niko's console



automattic does not care about you (tumblr notification bug disclosure)

just like the last blog post, this one is about tumblr! specifically, this one is a public disclosure of a bug i found that automattic refused to acknowledge.

while i was working on the notifications server for my tumblr client, which works by consuming android firebase notifications, i found out that tumblr does not, under any circumstance, de-authorize previously authorized notification receivers!

since phosphor's notification server needs to register a device on your account in order to create the notification consumer, you'd assume that de-authorizing the app connection it creates would stop notifications entirely.. right?

turns out, nope! neither de-authorizing an app that created a device for receiving notifications nor completely changing your account's password removes any devices registered to it! if someone manages to create one of these devices on your account, you might not even know, and certainly can't remove it if you do, since the only way to remove these devices is to know the registration token that was initially used to add it to your account. this makes it not only completely undetectable, but also irreversibly connected to your account, which is wonderful!

it doesn't sound too bad, until you realize that tumblr messages also send notifications to your phone! in fact, the most common events (reblog and like activity) aren't revealed in the payload at all; the notification just tells the device to fetch the update itself. with message notifications, though, a preview of the message is sent in the notification payload :3
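to make the revocation problem concrete, here's a toy model of device registrations on an account. this is an added example and not tumblr's or automattic's code; the class and method names (LeakyNotifier, RevokingNotifier, register_device and so on) are assumptions. it puts the behaviour described above (registrations survive app de-authorization and password changes, and the owner can neither list nor remove them without the original token) next to a model where every registration is scoped to the app grant that created it, so revoking the grant or rotating the password drops it.

```python
"""
toy model of push-notification device registrations on an account.
added illustration, not tumblr's or automattic's code; all names are assumed.
"""
from dataclasses import dataclass, field
import secrets


@dataclass
class Device:
    token: str      # registration token, known only to whoever registered it
    app_grant: str  # the oauth app authorization used to register it


@dataclass
class Account:
    password: str
    grants: set = field(default_factory=set)     # active app authorizations
    devices: dict = field(default_factory=dict)  # token -> Device


class LeakyNotifier:
    """mirrors the described behaviour: nothing ever revokes a device."""

    def register_device(self, acct: Account, grant: str) -> str:
        if grant not in acct.grants:
            raise PermissionError("app is not authorized on this account")
        token = secrets.token_hex(8)
        acct.devices[token] = Device(token, grant)
        return token

    def revoke_grant(self, acct: Account, grant: str) -> None:
        acct.grants.discard(grant)  # devices untouched

    def change_password(self, acct: Account, new: str) -> None:
        acct.password = new         # devices untouched

    def remove_device(self, acct: Account, token: str) -> bool:
        # only possible if you already hold the registration token
        return acct.devices.pop(token, None) is not None

    def list_devices(self, acct: Account) -> list:
        return []  # the owner has no view of registrations at all


class RevokingNotifier(LeakyNotifier):
    """hardened model: registrations live and die with their app grant."""

    def revoke_grant(self, acct: Account, grant: str) -> None:
        super().revoke_grant(acct, grant)
        for tok in [t for t, d in acct.devices.items() if d.app_grant == grant]:
            del acct.devices[tok]

    def change_password(self, acct: Account, new: str) -> None:
        super().change_password(acct, new)
        acct.devices.clear()  # credential rotation drops every push receiver

    def list_devices(self, acct: Account) -> list:
        # owner sees which grant registered each device plus a masked token,
        # enough to spot a stranger and revoke it from the account side
        return [(d.app_grant, d.token[:4] + "...") for d in acct.devices.values()]


def scenario(notifier: LeakyNotifier) -> dict:
    """register a device through an app grant, then revoke the grant and
    rotate the password; count what the owner can see and what survives."""
    acct = Account(password="hunter2", grants={"phosphor"})
    notifier.register_device(acct, "phosphor")
    visible = len(notifier.list_devices(acct))
    notifier.revoke_grant(acct, "phosphor")
    after_revoke = len(acct.devices)
    notifier.change_password(acct, "correct horse battery staple")
    after_rotate = len(acct.devices)
    return {"visible": visible, "after_revoke": after_revoke,
            "after_rotate": after_rotate}


if __name__ == "__main__":
    print("leaky:   ", scenario(LeakyNotifier()))     # device survives everything
    print("revoking:", scenario(RevokingNotifier()))  # device gone once grant revoked
```

whether a password change should clear every push receiver is a product decision, but tying each registration to the grant that created it, and letting the owner enumerate them, is the minimum that makes the situation detectable and reversible.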

vulnerability demo video
i attempted to report this to automattic via their hackerone program (which, by the way, has lower bounties for everything that's not their paid version of wordpress), but it was closed as "not applicable", citing that "once full account access is obtained, many things are possible", disregarding the fact that it's completely impossible to reverse this, unlike every other action possible from gaining full access.

thanks automattic <3
written november fifteenth, 2025

swiftui shenanigans make me suffer

the tumblr app from the last blog post is back and causing more issues for me! :3
or should i say, the ios sdk is causing the issues.

about 3 months ago, my phone decided to go into an unrecoverable bootloop for unknown reasons at about 2am at night. after this happened, i was forced to DFU restore to ios 18, which meant no more jailbreak for me. what it did mean however, was an updated version of swiftui! hooray!

i took that opportunity to update to some newer features of swiftui and fix some unfixable issues caused by the old version of swiftui i was on before, and everything was running great!

because of a bug in swiftui where videoplayers within a combination of lists and tabviews fail to show the player controls whatsoever, i decided to also update my hackintosh to check out if updating my phone would fix that.
not only did it not fix it, it also introduced a new bug that seems to have come from the jump from the ios 17.5 sdk to the ios 18 sdk!

the infinite scrolling in my app now jumps or stutters to the bottom when the contents of the list update, which completely fixes itself when reverting to an old version of xcode/the ios sdk.
unfortunately, the ios 17.5 sdk will not be supported by app store connect in exactly a month from now, so that means that i can't stay on this version forever if i want to keep uploading to testflight.

unfixable issues like this really sour me on swiftui, even if the alternative platform for android (jetpack) is about as bad if not worse.
at this point, i'm just holding out for xcode 16.3 and the 18.4 sdk included with it hoping that it'll fix the bug, since i have almost no way to submit any sort of feedback for this due to how complicated my app is.

in other news

happy first blog post of 2025! don't think anyone really reads these since they're so rambly and probably kinda boring, but hey, i like writing 'em.

the website now preloads the css for all the pages, so no more white flashing like there was before, and i've added a new projects page! thought it'd be nice to have the stuff i've made actually here somewhere rather than the stray github link on /whoami.
also been adding some new cat pictures as well, hope someone enjoys seeing dodo!
written march twenty-fifth, 2025

tumblr's api is so busted

i use my own private tumblr app for browsing since i'm stuck on ios 14, which means i have to interact with the tumblr api.

now, this doesn't sound like a huge issue until you realize that the tumblr api can sometimes be just completely deranged!

opening a timeline for a specific tag sounds simple enough, right? wrong!

in most timeline-esque responses from the tumblr api, a _links field is populated with the next page's url as an href field. this url is completely percent encoded, meaning it plays nicely with oauth 1.0, the auth that the mobile versions of tumblr usually use.

..except it isn't. on requests to /hubs/{tag}/timeline urls, a hub_name parameter (an exact duplicate of the tag in the path) randomly gets appended to this url! this wouldn't be a problem if this parameter was percent encoded, but it isn't!

for some reason, this parameter is not percent encoded, and its value even differs between the href and the parameters object.
alongside the href, the parameters themselves are also sent as an object (in case you want to build the URL yourself). take the tag "digital art" for example. in the href, it appears as "digital+art". in the object, it appears as simply "digital art".

this caused my oauth to fail, and trying to figure out why this specific request was not working was an absolute pain. in the end, i landed with this beautiful solution:

// strip the un-encoded hub_name param (and only it) before signing; `[^&]*` stops at the next '&' instead of eating it
links?.next.href.replacingOccurrences(of: "&hub_name=[^&]*", with: "", options: .regularExpression, range: nil)

yea, i just matched out the query parameter. i'm sure that's not gonna break anything somehow.. thanks tumblr!
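the other way out is to normalize the href instead of stripping the parameter. here's an added example of that, in python rather than swift, and not code from phosphor or tumblr: the NEXT_HREF sample (with a reserved .invalid host), the OAUTH_PARAMS values and the function names are all constructed. rfc 5849 section 3.4.1.3.1 says the query component is decoded as application/x-www-form-urlencoded (so '+' means a space) and every parameter is then re-encoded per rfc 3986 before it goes into the signature base string. a client that only %-decodes the query keeps the '+' literally, signs "digital%2Bart", and the server, which decoded the value to "digital art", rejects the signature. decoding and re-encoding every query value once makes both readings agree.

```python
"""
normalizing a `_links.next.href` before oauth 1.0 signing.
added illustration, not code from phosphor or tumblr; sample values constructed.
"""
import base64, hashlib, hmac
from urllib.parse import parse_qsl, quote, unquote, urlsplit, urlunsplit

# constructed sample: encoded path segment, but a raw '+' in hub_name
NEXT_HREF = ("https://api.example.invalid/v2/hubs/digital%20art/timeline"
             "?limit=20&hub_name=digital+art&cursor=abc")
# constructed oauth protocol parameters (nonce/timestamp fixed for reproducibility)
OAUTH_PARAMS = {"oauth_consumer_key": "ck-constructed", "oauth_nonce": "n0",
                "oauth_signature_method": "HMAC-SHA1",
                "oauth_timestamp": "1700000000",
                "oauth_token": "tok-constructed", "oauth_version": "1.0"}


def oauth_encode(s: str) -> str:
    """rfc 3986 percent-encoding as rfc 5849 section 3.6 requires."""
    return quote(s, safe="-._~")


def query_pairs(query: str, plus_is_space: bool) -> list:
    """decode a query string into (name, value) pairs. the rfc-correct
    reading treats '+' as a space; the naive one only %-decodes."""
    if plus_is_space:
        return parse_qsl(query, keep_blank_values=True)
    return [(unquote(k), unquote(v))
            for k, _, v in (p.partition("=") for p in query.split("&") if p)]


def normalize_href(href: str) -> str:
    """rebuild the url so every query value is rfc3986-encoded exactly once;
    an alternative to stripping hub_name out with a regex."""
    parts = urlsplit(href)
    query = "&".join(f"{oauth_encode(k)}={oauth_encode(v)}"
                     for k, v in query_pairs(parts.query, plus_is_space=True))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


def signature_base_string(method: str, href: str, oauth_params: dict,
                          plus_is_space: bool = True) -> str:
    """rfc 5849 section 3.4.1: METHOD & base-url & sorted, encoded params."""
    parts = urlsplit(href)
    base_url = urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                           parts.path, "", ""))
    pairs = query_pairs(parts.query, plus_is_space) + list(oauth_params.items())
    encoded = sorted((oauth_encode(k), oauth_encode(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), oauth_encode(base_url),
                     oauth_encode(normalized)])


def sign(base_string: str, consumer_secret: str, token_secret: str) -> str:
    """hmac-sha1 signature over the base string (rfc 5849 section 3.4.2)."""
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def compare(href: str) -> dict:
    """show that the two readings of the raw href sign differently, and that
    normalizing the href first makes even the naive signer agree with the rfc."""
    rfc = signature_base_string("GET", href, OAUTH_PARAMS, plus_is_space=True)
    naive = signature_base_string("GET", href, OAUTH_PARAMS, plus_is_space=False)
    fixed = signature_base_string("GET", normalize_href(href), OAUTH_PARAMS,
                                  plus_is_space=False)
    return {"signatures_differ": sign(rfc, "cs", "ts") != sign(naive, "cs", "ts"),
            "normalized_matches_rfc": fixed == rfc}


if __name__ == "__main__":
    print(normalize_href(NEXT_HREF))
    print(compare(NEXT_HREF))
```

the useful property is that normalize_href is idempotent: feeding it an href that was already correctly encoded changes nothing, so it can sit in front of every pagination request rather than only the /hubs/{tag}/timeline ones.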
written november fourth, 2024

lets get silly!

stuff i've been working on! again!

made a neat lil' companion to my youtube music desktop app, it's an app that displays what's playing!
wrote it for an old lenovo smart clock 2 that i had lying around, out of use since its discontinuation broke some music things, and i had replaced it with a google home hub.

using some clever calendar and accessibility tricks, it's possible to install other apps!
(it's also possible to root! i didn't need that here, though)

after installing a different launcher and keyboard, and setting up some alternative ways to navigate thanks to the lack of a navbar (it has a bump sensor on the top!), i installed (of course) minecraft PE 1.0.0 to test it out, and it actually worked really smoothly! (so long as the render distance wasn't changed)


after messing around with that, i threw together a plugin in javascript and a companion app in kotlin (this was my first experience with android apps! it wasn't fun..), here's the (basically) finished product!



i don't think i ever wanna use kotlin again xwx
written august second, 2024

stuff! wow!

hello! i think i should probably throw an update on what i've been doing here.
recently i've been working on a few things! phosphor and wisp are the main two.

phosphor is a tumblr client, written completely in swiftui, for my ridiculously out of date iphone that i keep on ios 14.1, which the latest tumblr app doesn't support anymore.

wisp is a discord status tweak for youtube music on ios! that one might actually get a release at some point..

i'm pretty happy with how those are going.
been thinking about maybe making a shark version of my main oc, not sure yea
written july ninth, 2024

everything is bots now

do you ever feel like there's no humans on the internet sometimes? sometimes it really feels like it's all robots..

i was scrolling reddit earlier, and saw a post with a cat picture. open the comments, and i see the original poster of this cat from 4 years ago say that this is their cat..?

sure enough, it is their cat. this is all just a bot taking people's pictures and posting them for.. karma?
and this problem isn't just with cat photos! anywhere on popular, check the comments, the top ones are just bots copying comments from an earlier post..

and for what? what's the point of this? just makes everything feel more empty..
written april twenty-third, 2024

is this thing on?

...and we're back! site's been down for a while because i upgraded the server without moving the site over.. i'll start working more on this place soon!

i've been working a bit on my art skills recently too! so.. that might make an appearance here as well!
written march first, 2024 (happy new year!)

cat

until i figure out a design for subpages, here's a cat picture right here

weird distortion occurred from night shift, thought it looked cool
written december fourth, 2023

building reality... please wait...

got tired of my website looking like every single SEO optimized news site on the planet, so we're here now

on the bright side, soon you'll be able to actually look at the pictures of my cats that i just never added to the old one! (and as a bonus, this loads on super old browsers now [it loads on my blackberry bold 9930!])

right now this is pretty barren, but i swear there'll be more stuff here once it isn't just this index.html
written december third, 2023