[Security] Unrestricted file Upload

Description: When we install the browser. We are sent to localhost:8888. There under the profile section, we have an option to upload images. I noticed that there are no file upload restrictions hence an attacker can upload any kind of file like:-

• Upload and host a phishing page in HTML
• Execute malicious javascript
• Upload trojan/backdoors to infect the victim’s system

The request to the upload file looks like this

POST /store/1GMACmsiJigwVRrHpHGD6GsD9EzWSPj9B2//avatar-0 HTTP/1.1
Host: hub.blockstack.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: text/html
Authorization: bearer 
Origin: http://localhost:8888
Content-Length: 143
Connection: close
<html>
<body>
Easily send and receive tokens on the Blockstack Network.
<a href="https://evil.com">Fake installation file</a>
</body>
</html>

Proof of concept: This small proof can show we can host a fake page to mislead the victim users to download a malicious file to infect their system or host a phishing page (which can be any page not limited to gaia)

Visit the link to see the proof https://gaia.blockstack.org/hub/1GMACmsiJigwVRrHpHGD6GsD9EzWSPj9B2//avatar-0

Or execute client-side javascript

Additional Notes I know gaia and the browser is no more in use. But the impact is global here at the organization level. This bug affects all the users who are using blockstack. The fake pages are severed from the official block stack domain. The domain blockstack.org is trusted and an attacker can exploit that trust to host his own pages to lure the victims to download a backdoor or tempt him to giveaways his/her private keys/credentials by hosting a fake page/ false campaign etc. Again I want to emphasize that the impact here is global as it impacts all users. The overall concept of security is to protected users from bad/malicious actors.