As of January 3rd, 2026, this vulnerability is not fixed. I was granted permission to post this vulnerability on January 1st, 2026, but I have been holding off on it.

Enjoy reading it.

Welcome to the blog! Yesterday (29/11/2025), I decided to go on a little hunt for vulns in Scrapbook, Hack Club's devlog publishing thing. With that, I found two vulns, one of which I have already written about, but this one, this one is very silly.

The Hack Club security program

The Hack Club Security program was made by 3kh0 (aka the monero fox or smth) so people could report security vulns related to Hack Club's services. These range from PII leaks to Airtable injections, etc. Most of the issues that have been found are related to programs like Shiba or Juice and Clubs (yes...).

About the vulnerability

Scrapbook uses AWS S3 buckets to store pictures, which are required for you to make a Scrapbook post. While analysing the API endpoints that handle the upload, I discovered this piece of code in the apps/web/pages/api/presigned-s3.js file...

import { v4 as uuidv4 } from "uuid";
import { getSignedUrl } from "@aws-sdk/s3-request-presigner";
import { PutObjectCommand } from "@aws-sdk/client-s3";
import s3 from "../../lib/s3";

export default async function handleGetSignedUrl(req, res) {
  // Both values come straight from the query string, unvalidated
  const { filename, filetype } = req.query;

  // The object key is a random UUID plus whatever filename the caller sent
  const command = new PutObjectCommand({
    Bucket: 'scrapbook-into-the-redwoods',
    Key: `${uuidv4()}-${filename}`,
    ContentType: filetype
  });

  // Generate a presigned URL that expires in 1 hour
  const signedUrl = await getSignedUrl(s3, command, { expiresIn: 3600 })

  // Returned to whoever asked, with no session or login check anywhere above
  if (signedUrl) return res.send({ signedUrl })
}

Can you see the issue? There's no authentication check. Nothing. Which means... anyone, without being logged in, without any file limits, can upload anything to Scrapbook's S3 bucket by just requesting a pre-signed URL! They just had to make a POST request to /api/presigned-s3 to obtain one. It was as simple as that.

The impact

Okay so what's the impact here... well, basically, you can rack up some AWS bills for Hack Club! There's no limit on how many files you can upload, nor on the files themselves. So yes, you could make a free cloud service, powered by a silly devlog program :3 (don't do this lmfao)

Also, theoretically, someone could host CSAM content in the Hack Club AWS, leading to legal issues...

Vulnerability timeline

All the dates in here are in dd/mm/yyyy...

  • I discovered this vulnerability on 29/11/2025 and reported it to the Security Program. Scrapbook's maintainer was informed of it on 01/12/2025 and responded saying that these issues "would be addressed".
  • On the 26/12/2025, I received the OK to publish this blog post on 01/01/2026.
  • On 03/01/2026, I posted it publicly.

Final notes

The timeline isn't the best. I actually spoke with 3kh0 about this timeline (when I met up with them IRL in rainy (and very cold) Lisbon, Portugal).

Of course, I understand people have lives, but a month to fix a vulnerability isn't great.

This vulnerability is still not fixed, but I have been granted permission to publish it, so I have decided to go through with publishing it.

In the end I did not get any payout, same as for the other vulnerability I reported.
I was warned that this might happen when I reported it, since Scrapbook doesn't have a budget allocated to it. Understandable, but again, the Security program is opt-out, not opt-in, which annoys me a little bit.

Thanks for reading!
