Hopefully most of us have been signing web clients using a browser extension, but for any standalone apps where the only option we have is to paste our key, the best we can do is pray there is no malicious or buggy code that will compromise us.
It’s past time we had a way to fix this, or anyone who thinks this experiment in open source decentralized communication will succeed is fooling themselves.
quoting note1x95…0saj**Security Update**
I've got some bad news for you guys. This morning, as I was adding error handling to flotilla, I discovered that Coracle has been sending user session objects to bugsnag when reporting errors.
Who is affected: Users who triggered an error in Coracle while signed in with their private key, since December 5th 2023.
What I've done:
- I immediately released a new version of Coracle, both to web and to zap.store
- I have deleted the affected apks from my releases
- I have deleted all my error data from bugsnag
- I have deleted my bugsnag project and rotated my api key, so lingering error reports will be dropped
- I have audited my code for use of the session object to ensure nothing else like this is happening
What you should do:
- If you're logged in with your private key, log out
- Hard refresh the page to ensure you have the latest version of Coracle
The bottom line is that if you signed in to Coracle with your private key, it has been shared with me and with bugsnag. In practical terms, your keys should still be secure, since they were sent over TLS, and have been deleted. But there is no guarantee I can offer that they are in fact gone.
I take my users' privacy seriously. My error reporting implementation doesn't record user IPs, it redacts identifying data, and it allows users to opt-out. I also warn the user when they attempt to enter an nsec into a text field. In this case, I simply screwed up, and I sincerely apologize. Reply to this note if you have any questions.