key from the site's front page and query it. Mostly it works but for some images like that one I haven't been able to convince it to give url_o or any such useful things. Are you able to get the originalsecret/url_o information for that image?

              • If you can't see the original image via the web UI, you won't be able to access it via the API. You know that people can set a flag to prevent access to their original images, right? Apparently that user has set the flag.

                I set the flag too, so I need to authenticate to access my own original images. Perhaps if the flag is not set then unauthenticated calls can get url_o?

                • Rena says:

                  That's what I figured. For some images the original just isn't available to anyone but the author. However I've had no trouble getting everything that is available using the same API key the web UI uses. (The only trouble I had is that that key changes frequently, but I was easily able to wrap it up in a function that automatically grabs a new one as needed. site_key is conveniently provided, and there's an undocumented API or two to generate them as well.)

                  Interesting side note: there seem to be separate secrets for some of the other image sizes too (e.g. 'k' and 'h'), but the API is perfectly willing to give those. Maybe that's just there to make things slightly more difficult.

                  I wonder if those secrets are all derived from some publicly-available information in some simple fashion? That'd be pretty funny. Not really interested in looking at that right now, though.

                  jwz still hasn't commented on the copyright. IANAL but I feared his own copyright statement might not cover a third-party port, so I added mine just to be safe.

                  • jwz says:

                    I don't give a shit about the copyright status of my DMCA-violating trafficking in DRM circumvention tools. Who do you think I am, RMS? Use it in felonious health.

                  • The secrets are supposed to be random. If they're derivable from anything that's a bug.

                  • Rena says:

                    Right on. I like that attitude. Just don't want to put my name on someone else's work without asking.

  • Previously