I really don't think there is a bug...
I stumbled across the same issue just a few minutes ago.
The "trick" (well, actually it is no trick at all) is that you need to enter correct values (at least the domain on which the gallery runs) in the "Allowed domains for hotlink" field if you turn hotlink prevention on.
If you leave it at the default value (flying-bits.org), only requests originating from flying-bits.org will get a valid image returned.
At least it worked here without problems after I set the correct domain.