API Flaw in QuickBlox Framework Exposed PII of Millions of Users

Research into the widely used QuickBlox SDK and API led to the discovery of critical vulnerabilities built into chat and video applications used by industries including telemedicine, smart IoT, and finance.

The researchers from Claroty Team82 and Check Point Research (CPR) developed PoC exploits demonstrating that these vulnerabilities threatened the personal information of millions of users. They found they could access smart intercoms and remotely open doors, or leak patient data from telemedicine applications.

Developers using the QuickBlox framework must first create a QuickBlox account. This provides the application credentials, and those credentials are used to obtain a QB-Token that is sent with further API requests.

Once the application session has been created with those credentials, the user logs in on top of it with their own user credentials. The process therefore requires the client to hold the application credentials, which developers usually simply embed in the application, where attackers can extract them.

Turning to the API, “We discovered a few critical vulnerabilities in the QuickBlox API that could allow attackers to leak the user database from many popular applications,” report the researchers. They found that anyone with an application-level session could obtain a list of users, retrieve PII, and generate multiple attacker-controlled accounts.

Through Google dorking and search engines such as BeVigil, the researchers then located dozens of other applications using the same QuickBlox framework and subject to the same vulnerability. Extracting the keys was more difficult in some applications than others (through encryption or code obfuscation), but the researchers assert, “Developers can only put in obstacles to complicate recovering the application key; which will always be accessible to attackers, whether it takes five minutes to extract or two hours.”


The researchers examined how their discoveries could be used against different applications that incorporated QuickBlox. They provide a case study on Rozcom, an Israel-based provider of video intercoms for building entry. Investigating the Rozcom mobile app separately, they found additional vulnerabilities and discovered that user IDs were produced by concatenating a building ID and the user’s telephone number.

Turning back to their QuickBlox vulnerabilities, the researchers noted, “Rozcom chose to use the user ID [the concatenation] as the user identifier in QuickBlox. And since we could leak the user database from QuickBlox we could get access to all of Rozcom users including Building IDs as well as the correlating users’ phone numbers.” 

Knowing the building ID and the user phone number ultimately allowed the researchers to impersonate a legitimate user (they had also found they could obtain the user’s authorization code). “This means,” explained the researchers, “the only requirement to retrieve a user’s credentials is their phone number, which we managed to leak using the QuickBlox vulnerability. Moreover, the authentication code is static. Therefore, attackers can easily login on behalf of any user and use the application’s functionality to its extent. This allows them to open the door/gate, open video streams and more; they now fully control the intercom device remotely.”


Using the same approach on a telemedicine app (unnamed, because at the time of writing it was still vulnerable), the researchers discovered they could use the QuickBlox vulnerability to log in on behalf of any user, whether patient or doctor. They found they were able to retrieve personal information including medical history, chat history, and medical files.

“Furthermore,” warned the researchers, “because full impersonation is possible by this attack, anyone can impersonate a doctor and modify information or even communicate in real time via chat and video with real patients on the platform on behalf of an actual physician.”

This joint research into QuickBlox demonstrates the potential scale of the threat from API flaws, especially where the flaw is in a framework used by multiple vendors and multiple applications. In this instance the researchers worked closely with QuickBlox. QuickBlox has fixed the vulnerabilities via a new secure architecture design and new API. Security, however, doesn’t simply depend upon vendors’ fixes – the telemedicine application was still vulnerable at the time of writing because the developer hadn’t incorporated the vendor’s fixes.


https://www.securityweek.com/api-flaw-in-quickblox-framework-exposed-pii-of-millions-of-users/




OpenAI launches GPT-4 API for everyone

On Thursday, OpenAI announced that all paying API customers now have access to the GPT-4 API. It also introduced updates to chat-based models, announced a shift from the Completions API to the Chat Completions API, and outlined plans for deprecation of older models.

Generally considered its most powerful API product, the GPT-4 API first launched in March but has been under closed testing until now. As an API, developers can use a special interface to integrate OpenAI’s large language model (LLM) into their own products for uses such as summarization, coding assistance, analysis, and composition. The model runs remotely on OpenAI’s servers and provides output to other apps over the Internet.

OpenAI says the GPT-4 API with 8K context is accessible to existing developers who have a successful payment history, with plans to open access to new developers by the end of July. And in a move to distance itself from older GPT-3-style models, OpenAI has also opted to begin retiring “Completions API” models in favor of newer Chat Completions API models. Since its March launch, OpenAI says that its Chat Completions API models now account for 97 percent of OpenAI’s API GPT usage.

This deprecation plan involves retiring models that are part of the Completions API in six months. Starting January 4, 2024, these older models, which simply complete a prompt instead of engaging in a chat-like dialog, will be replaced with newer versions, and developers using some of these models will be required to upgrade their integration manually. For now, the older models will remain available but will be labeled as “legacy” products. Here’s a partial list of models that will be deprecated:

  • ada
  • babbage
  • curie
  • davinci
  • davinci-instruct-beta
  • curie-instruct-beta
  • text-ada-001
  • text-babbage-001
  • text-curie-001
  • text-davinci-001
  • text-davinci-002
  • text-davinci-003

OpenAI will provide drop-in replacements for these older models. For example, OpenAI recommends that users of the text-davinci-003 model switch to the gpt-3.5-turbo-instruct model instead. Similarly, the ada-002, babbage-002, curie-002, and davinci-002 models will replace earlier versions of each. Applications using some of these GPT-3 models (such as ada, babbage, curie, davinci) will “automatically be upgraded to the new models listed above on January 4, 2024,” according to OpenAI.

OpenAI also announced that “based on the stability and readiness of these models for production-scale use,” it is also making APIs for Whisper, DALL-E, and GPT-3.5 Turbo “generally available.” And the company expects to continue fine-tuning the models throughout the year.

Developers can find more details in OpenAI’s blog post for the announcement.

https://arstechnica.com/?p=1952557




Reddit mods fear spam overload as BotDefense leaves “antagonistic” Reddit


The Reddit community is still reckoning with the consequences of the platform’s API price hike. The changes have led to the shuttering of numerous third-party Reddit apps and have pushed several important communities, like the Ask Me Anything (AMAs) organizers, to reduce or end their presence on the site.

The latest group to announce its departure is BotDefense. BotDefense, which helps remove rogue submission and comment bots from Reddit and which is maintained by volunteer moderators, is said to help moderate 3,650 subreddits. BotDefense’s creator told Ars Technica that the team is now quitting over Reddit’s “antagonistic actions” toward moderators and developers, with concerning implications for spam moderation on some large subreddits like r/space.

Valued bot fighter

BotDefense started in 2019 as a volunteer project and has been run by volunteer mods, known as “dequeued” and “abrownn” on Reddit. Since then, it claims to have populated its ban list with 144,926 accounts, and it helps moderate subreddits with huge followings, like r/gaming (37.4 million members), /r/aww (34.2 million), r/music (32.4 million), r/Jokes (26.2 million), r/space (23.5 million), and /r/LifeProTips (22.2 million). Dequeued told Ars that other large subreddits BotDefense helps moderate include /r/food, /r/EarthPorn, /r/DIY, and /r/mildlyinteresting.

On Wednesday, dequeued announced that BotDefense is ceasing operations. BotDefense has already stopped accepting bot account submissions and will disable future action on bots. BotDefense “will continue to review appeals and process unbans for a minimum of 90 days or until Reddit breaks the code running BotDefense,” the announcement said. The announcement also advised “keeping BotDefense as a moderator through October 3rd so any future unbans can be processed.”

The situation also highlights the importance of Pushshift, which recently lost Reddit API access due to a “miscommunication,” according to Ars Technica sister site Wired—but then regained it. Pushshift is run by the Network Contagion Research Institute in Princeton, New Jersey, and is said to be popular among Reddit’s thousands of volunteer moderators. As a non-commercial and educational tool, Pushshift has an exemption to Reddit’s new API pricing scheme, but dequeued told Ars Technica that restrictions Reddit has imposed have “made it cumbersome to use.” Further, “most of the users who submit bots to BotDefense no longer have access,” the mod said.

That’s important because “Pushshift is critical to our efforts to detect repost bots, comment copy bots, bots that use ChatGPT to mimic human activity, and other types of malicious bots,” dequeued told Ars Technica. “Pushshift has a very detailed system for searching through past content. We use it to detect these bots. Reddit is much more limiting in searching for past posts, and the API doesn’t support searching for comments.”

Like other moderators Ars has spoken to, dequeued cited shuttered third-party Reddit apps, like Apollo and RIF Is Fun, as key moderation tools. dequeued also pointed to “apps that acted as front-ends to Pushshift, which made it easier for users to research malicious accounts” as critical to BotDefense’s efforts.

Some third-party Reddit apps, like Narwhal, are still available and have moved to paid models. However, devs Ars has spoken with have shown uncertainty around how sustainable these approaches are.

Meanwhile, dequeued said that Reddit’s “few minor gestures” to keep a small number of third-party apps alive doesn’t fix the poor reputation the company now has with BotDefense.

Dequeued, who said they’ve been moderating for nearly nine years, said Reddit’s “antagonistic actions” toward devs and mods are the only reason BotDefense is closing. The moderator said there were plans for future tools, like a new machine learning system for detecting “many more” bots. Before the API battle turned ugly, dequeued had no plans to stop working on BotDefense.

https://arstechnica.com/?p=1952125




JumpCloud Says All API Keys Invalidated to Protect Customers

Device, identity and access management solutions provider JumpCloud has reset customer API keys in response to an “ongoing incident”.

JumpCloud has yet to share any information, but notifications sent to customers suggest that it’s dealing with a security incident. The company said existing API keys have been invalidated to protect the customer’s “organization and operations”.

“We apologize for any disruption this causes you and your organization,” the company told users, “but the action was taken on your behalf as the most prudent course of action.” 

While JumpCloud’s status pages make no mention of the incident, the company has published a support page informing admins that all API keys have been invalidated, impacting several features and integrations. The page provides instructions for generating new API keys.

“Out of an abundance of caution relating to an ongoing incident, JumpCloud has decided to invalidate all API Keys for JumpCloud Admins,” reads a message on that support page.

SecurityWeek has reached out to JumpCloud for more information and will update this article if the company responds. 


https://www.securityweek.com/jumpcloud-says-all-api-keys-invalidated-to-protect-customers/




AMAs are the latest casualty in Reddit’s API war


Ask Me Anything (AMA) has been a Reddit staple that helped popularize the social media platform. It delivered some unique, personal, and, at times, fiery interviews between public figures and people who submitted questions. The Q&A format became so popular that many people host so-called AMAs these days, but the main subreddit has been r/IAmA, where the likes of then-US President Barack Obama and Bill Gates have sat in the virtual hot seat. But that subreddit, which has been called its own “juggernaut of a media brand,” is about to look a lot different and likely less reputable.

On July 1, Reddit moved forward with changes to its API pricing that have infuriated a large and influential portion of its user base. High pricing and a 30-day adjustment period resulted in many third-party Reddit apps closing and others moving to paid-for models that developers are unsure are sustainable.

The latest casualty in the Reddit battle has a profound impact on one of the most famous forms of Reddit content and signals a potential trend in Reddit content changing for the worse.

On Saturday, the r/IAmA moderators announced that they will no longer perform these duties:

  • Active solicitation of celebrities or high-profile figures to do AMAs.
  • Email and modmail coordination with celebrities and high-profile figures and their PR teams to facilitate, educate, and operate AMAs. (We will still be available to answer questions about posting, though response time may vary).
  • Running and maintaining a website for scheduling of AMAs with pre-verification and proof, as well as social media promotion.
  • Maintaining a current up-to-date sidebar calendar of scheduled AMAs, with schedule reminders for users.
  • Sister subreddits with categorized cross-posts for easy following.
  • Moderator confidential verification for AMAs.
  • Running various bots, including automatic flairing of live posts.

The subreddit, which has 22.5 million subscribers as of this writing, will still exist, but its moderators contend that most of what makes it special will be undermined.

“Moving forward, we’ll be allowing most AMA topics, leaving proof and requests for verification up to the community, and limiting ourselves to removing rule-breaking material alone. This doesn’t mean we’re allowing fake AMAs explicitly, but it does mean you’ll need to pay more attention,” the moderators said.

The mods will also continue to do bare minimum tasks like keeping spam out and rule enforcement, they said. Like many other Reddit moderators Ars has spoken to, some will step away from their duties, and they’ll reportedly be replaced “as needed.”

Fed up with Reddit

The mods’ announcement marks a major transition for the subreddit famous for scoring household names like Gates, Elon Musk, and Madonna. Those high-profile names and others drew global headlines and Reddit visitors who weren’t previously regulars.

“This sub—and in particular, the fact that high-profile celebrities’ appearances on here [are] often featured in articles in places like BBC News—is how I discovered Reddit,” a comment posted to the r/IAmA moderators’ announcement said.

However, the subreddit mods are fed up with the site. To illustrate Reddit’s history of disregarding users and moderators, the announcement cited an op-ed that two subreddit mods wrote for The New York Times in 2015 to explain the recent decision.

Written by mods Brian Lynch and Courtnie Swearingen, the op-ed explained the subreddit moderators’ decision to go dark for 24 hours after Reddit fired Victoria Taylor, who worked with moderators on AMAs.

The op-ed said Reddit “made critical changes” to the site “without any apparent care for how those changes might affect their biggest resource: the community and the moderators that help tend the subreddits that constitute the site.”

https://arstechnica.com/?p=1951523




Reddit API changes are imminent. Here’s what’s happening to your favorite apps


It’s been a contentious journey, but Reddit’s new API pricing will take effect on July 1. What started as a fight over creating an affordable option for valued third-party Reddit apps has evolved into a bitter battle pitting Reddit against indignant developers, mods, and users. Protests remain, but some users are now preparing to exit the platform, including some of Reddit’s most seasoned moderators.

Where does that leave third-party developers, some of which said they would have to pay Reddit $20 million annually to continue? Ars Technica spoke with developers to learn where their apps stand, how some will manage to stay afloat, and what Reddit’s changes mean for the future.

Surviving apps

When Reddit announced that, starting on July 1, it would no longer permit free API access except for certain non-commercial apps, many Reddit app developers responded by telling users that they were unsure if they could keep the apps running. Now that the new API pricing ($12,000 per 50 million API requests) is set to be reality, here’s a look at the most popular apps that will still be available.

Narwhal for Reddit

A new version of the Narwhal for Reddit app, Narwhal 2, will be available as a subscription. Pricing isn’t confirmed yet, but developer Ricker Harrison told Ars he hopes the updated app will be ready to ship within the next one to two months, after he gets more data on API usage. He’s considering a base subscription fee with a certain number of API calls, allowing users to buy more if needed.

I asked Harrison if he can afford to keep the original Narwhal available ahead of Narwhal 2’s release, but the dev said he couldn’t say currently “due to an NDA.”

“I’m just trying to be open-minded about it right now,” he said of the current situation. “Instead of just shutting down completely, I at least want to give it a shot… Even if I’m the only person who uses Narwhal 2, then I’d still rather it exists.”

The dev said that Narwhal has made a “very small amount of money over time” with ads. Reddit’s new rules don’t allow third-party apps with ads.

Infinity for Reddit

Infinity for Reddit plans to be available sometime after July 1 as a subscription.

“I need to change the API key, since Infinity is open source and the key is visible on the repo,” developer Alex Ning told Ars. “If I cannot afford it before I finish the update, I will just change the key, and that means Infinity will not be usable until the update is available.”

The price hasn’t been finalized, but $3 a month is under consideration. Ning said he’s “not trying to make money” off the app, which doesn’t have ads.

Contrary to some of the discussions that devs claimed they had with Reddit, Reddit was accommodating in discussions with Infinity over “several calls,” where the company provided API usage insights, according to Ning.

https://arstechnica.com/?p=1951212




As the Reddit war rages on, community trust is the casualty


Over 8,400 subreddits went dark from June 12 through June 14 in protest over new API pricing that is about to shutter many third-party Reddit apps. But now that the biggest uprising in Reddit history is slowing, what’s next for Reddit?

Despite weeks of heated debate, Reddit still plans to begin its API pricing system on July 1. The social media company has until now provided free API access, but—after claiming it didn’t want AI chatbots to profit off Reddit’s content for free—it announced pricing changes so dramatic that popular third-party Reddit app Apollo faced a $20 million annual bill. Apollo now plans to close ahead of the API changes; so do other third-party apps.

With the blackout over on many subreddits, Reddit is banking on the outrage passing. But Reddit—once a thriving, distinct community—has depleted significant communal goodwill in this battle. Volunteer moderators remain apprehensive of a future without third-party apps, and thousands of subreddits still aren’t public again. Reddit will try to grow revenue off a community whose most dedicated members remain anxious.

The war continues

Reddit’s sudden rollout of high prices is a needlessly painful way of reminding the community who makes the rules, but Reddit has always had the right to make money off the platform it built. No one can stop Reddit from charging what it wants or boxing out third-party apps. But because Reddit is built on user-generated content, volunteer moderators, and thousands of unique and almost totally self-governed communities, it doesn’t get to decide when the war is over. The argument will continue indefinitely—and for hundreds of subreddits, so will the blackouts. (Reddit declined to comment about the continuing protests to Ars Technica.)

A post on the r/ModCoord subreddit says that over 300 subreddits will “remain private or otherwise inaccessible indefinitely until Reddit provides an adequate solution.” Included subreddits include high-trafficked communities like r/aww (34.1 million subscribers) and r/music (32.3 million). The number of subreddits still dark as of this writing, though, is much larger. According to the Reddark counter on Twitch, around 5,200 subreddits are still dark (about 60 percent of the number of subreddits that promised to join the original protest). This number is steadily declining, however.

“More is needed for Reddit to act,” the June 13 post on r/ModCoord says. For subreddits with difficulties going private due to the social value of their subject matter (such as r/StopDrinking), the post suggests “a weekly gesture of support” like “a weekly one-day blackout, an automod-posted sticky announcement” or “a changed subreddit rule to encourage participation themed around the protest.”

The same community that built Reddit is now weaponizing its unity in its fight against Reddit. Protestors are using Reddit to organize protests against Reddit. And they’re using Reddit to share images illustrating how bad they think the platform will become.

https://arstechnica.com/?p=1947808




OpenAI rolls out big chatbot API upgrades for developers


On Tuesday, OpenAI announced a sizable update to its large language model API offerings (including GPT-4 and gpt-3.5-turbo), including a new function calling capability, significant cost reductions, and a 16,000 token context window option for the gpt-3.5-turbo model.

In large language models (LLMs), the “context window” is like a short-term memory that stores the contents of the prompt input or, in the case of a chatbot, the entire contents of the ongoing conversation. In language models, increasing context size has become a technological race, with Anthropic recently announcing a 100,000-token (roughly 75,000-word) context window option for its Claude language model. In addition, OpenAI has developed a 32,000-token version of GPT-4, but it is not yet publicly available.

Along those lines, OpenAI just introduced a new 16,000-token context window version of gpt-3.5-turbo, called, unsurprisingly, “gpt-3.5-turbo-16k,” which allows a prompt to be up to 16,000 tokens in length. With four times the context length of the standard 4,000-token version, gpt-3.5-turbo-16k can process around 20 pages of text in a single request. This is a considerable boost for developers requiring the model to process and generate responses for larger chunks of text.

As covered in detail in the announcement post, OpenAI listed at least four other major new changes to its GPT APIs:

  • Introduction of function calling feature in the Chat Completions API
  • Improved and “more steerable” versions of GPT-4 and gpt-3.5-turbo
  • A 75 percent price cut on the “ada” embeddings model
  • A 25 percent price reduction on input tokens for gpt-3.5-turbo.

With function calling, developers can now more easily build chatbots capable of calling external tools, converting natural language into external API calls, or making database queries. For example, it can convert prompts such as, “Email Anya to see if she wants to get coffee next Friday” into a function call like, “send_email(to: string, body: string).” In particular, this feature will also allow for consistent JSON-formatted output, which API users previously had difficulty generating.

Regarding “steerability,” which is a fancy term for the process of getting the LLM to behave the way you want it to, OpenAI says its new “gpt-3.5-turbo-0613” model will include “more reliable steerability via the system message.” The system message in the API is a special directive prompt that tells the model how to behave, such as “You are Grimace. You only talk about milkshakes.”

In addition to the functional improvements, OpenAI is offering substantial cost reductions. Notably, the price of the popular gpt-3.5-turbo’s input tokens has been reduced by 25 percent. This means developers can now use this model for approximately $0.0015 per 1,000 input tokens and $0.002 per 1,000 output tokens, equating to roughly 700 pages per dollar. The gpt-3.5-turbo-16k model is priced at $0.003 per 1,000 input tokens and $0.004 per 1,000 output tokens.

Diagram: how GPT conversational language model prompting works (Benj Edwards / Ars Technica).

Further, OpenAI is offering a massive 75 percent cost reduction for its “text-embedding-ada-002” embeddings model, which is more esoteric in use than its conversational brethren. An embeddings model is like a translator for computers, turning words and concepts into a numerical language that machines can understand, which is important for tasks like searching text and suggesting relevant content.

Since OpenAI keeps updating its models, the old ones won’t be around forever. Today, the company also announced it is beginning the deprecation process for some earlier versions of these models, including gpt-3.5-turbo-0301 and gpt-4-0314. The company says that developers can continue to use these models until September 13, after which the older models will no longer be accessible.

It’s worth noting that OpenAI’s GPT-4 API is still locked behind a waitlist and not yet widely available.

https://arstechnica.com/?p=1947545




Reddit CEO assures employees that API pricing protests haven’t hurt revenue


There are nearly 8,500 subreddits that are private or read-only right now in protest over Reddit’s upcoming API price hike. The protest started on June 12, crashed Reddit for three hours, and is scheduled to continue until June 14. Reddit CEO Steve Huffman, according to an internal memo reportedly viewed by The Verge today, isn’t too worried, though, since it hasn’t hurt Reddit’s pockets yet.

According to The Verge (where you can view the full memo), Huffman sent the note to employees on Monday afternoon. It starts by noting the “challenge” from the Reddit API pricing protest.

“We do anticipate many of [the subreddits] will come back by Wednesday, as many have said as much. While we knew this was coming, it is a challenge nevertheless, and we have our work cut out for us,” the note reportedly says. “A number of Snoos [Reddit’s nickname for employees] have been working around the clock, adapting to infrastructure strains, engaging with communities, and responding to the myriad of issues related to this blackout.”

This, too, shall pass

Then, the note seemingly looks to calm employee anxieties or fears around the protests by depicting the blackout as a temporary occurrence that hasn’t yet impacted Reddit’s finances:

We have not seen any significant revenue impact so far and we will continue to monitor.

There’s a lot of noise with this one. Among the noisiest we’ve seen. Please know that our teams are on it, and like all blowups on Reddit, this one will pass as well.

Some subreddits have said they will go dark indefinitely. As of this writing, 8,444 subreddits are protesting, according to the Reddark counter, which says 8,838 subreddits pledged to join.

Similar to how Twitter was accosted when it jacked up its API pricing in February, Reddit has been accused of corporate greed as it seeks to suddenly charge what some argue are exorbitant amounts for something that used to be free.

For its part, Reddit hasn’t been shy about its desire to make money, especially considering many popular third-party Reddit apps don’t run Reddit’s ads, its biggest source of revenue.

“Reddit needs to be fairly paid to continue supporting high-usage third-party apps. Our pricing is based on usage levels that we measure to be comparable to our own costs,” Reddit spokesperson Tim Rathschmidt said in a statement to Bloomberg on June 6.

News of Reddit’s initial public offering has drawn further attention during this spectacle, as The Information in February reported that Reddit aims to go public in 2023. Additionally, there’s a sense that Reddit is seeking greater control over its platform.

Huffman’s memo reportedly said that the long-term solution to challenges brought on by the protests is to improve Reddit and noted “a few upcoming critical mod tool launches we need to nail.”

Reddit recently started allowing NSFW image uploads on its desktop app but will remove NSFW content from third-party apps with its API changes, attributing the move to regulatory concerns. Reddit has also refrained from offering any compromise that would see lower API fees for developers that run Reddit’s ads.

Further, Reddit showed interest in growing the use of its apps when it experimented with blocking logged-in mobile browser access earlier this year.

Community consequences

Reddit might not have seen any financial consequences yet. But its announced API fees, the revelation that those fees would cost it $20 million a year for one third-party app, and the backlash from other developers, users, and moderators have shaken the Reddit community. It’s hard to quantify that impact, but a sense of community is why some people visit Reddit in the first place.

Huffman’s note, according to The Verge, said:

I am sorry to say this, but please be mindful of wearing Reddit gear in public. Some folks are really upset, and we don’t want you to be the object of their frustrations.

In an active Q&A on Friday, someone asked Huffman if he was concerned “that Reddit has become increasingly profit-driven and less focused on community engagement,” and his response didn’t foster a sense of community either.

“We’ll continue to be profit-driven until profits arrive. Unlike some of the 3P apps, we are not profitable,” Huffman said.

In Monday’s note, Huffman reportedly mentioned the planned closures of Apollo, Reddit Is Fun, “and a couple others,” and said, “We are still in conversation with some of the others.”

As some might have expected, the protests haven’t yet brought any sign of Reddit relenting on its API pricing. The company has given accessibility-focused apps exemptions, though.

“In this whole saga, I don’t think I’ve seen Reddit offer to give an inch on any of the things,” Apollo developer Christian Selig told The Vergecast podcast this week.

Advance Publications, which owns Ars Technica parent Condé Nast, is the largest shareholder in Reddit.

https://arstechnica.com/?p=1947571

API pricing protests caused Reddit to crash for 3 hours

A general view of the Reddit homepage

It took less than 11 hours for Reddit to feel the impact of widespread protests of its API fees. Over 7,000 subreddits became private in order to “go dark” and resist Reddit’s controversial API pricing hike, which caused some instability for the site, and it was down from about 10:25 am ET to 1:26 pm today.

Amid the outage, Reddit spokesperson Tim Rathschmidt told The Verge:

A significant number of subreddits shifting to private caused some expected stability issues, and we’ve been working on resolving the anticipated issue.

As of this writing, 7,856 subreddits have joined the protest, according to a counter on Twitch, and 8,191 have said they will do so. Some of the subreddits going dark have tens of millions of subscribers. But with the outage, the protests have already affected users who don’t use a protesting subreddit.

During the outage, I couldn’t use Reddit’s site, which showed a main feed with the note, “Something went wrong. Just don’t panic” and a pop-up saying, “Sorry, we couldn’t load posts for this page.” TechCrunch reported that users couldn’t view threads on Reddit’s app either. According to The Verge, “some” subreddits loaded during this time. There were 45,887 reports of outages at the problem’s peak, per Downdetector.

Thousands of subreddits unified in going private or read-only starting June 12 (some began their protests earlier, though, and some say they’ll protest indefinitely) through June 14 to revolt against how much Reddit will charge to access its API, which used to be free. Some believe the changes announced in April are an intentional death knell for third-party Reddit apps, similar to how Twitter virtually eliminated third-party apps with its API price hike in February.

iOS app Apollo, which set the controversy into overdrive when it said the new pricing scheme would require it to pay $20 million a year to keep functioning, said it would shutter on June 30. Apollo is the most popular third-party Reddit app and not the only one preparing for the end.

And while the three-hour outage may feel like a win for the little guy, Reddit has yet to show any signs of relenting.

In an uncomfortable Q&A on the matter on Friday ahead of the protests, Reddit CEO Steve Huffman was unyielding on pricing, saying in his initial post that “Reddit needs to be a self-sustaining business, and to do that, we can no longer subsidize commercial entities that require large-scale data use.”

“We’ll continue to be profit-driven until profits arrive. Unlike some of the 3P apps, we are not profitable,” Huffman responded when asked about concerns “that Reddit has become increasingly profit-driven and less focused on community engagement.”

Reddit is giving a free pass to apps that “address accessibility needs,” Rathschmidt told The Verge last week, and some, like RedReader and Dystopia, confirmed receiving exemptions.

But beyond that, Reddit has insisted it should be “fairly paid” to support third-party apps. The company seems to be on a quest for cash, which included reported layoffs and hiring freezes last week. Reddit filed for an initial public offering in late 2021, and The Information reported in February that it wants to go public this year.

Reddit denied trying to end third-party apps, but skepticism persists, especially considering the pricing scheme. Reddit will charge $0.24 per 1,000 requests or $12,000 for 50 million. For comparison, Imgur charges $500 per month for 7.5 million requests per month or $10,000 monthly for 150 million requests per month, and Twitter charges $42,000 for 50 million tweets.

Advance Publications, which owns Ars Technica parent Condé Nast, is the largest shareholder in Reddit.

https://arstechnica.com/?p=1947293