I just published two cryptography attacks on Uppy Companion, a tool for downloading/uploading documents from various cloud storage providers.

https://github.com/transloadit/uppy/issues/5705

https://github.com/transloadit/uppy/issues/5706

These attacks allow the recovery of the access tokens/refresh tokens of the various cloud providers, enabling an attacker with access to a stolen encrypted cookie value to get access to the cloud storage.

Once again, people: do not roll your own crypto! 😮‍💨
Using plain AES-CBC, deriving secrets with SHA256 and the sign-then-encrypt paradigm are not best practices.

#uppy #cryptography #aes #infosec #vulnerability #disclosure

Encryption Key Wear-out Leading to access_token/refresh_token Recovery in Uppy Companion · Issue #5705 · transloadit/uppy

Today’s adventure started hopeful. I managed to get the #Uppy Webcam plugin mostly working across Web, Android, and iOS; and then my #LocalStack S3 bucket dumped its CORS configuration so my #Tailscale funnel that I use to expose my local #Rails server to the #TurboNative apps got rejected.

But before I reapplied the CORS config I tried to update the `is-mobile` package for some reason, and now even after reverting and nuking `node_modules` Uppy Webcam doesn’t want to use the Android native webcam anymore and I have no idea why.

😭😭😭

I’ve been working on a feature for a #TurboNative app.

We want to allow folks to take multiple photos and upload them all together.

Folks must be able to *capture* photos directly through the app, with no photos stored to their device camera roll (for Very Good Reasons).

We’re using the #Uppy dashboard to provide the core experience, which works pretty well; but the out-of-the-box flow for taking a photo is three or so taps *per photo* on iOS, and doesn’t allow access to the camera on Android.

So tomorrow I am going to try and wrangle the Uppy Webcam plugin to see if it will let me take 3~8 photos in a row and upload them all at the end of the session.

If that doesn’t work, I may have to figure out how to pass messages between the web app and the iOS and Android apps for native photo capturing and inject those into Uppy…

😭😭😭

This feels complicated! `input type="file" capture multiple` should be sufficient

😭😭😭

#Rails #JavaScript #Turbo #iOS #Android #WebStandards #Programming