StaySafe.ph Low Priority Bug

I was signing up for StaySafe.ph when, out of curiosity, I looked around in their public HTML code and saw an exposed public key (UPLOADCARE_PUBLIC_KEY).

So I figured out that this key is for uploading to UploadCare. Interesting. As I looked around UploadCare's API documentation, I noticed that for uploading an image you only need a public key.

For communicating with their API, you need both the public and the secret key.

I went to their GitHub Swift sample and I was able to confirm that you only need a public key to upload data/image.

Anyone can do something like:

import Foundation
import Uploadcare

func uploadWithPublicKeyOnly() {
    // A client configured with nothing but the public key found in the page source.
    let uploadcare = Uploadcare(withPublicKey: "734d3d11040528ef145e")
    // Any bytes will do as a payload; here a random image is downloaded.
    guard let url = URL(string: "https://source.unsplash.com/random") else { return }
    guard let data = try? Data(contentsOf: url) else { return }
    // Direct upload: no secret key or signature is involved.
    let fileForUploading1 = uploadcare.uploadAPI.directUpload(files: ["test.jpg": data], nil) { files, error in
        // Handle the upload response or error here.
    }
    (fileForUploading1 as? UploadTaskResumable)?.resume()
}

I didn't test it, since I might get into some trouble: StaySafe.ph is a government Covid tracker app. But obviously anyone can pollute your data by uploading their own images. Someone could automate it, and the next thing you know you might incur additional payment for excess usage.
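Added example, not code from the post or from Uploadcare: the fix for this class of exposure is to enable Uploadcare's signed uploads, where the backend signs a short expiry window with the secret key and the upload endpoint rejects requests that carry only the public key. The credentials are constructed, the form field names are my assumption about the Upload API, and the verification function is a model of the endpoint's check rather than Uploadcare's own code.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed sample credentials for this example, not the keys from the post.
PUBLIC_KEY = "demo_public_key"
SECRET_KEY = "demo_secret_key"


def make_upload_signature(secret_key: str, expire: int) -> str:
    """Hex HMAC-SHA256 of the expiry timestamp, keyed with the secret key.

    This is the shape of Uploadcare's documented signed-upload scheme: only a
    backend holding the secret key can produce it, so a public key lifted from
    the page source no longer authorises an upload by itself.
    """
    return hmac.new(secret_key.encode(), str(expire).encode(), hashlib.sha256).hexdigest()


def signed_upload_params(public_key: str, secret_key: str, ttl_seconds: int = 300, now: Optional[int] = None) -> dict:
    """Fields the backend hands to a client for one short-lived upload window.
    Field names follow the Upload API form fields (assumed); the public key
    stays public, the signature is what the endpoint actually checks."""
    now = int(time.time()) if now is None else now
    expire = now + ttl_seconds
    return {
        "UPLOADCARE_PUB_KEY": public_key,
        "expire": str(expire),
        "signature": make_upload_signature(secret_key, expire),
    }


def verify_upload_request(params: dict, secret_key: str, now: Optional[int] = None) -> bool:
    """Model (assumption) of the check the upload endpoint applies once signed
    uploads are enforced: reject anything without a valid, unexpired signature."""
    now = int(time.time()) if now is None else now
    expire_raw = params.get("expire")
    signature = params.get("signature")
    if expire_raw is None or signature is None:
        return False  # the public-key-only request shown in the post
    try:
        expire = int(expire_raw)
    except ValueError:
        return False
    if expire <= now:
        return False  # upload window already closed
    expected = make_upload_signature(secret_key, expire)
    return hmac.compare_digest(expected, signature)
```

With this enforced, a scraped public key still identifies the project but can no longer be used to push files into it; the signing step stays behind whatever login the app already has.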

I'm not sure if this is anything alarming, but nevertheless I believe this is something the developers need to look at.
