The Register® — Biting the hand that feeds IT

Facebook app shows botnet risk

Aidan Samuel

Yawn 

Big deal. What about the thousands of forums that allow you to post <img .../> tags?

You're only going to get a few thousand people installing your app, and they are not all going to do it within a few seconds of each other. Your browser is liable to cache most things this 'malicious' app forces your browser to retrieve. And most websites can handle serving a few thousand pictures over the course of a week perhaps. In fact I'd go so far as to say that's what they were designed to do.

Peyton

How does this tie in with 

the whole 'content hosters not being responsible for user contributions' scenario? Like the Reg is not responsible for the content of this missive even though they provide the interface I use to post it... Is Facebook exempt from damages caused by their little webapp interface, since it's created by a third party? Or will this be yet another grey area of internet law that needs to be vetted?

Mark

It's not /b/ 

It's your personal army.

-or-

Who needs zombie PCs when you have zombie users.

dave lawless

pah, at least be malicious 

http://riosec.com/how-to-create-a-gifar

http://66.102.9.104/search?q=cache:Y2kd8XolyJkJ:www.hackaday.com/2008/08/04/the-gifar-image-vulnerability/+gifar

Steve

click fraud is more likely 

I'd have thought that ad click fraud would be one of the easiest and nearly undetectable uses of this technique. No longer require actual people to click and each IP is genuine so very difficult for Google to detect it as fraud.

Anonymous Coward

@Aidan Samuel 

"Your browser is liable to cache most things this 'malicious' app forces your browser to retrieve"

and a web site can tell it not to save anything and load everything from the web site each time the user views it

<META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">

and

<META HTTP-EQUIV="EXPIRES" CONTENT="Mon, 22 Jul 1999 11:12:01 GMT">

should do it :P

Anonymous Coward

@Aidan Samuel 

That's only if the url is constant.

The answer from AC is valid, but sort of ignores the point - since no webserver will intentionally be configured to allow itself to be DoS'd. At least, you'd hope not...

Anyway - adding some random text after the link will do just as well. So instead of requesting:

http://www.example.com/image.jpg

you request

http://www.example.com/image.jpg?UID=0123456789

(With that number being "randomly" generated)

Then it is quite unlikely to be cached.
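Seen from the web server on the receiving end, the cache-busted fetches described in this thread leave a recognisable trace: one path requested by many distinct clients in a short window, each request carrying a different query string. The following detector is an added example, not code from the thread or from The Register; the access-log lines are constructed, the path and UID values are placeholders, and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.1 - - [04/Aug/2008:12:00:01 +0000] "GET /image.jpg?UID=0123456789 HTTP/1.1" 200 5120
10.0.0.2 - - [04/Aug/2008:12:00:02 +0000] "GET /image.jpg?UID=9876543210 HTTP/1.1" 200 5120
10.0.0.3 - - [04/Aug/2008:12:00:02 +0000] "GET /image.jpg?UID=5555555555 HTTP/1.1" 200 5120
10.0.0.4 - - [04/Aug/2008:12:00:03 +0000] "GET /image.jpg?UID=1111111111 HTTP/1.1" 200 5120
10.0.0.5 - - [04/Aug/2008:12:00:03 +0000] "GET /image.jpg?UID=2222222222 HTTP/1.1" 200 5120
10.0.0.6 - - [04/Aug/2008:12:00:04 +0000] "GET /index.html HTTP/1.1" 200 2048
10.0.0.7 - - [04/Aug/2008:12:00:05 +0000] "GET /logo.png?v=3 HTTP/1.1" 200 900
10.0.0.8 - - [04/Aug/2008:12:00:06 +0000] "GET /logo.png?v=3 HTTP/1.1" 200 900
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) (\d+|-)')

def parse_line(line):
    """Return (client_ip, timestamp, path, query) or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, target, _status, _size = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    path, _, query = target.partition("?")
    return ip, when, path, query

def find_cache_busting(log_text, window=timedelta(seconds=10), min_clients=5, min_unique_ratio=0.9):
    """Flag paths hit by many distinct clients within `window` where nearly every request
    carries a different query string (a legitimately cacheable image, or a versioned
    one like ?v=3, shares the same query across clients and is not flagged)."""
    by_path = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, when, path, query = parsed
        by_path[path].append((when, ip, query))
    flagged = {}
    for path, hits in by_path.items():
        hits.sort()  # time-ordered so a sliding window can be applied
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            span = hits[start:end + 1]
            clients = {ip for _, ip, _ in span}
            queries = {q for _, _, q in span}
            if len(clients) >= min_clients and len(queries) / len(span) >= min_unique_ratio:
                flagged[path] = {"clients": len(clients), "requests": len(span)}
    return flagged
```

Thresholds need tuning per site: a CDN-backed asset with per-user signed URLs would also show unique query strings, so the ratio alone is a signal to correlate with request rate and referrer, not a verdict.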