For several years, there was an exploit on the server that allowed images to be uploaded over the tops of existing paintings, particularly DSiPaint ones (which were just PNG images directly uploaded from the page).
I knew about it for a little while and didn't bother to close the exploit because members were only really using it to upload small replacement images to use as avatars. However, a few years after that, I found that malicious actors were also using this exploit to drop bot files onto the server to search for other vulnerabilities.
I gradually escalated security, starting by limiting the allowable file types in the folder to just images. After struggling against the malicious actors finding new ways to get the bots installed just about every day, I finally went ahead and spent a good week to overhaul the entire handling of images across the server to use a queue system for saving. This was probably a year ago. It stopped the bots, but members were still using this exploit through other means. Again, I didn't bother much with it until realizing how abusive several members were being.
After seeing several Help Desk posts relating to these images slowing down or completely breaking the loading of content on older mobile devices, I looked into it last night. I found that members were uploading images as large as 10MB each, using what was meant to be a folder for small paintings under 60kB each. There were 1000s of images large enough that each one of them would completely choke the Nintendo DSi and Nintendo 3DS browsers. It came to about 9GB of image uploads with several members making use of this exploit to use this community as their free photo album server. When I discovered this, I was mad, so I waited to cool down and post today.
This community has been free with no ads for years. I have made several posts during that time about how a few generous members have been helping to partially defray the losses incurred every single month in hosting fees. This abuse of the community led to extra hosting fees in file storage and bandwidth. I spent a good 3-4 hours last night manually purging just about every one of these images, leaving only a few smaller ones. (Note: While deleting these, I did see the names of every member who made use of the exploits.) I initially thought about giving a few days' warning before purging all these images but then realized that everyone who did this already knew it was an exploit that could be closed at any time.
If you would like to upload images, there is an upload feature currently available that aspect fits images to 640x640 and provides thumbnails when posting within blogs, etc. That is where general images not meant for avatars should go at the moment. It is asinine to use 24MPixel images for avatars that display in 32x32 squares.
We are currently working on the new website for the community. This will be a modern one that will have support for larger photo albums and automatic image scaling on older devices. All members will be able to make limited uploads to this with premium members being able to upload more images. Feel free to upload images to this when it becomes available and set those images as avatars and bulletin board signatures.
Ah!
I hate that some people used it as a way to store every single image they had (which is ridiculous). I hope the new system gets added soon.
P.S. I used the exploit to recreate my avatar, and specifically made sure it worked on the DSi and loaded fast (17.9kb, 90x90, for those curious). I'll delete this avatar once the new system is up and running and use the new system instead.