StaySafe.ph Low Priority Bug

Posted on Mar 31, 2022

I was signing up for StaySafe.ph when out of curiosity, I look around in their public HTML code and saw an exposed public key (UPLOADCARE_PUBLIC_KEY).

So I figured out this key is for uploading to UploadCare, interesting. As I look around UploadCare's API documentation, I noticed that for uploading an image you only need a public key.

For communicating with their API, you need both public and secret key.

I went to their GitHub Swift sample and I was able to confirm that you only need a public key to upload data/image.

Anyone can do something like:

let uploadcare = Uploadcare(withPublicKey: "734d3d11040528ef145e")
guard let url = URL(string: "[source.unsplash.com/random](https://source.unsplash.com/random)") else { return }
guard let data = try? Data(contentsOf: url) else { return }

let fileForUploading1 = uploadcare.uploadAPI.directUpload(files: ["test.jpg": data], nil, {
            files, error in
        })
(fileForUploading1 as? UploadTaskResumable)?.resume()

I didn't test it since I may be in some trouble since StaySafe.ph is a government Covid tracker app. But obviously, anyone can pollute your data by uploading their own image. Someone can automate it and the next thing you know you might incur additional payment for excess usage.

I'm not sure if this is anything alarming but nevertheless, I believe this is something the developers need to look at.