Add CloakBin in Pastebins #420

Closed
Ishannaik wants to merge 2 commits into lissy93:main from Ishannaik:add-cloakbin

Conversation


@Ishannaik Ishannaik commented Mar 12, 2026

Type

Addition


Changes

Adds a new Pastebins subsection under Productivity with CloakBin — an open-source zero-knowledge encrypted pastebin with client-side AES-256-GCM encryption. The decryption key stays in the URL fragment (#key), never sent to the server.


Supporting Material


Affiliation

I am the developer of CloakBin.


Checklist

  • I have read the Contributing guide, and confirmed my PR aligns with the requirements
  • I have performed a self-review (valid Markdown formatting, spelling, and grammar)
  • I have indicated whether I have any affiliation with any software / services added
  • I agree to follow the repository's Contributor Covenant Code of Conduct

Adds a new Pastebins category under Productivity with two entries:
- CloakBin: open-source zero-knowledge encrypted pastebin (AES-256-GCM,
  client-side encryption, key in URL fragment)
- PrivateBin: self-hosted zero-knowledge pastebin (256-bit AES)

Disclosure: I am the developer of CloakBin.
liss-bot (Collaborator) commented Mar 12, 2026

Hello @Ishannaik

Thank you for contributing to Awesome Privacy! We will review your submission shortly. In the meantime, please ensure all changes are correct and in line with our Contributing Requirements.

Our automated checks detected some issues:

  • Did you include all required fields? Looks like icon is missing or invalid. Please see the required fields for available fields.
  • Please make just one addition per pull request
  • New entries must be added to the end of the section, unless otherwise requested
  • Description length (358 chars) is outside the recommended 50–250 character range. Please see our Contributing Guidelines

Note

I am a bot, and sometimes make mistakes in my suggestions. But a human will review your submission shortly!

Summary of Changes:
  • Added CloakBin in Productivity → Pastebins
  • Added PrivateBin in Productivity → Pastebins
  • Added section Pastebins in Productivity
Submission Info

Website Checks

  • 🟢 Status: 200
  • 🟢 HTTPS: Yes
  • 🟢 Blacklist: Not listed
  • 🟢 Redirect: None
  • 🟢 Risk Score: 0
  • 🔴 HSTS: Missing
  • 🔴 CSP: Missing
  • 🔴 X-Frame-Options: Missing
  • 🟢 Security.txt: Present
  • 🔵 Server: 216.198.79.1, AS16509
  • 🔵 Server Location: Walnut, California, United States of America
  • 🔵 Title: CloakBin - Free Encrypted Pastebin | Zero-Knowledge Encryption

Repo Stats

  • 🟢 License: GNU Affero General Public License v3.0
  • 🟠 Repo Age: 1 year, 12 months
  • 🟢 Last Updated: today
  • 🔴 Releases: 0
  • 🔴 Stars: 8
  • 🔴 Contributors: 1
  • 🟢 Is Fork: No
  • 🟢 Is Archived: No
  • Security Alerts: Unknown
  • 🟢 Vibe Coded: 0 AI commits
  • 🔵 Commits: 30
  • 🔵 Open Issues: 0
  • 🔵 Website: https://cloakbin.com
  • 🔵 Author: Ishannaik
  • 🔵 Languages: Svelte, TypeScript, CSS, JavaScript, HTML

The above data does not determine a submission's eligibility. Human review is still needed.
Key: 🟢 = good. 🟠 = warning. 🔴 = attention required. 🔵 = info. ⚪ = unknown.

For full details, please see workflow run 22987332806


Updates

Edit 1: - 1 issue was resolved, but 3 checks are still failing, see here for details
Edit 2: - 3 checks are still failing, see here for details
Edit 3: - 2 checks are still failing, see here for details
Edit 4: - 6 checks are still failing, see here for details
Edit 5: - 2 checks are still failing, see here for details
Edit 6: - 2 checks are still failing, see here for details

@Ishannaik Ishannaik changed the title Add Pastebins section with CloakBin and PrivateBin Add CloakBin in Pastebins Mar 12, 2026
Adds a new Pastebins subsection under Productivity with CloakBin,
an open-source zero-knowledge encrypted pastebin.

Disclosure: I am the developer of CloakBin.
lissy93 (Owner) left a comment


Hey @Ishannaik

Thanks for your PR! CloakBin looks really cool.

But I did try out the app, and took a quick look at its code. And I don't think it's quite at the level needed to be listed here, especially in terms of privacy and security.

In the Listing Requirements section of the contributing guides, we say that a project needs to be at least 4 months since first release, Actively maintained, Functional, Mature and not entirely vibe coded.
It's very common for projects which don't meet these requirements to have issues very similar to those identified in CloakBin, and that's why we put those requirements in place.

Feel free to re-submit once the requirements are met and the issues resolved.

lissy93 (Owner) commented Mar 13, 2026

Update: The contact form is not working and security.txt is not present 😔
But I think it's okay to share the findings here, since there don't appear to be any real users yet.

I hope this won't come across as too negative. I do think that CloakBin is a cool app, it's just still in the early stages, and needs a human to proof-read the AI-generated code.

Summary: 8 security suggestions, 4 privacy issues, and 4 requirements for listing not met.


Security

Cache Poisons isOwner field to all viewers on Vercel (CWE-525)

Paste API responses are getting served with cache-control: public, immutable and no Vary header. And Vercel's CDN is caching the full JSON response.

Even after a paste is deleted or expired, the cache persists, meaning the paste is still accessible. Likewise, max-age doesn't exist on expiring pastes. Also, this cached data includes user-specific fields, like isOwner. An unauthenticated user sees isOwner as true if the owner has viewed the paste previously, or the owner could see isOwner as false if a viewer has viewed the paste previously.

Burn after read is broken (CWE-367)

I'm able to read a view-once paste multiple times, without it ever getting deleted. This is because you're handling the logic purely in your frontend (in src/routes/p/[id]/+page.svelt), instead of calling the deletion endpoint during the API read process.

User data not well protected (CWE-284)

The frontend is exposing internal API endpoints which should not be needed in the frontend at all, and which reveal personal data from all other users.
For example calling /admin/__data.json reveals:

  • Database: ■■■■MB data, ■■■■MB indexes, ■■■■MB storage, ■■■■MB limit
  • Pastes: ■■■■ total, ■■■■ today, ■■■■ with password, avg ■■■■ bytes
  • Revenue: MRR $■■■■ USD, ■■■■ active Stripe subscription from ■■■■@■■■■.■■■■
  • Users: ■■■■ total (■■■■ premium, ■■■■ admin, ■■■■ free, ■■■■ online - all appear to be test users)
  • All paste metadata: IDs, user IDs, view counts, timestamps, deletion dates
  • View all pastes belonging to other users

Privilege escalation allows full upgrade and admin access (CWE-269)

On production, any user can set their role to "admin" and isPremium to true, and grant themselves full access to the superadmin dashboard, including all paste metadata, user statistics, revenue data, and database storage info for all users. From here they have full read/write access to export/modify/delete all user data.

Likewise, user data is not well protected - open endpoints allow the viewing of the user's PII including full name/email, IP address / last known IP, last known login, Stripe customer IDs/subscriptions, ban status, etc.

Admin Session Forgery / Auth Bypass on Self-Hosted (CWE-565)

The session token for the admin is just base64(username + ":" + timestamp), with no HMAC, signature, or server-side secret. And the validation only checks that the decoded username matches ADMIN_USER and the timestamp is within 24 hours, with no cryptographic binding between the token and the server.

So, if you know the ADMIN_USER name or if an instance still has the default (admin), then getting access to the admin account is as simple as running document.cookie = "admin_session=" + btoa("admin:" + Date.now()) + "; path=/"; and then navigating to /admin.

This gets set in src/routes/admin/login/+page.server.ts and checked in src/hooks.server.ts.

Unauthenticated endpoints allow paste theft + destruction (CWE-862)

Anybody can call endpoints like POST /api/paste/[id]/burn without any auth, and destroy other people's pastes.

Password Reset Leaks Email Existence (CWE-204)

Sending a request to POST /api/auth/forget-password returns distinguishable responses (if the email exists it has {"status":true}; otherwise, if the user doesn't exist, it includes a message attribute too). This allows attackers to identify whether a given user has an account or not.

BetterAuth CSRF Bypass (CWE-352)

All /api/auth/* endpoints accept cross-origin requests with Origin: https://evil.com, bypassing SvelteKit's CSRF protection entirely. Any attacker-hosted page has the ability to access/modify user data. This is especially potent since most endpoints don't have validation/confirmation. So, for example, a single request to fetch('/api/auth/delete-user', {method:'POST', body:'{"callbackURL":"/"}'}) deletes the user entirely.


Privacy

And, a few minor comments from the privacy policy

  • Missing / undisclosed third-party services in the privacy policy: Umami Analytics, UploadThing, Google Fonts, etc
  • Analytics is not "opt-in" as policy suggests, Umami analytics is loaded for all users/visitors
  • The wording of "we cannot read your pastes" gives the impression that paste activity is not tracked, but admins can see all pastes/ paste types / view counts
  • Policy says "Security data: Retained during paste/account existence" but fields like user lastIP persist indefinitely even after sessions expire.

Eligibility

For now, CloakBin was marked as ineligible for listing here, because some of the project requirements from the contributing guide weren't yet met:

  • Not mature and not 4 months since first release (repo has not yet had a release)
  • Not fully open source (version running is not the same as in the github repo)
  • Not secure (several critical issues were discovered within a few mins of checking)
  • Not fully functional (app was very buggy, quite a lot of things were slow, crashed or didn't work as expected)

@lissy93 lissy93 closed this Mar 13, 2026
Ishannaik added a commit to Ishannaik/CloakBin that referenced this pull request Mar 15, 2026
Fixes 5 security issues identified by @lissy93 in
lissy93/awesome-privacy#420

1. Admin session forgery (CWE-565): Replace base64(user:timestamp)
   tokens with HMAC-SHA256 signed tokens using crypto.timingSafeEqual

2. Burn after read broken (CWE-367): New atomic POST /api/paste/[id]/burn
   endpoint using MongoDB findOneAndDelete — paste content returned
   only once, deleted in same operation

3. Unauthenticated DELETE (CWE-862): Removed public DELETE handler
   entirely. Deletion now only via burn endpoint, expiry, or admin

4. Admin __data.json exposure (CWE-284): Added auth guards to all
   admin load functions and form actions before any DB queries

5. Cache poisoning: Added Cache-Control: private, no-store to paste
   API GET responses

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Ishannaik added a commit to Ishannaik/CloakBin that referenced this pull request Mar 15, 2026
Fixes 5 security issues identified by @lissy93 in
lissy93/awesome-privacy#420

1. Admin session forgery (CWE-565): Replace base64(user:timestamp)
   tokens with HMAC-SHA256 signed tokens using crypto.timingSafeEqual

2. Burn after read broken (CWE-367): New atomic POST /api/paste/[id]/burn
   endpoint using MongoDB findOneAndDelete — paste content returned
   only once, deleted in same operation

3. Unauthenticated DELETE (CWE-862): Removed public DELETE handler
   entirely. Deletion now only via burn endpoint, expiry, or admin

4. Admin __data.json exposure (CWE-284): Added auth guards to all
   admin load functions and form actions before any DB queries

5. Cache poisoning: Added Cache-Control: private, no-store to paste
   API GET responses
Ishannaik (Author) commented

Hey @lissy93 thank you so much for this incredibly thorough review.

This is the most detailed and well-documented security feedback I've received, complete with CWE references and reproduction steps. I really appreciate you taking the time.

Quick request: Would you mind editing out the specific data points from your comment (email addresses, revenue figures, user counts, database stats)? That data was exposed through the __data.json vulnerability you identified, which is now fixed, but it's still visible here.

Some context: CloakBin is my first SaaS project; I've been building it solo for about 3-4 months, mainly to learn SvelteKit and modern web security. Your review was a wake-up call and I treated it as a priority. Every single issue has been addressed.

Security (8/8 fixed)

  Issue                             Fix
  Cache poisoning (CWE-525)         Paste API → Cache-Control: private, no-store
  Privilege escalation (CWE-269)    input: false on all sensitive Better Auth fields
  CSRF bypass (CWE-352)             Removed /api/auth/* CSRF exemption
  Admin session forgery (CWE-565)   HMAC-SHA256 signed tokens + timingSafeEqual
  Burn after read (CWE-367)         Atomic POST /burn with findOneAndDelete
  Admin data exposure (CWE-284)     Auth guards in every load function + form action
  Unauthenticated DELETE (CWE-862)  Public DELETE handler removed entirely
  Email enumeration (CWE-204)       requireEmailVerification: true (OWASP compliant)

Privacy (3/3 addressed)

  Issue                     Fix
  Third-party disclosures   Umami + Google Fonts added to privacy policy
  Analytics opt-in          Was already consent-gated (data-exclude-hash="true")
  IP data retention         90-day auto-cleanup cron + privacy policy updated

Other:

  • security.txt - was at /.well-known/security.txt, added /security.txt redirect for scanners
  • Contact form - working (Discord webhook), may have been temporary when you tested
  • Security headers - HSTS, CSP, X-Frame-Options all present via middleware (confirmed with web-check.xyz)

Commit: Ishannaik/CloakBin@966824c

On the zero-knowledge design

Something I'd love your perspective on: CloakBin follows the same philosophy as https://paste.parinux.org/faq/:

"0bin is not built to protect user data but rather the host. The host has plausible deniability as they cannot know the content of the pastes."

Even if every vulnerability you found was exploited simultaneously, no attacker could read a single paste. The encryption key lives in the URL fragment, never sent to the server, never logged, never cached. The admin panel shows paste metadata (timestamps, sizes, view counts) for abuse prevention, but never content. This is by design: the encryption protects both users and the operator.

On the open-source vs hosted difference — the hosted version (cloakbin.com) has a few additional premium features (Stripe billing, custom URLs, API keys), but the core encryption and paste engine is the same codebase. The premium features will gradually be ported to the open-source repo. Think of it like GitLab CE vs EE, same core, extra features for the hosted service to cover hosting costs.

Gave you a follow, thanks again for the review.

lissy93 (Owner) commented Mar 16, 2026

Heya,

Would you mind editing out the specific data points from your comment

Oops, I'm sorry for including that data - when I wrote this up, I intended to email it, and then forgot to edit it out before sharing here 😳

Also, when I tried the app, I did so in a VM which has now been destroyed, so rest assured I do not have a copy of any of the data.


Some context: CloakBin is my first SaaS project been building it solo for about 3-4 months, mainly to learn SvelteKit and modern web security.

And it's a really good project! Svelte + SvelteKit are my fave stacks for building apps like this too.
I've definitely made a lot of similar mistakes over the years, and I am sure most developers have too.

Keep building 🫡


Even if every vulnerability you found was exploited simultaneously, no attacker could read a single paste.

Very true - your encryption logic is solid 💪
And, that's the most important thing


On the open-source vs hosted difference — the hosted version (cloakbin.com) has a few additional premium features (Stripe billing, custom URLs, API keys), but the core encryption and paste engine is the same codebase.

If it helps, a lot of my apps have a similar approach of being open source, but then also having a SaaS version. The way I do it, is just a single codebase (everything is public) but then configure features via env vars.

And yes - that does mean that self-hosted users can use premium features for "free". But if they're self-hosting, they're probably not the type of user who was going to pay for the product anyway. Paying customers are paying for the convenience, not the code.

And (at least for me), I think that helps the projects grow, since more contributors and users overall. Even if I did lose out on one or two paying customers, having million+ downloads can be more valuable in the long run (and leads to other revenue sources, like corporate sponsors).

A different approach would be one like ag-grid's. Again they have everything public, but then they have a licence which requires payment to use any of the premium code. And this seems to work really well for them.

PythonGermany (Contributor) commented

Oops, I'm sorry for including that data - when I wrote this up, I intended to email it, and then forgot to edit it out before sharing here 😳

FYI @lissy93, I can still see the redacted pieces of information from this comment #420 (comment) via the comment edit history. To completely remove it you also have to delete the revision of the comment as described here.

lissy93 (Owner) commented Mar 24, 2026

Thank you @PythonGermany - done

Ishannaik (Author) commented

Hey @lissy93, that's genuinely reassuring to hear. Hope to keep learning, and honestly brutal reviews like this one do more for growth than any course or tutorial ever could.

On the codebase split

The main reason I kept them separate was to keep the self-hosted version small and auditable. For a privacy tool, fewer moving parts means less code to trust and less to go wrong. Adding premium dependencies like Stripe, billing schemas, and webhook infrastructure means more to manage and a bigger attack surface, even when disabled. But I completely see the value in a unified approach and I'll work towards finding that balance.

On the ag-grid model

This is something I genuinely hadn't considered before. Keeping everything public but licence-gating premium features is a much smarter long-term play. The way you framed it:

paying customers are paying for the convenience, not the code

Going to study how they structure it and see how it fits as CloakBin matures.

I am really grateful you went this deep instead of just closing the PR. One quick question, when would be a good time to open a new PR?

lissy93 (Owner) commented Mar 27, 2026

No problem :)

Btw, there's a new dedicated section for paste bins/secret sharing now (added in #456) - so it will fit in nicely there :)

One quick question, when would be a good time to open a new PR?

As a high-level guideline, when all these requirements are met.
But there is some nuance: some points can't always apply to certain submission types. And the points don't cover a quality baseline, which is much harder to measure (but very important). Basically, everything listed here should be "awesome" and not just "okay" (so if core functionality is pay-walled, or the app is slow/buggy, then probably not awesome).

As an example, the other two paste bin apps listed serve as a good example. They're simple to use, reliable, easily auditable code, well battle-tested, and generally well written and secured.
