Mobbin uses image-processing query parameters to serve low-resolution, watermarked previews to free users. The full-resolution, unwatermarked source image is served from the same URL — the "protection" exists only in the parameters appended to it.
Mobbin's CDN (bytescale.mobbin.com) processes images dynamically via URL parameters. A gated preview for a free user looks like this:
    # What free users receive
    https://bytescale.mobbin.com/FW25bBB/image/
      mobbin.com/prod/content/app_screens/<id>.png
      ?f=webp&w=15&q=85&fit=shrink-cover      ← width set to 15
      &extend-bottom=120
      &image=/mobbin.com/prod/watermark/...   ← watermark overlay
      &gravity=bottom&v=1.0
Strip all parameters, or simply change w=15 to w=1920 and remove the watermark overlay, and you receive the full source image at full quality: no authentication check, no server-side access control.
    # Full resolution, no watermark
    https://bytescale.mobbin.com/FW25bBB/image/
      mobbin.com/prod/content/app_screens/<id>.png
      ?f=webp&w=1920&q=100
The right fix is server-side access control: the CDN should verify a signed token or session before serving gated content, regardless of the parameters supplied.
    # CDN validates an HMAC signature before processing
    https://cdn.example.com/image/asset.png
      ?w=1920&sig=hmac_sha256(secret, path+params+expiry)
      &expires=1748995200
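The signed-URL check described above, as an added example (not Mobbin's or Bytescale's code): the application signs the path, the processing parameters and the expiry after checking the user's entitlement, and the CDN recomputes the HMAC before doing any image work. The key, the function names and the canonical form (sorted query string) are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed demo key (assumption): in practice a secret shared only by signer and CDN.
SECRET = b"constructed-demo-key"


def _canonical(path: str, params: dict) -> bytes:
    # Sort parameters so reordering cannot change what is signed; "sig" is excluded.
    items = sorted((k, v) for k, v in params.items() if k != "sig")
    return (path + "?" + urlencode(items)).encode()


def sign_url(path: str, params: dict, expires: int) -> str:
    """Issued by the application once the user's access has been checked."""
    signed = dict(params, expires=str(expires))
    sig = hmac.new(SECRET, _canonical(path, signed), hashlib.sha256).hexdigest()
    return path + "?" + urlencode(sorted(signed.items()) + [("sig", sig)])


def verify_url(url: str, now: int) -> bool:
    """Run by the CDN before any resize or overlay processing."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    params = dict(pairs)
    if len(params) != len(pairs):  # duplicated keys are ambiguous: reject
        return False
    sig = params.get("sig", "")
    expires = params.get("expires", "")
    if not sig or not (expires.isascii() and expires.isdigit()):
        return False
    if int(expires) < now:  # link has expired
        return False
    expected = hmac.new(SECRET, _canonical(parts.path, params), hashlib.sha256).hexdigest()
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    return hmac.compare_digest(sig.encode(), expected.encode())
```

Because `w`, `q` and the overlay parameter are all inside the signed string, changing or removing any of them invalidates the signature, and a request with no `sig` at all is refused rather than served with defaults.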