Why Nostr? What is Njump?
2024-10-25 16:54:22

Braydon Fuller on Nostr: Do not enter your private key into a web app! Why are there Nostr apps that are doing ...

Do not enter your private key into a web app! Why are there Nostr apps that are doing this?

Second, a dependency supply chain attack could make even signer apps leak passwords.
**Security Update**

I've got some bad news for you guys. This morning, as I was adding error handling to flotilla, I discovered that Coracle has been sending user session objects to bugsnag when reporting errors.

Who is affected: Users who triggered an error in Coracle while signed in with their private key, since December 5th 2023.

What I've done:

- I immediately released a new version of Coracle, both to web and to zap.store
- I have deleted the affected apks from my releases
- I have deleted all my error data from bugsnag
- I have deleted my bugsnag project and rotated my api key, so lingering error reports will be dropped
- I have audited my code for use of the session object to ensure nothing else like this is happening

What you should do:

- If you're logged in with your private key, log out
- Hard refresh the page to ensure you have the latest version of Coracle

The bottom line is that if you signed in to Coracle with your private key, it has been shared with me and with bugsnag. In practical terms, your keys should still be secure, since they were sent over TLS, and have been deleted. But there is no guarantee I can offer that they are in fact gone.

I take my users' privacy seriously. My error reporting implementation doesn't record user IPs, it redacts identifying data, and it allows users to opt-out. I also warn the user when they attempt to enter an nsec into a text field. In this case, I simply screwed up, and I sincerely apologize. Reply to this note if you have any questions.
Author Public Key
npub1r0ulywwu593kzjdu9uluxdq80t54n65kql9vl9z7lrutkgnachssk7zzyc