**Security Update**
I've got some bad news for you guys. This morning, as I was adding error handling to flotilla, I discovered that Coracle has been sending user session objects to bugsnag when reporting errors.
Who is affected: Users who triggered an error in Coracle while signed in with their private key, since December 5th 2023.
What I've done:
- I immediately released a new version of Coracle, both to web and to zap.store
- I have deleted the affected apks from my releases
- I have deleted all my error data from bugsnag
- I have deleted my bugsnag project and rotated my api key, so lingering error reports will be dropped
- I have audited my code for use of the session object to ensure nothing else like this is happening
What you should do:
- If you're logged in with your private key, log out
- Hard refresh the page to ensure you have the latest version of Coracle
The bottom line is that if you signed in to Coracle with your private key, it has been shared with me and with bugsnag. In practical terms, your keys should still be secure, since they were sent over TLS, and have been deleted. But there is no guarantee I can offer that they are in fact gone.
I take my users' privacy seriously. My error reporting implementation doesn't record user IPs, it redacts identifying data, and it allows users to opt-out. I also warn the user when they attempt to enter an nsec into a text field. In this case, I simply screwed up, and I sincerely apologize. Reply to this note if you have any questions.
hodlbod /
npub1jl…jynqn
2024-10-25 16:12:36
Author Public Key
npub1jlrs53pkdfjnts29kveljul2sm0actt6n8dxrrzqcersttvcuv3qdjynqnPublished at
2024-10-25 16:12:36Event JSON
{
"id": "3169146c22d4dd75ee8486afd6a163c95e63156729eb76ca93b0b8d2c4608ea7",
"pubkey": "97c70a44366a6535c145b333f973ea86dfdc2d7a99da618c40c64705ad98e322",
"created_at": 1729872756,
"kind": 1,
"tags": [
[
"client",
"Coracle",
"31990:97c70a44366a6535c145b333f973ea86dfdc2d7a99da618c40c64705ad98e322:1685968093690"
]
],
"content": "**Security Update**\n\nI've got some bad news for you guys. This morning, as I was adding error handling to flotilla, I discovered that Coracle has been sending user session objects to bugsnag when reporting errors.\n\nWho is affected: Users who triggered an error in Coracle while signed in with their private key, since December 5th 2023.\n\nWhat I've done:\n\n- I immediately released a new version of Coracle, both to web and to zap.store\n- I have deleted the affected apks from my releases\n- I have deleted all my error data from bugsnag\n- I have deleted my bugsnag project and rotated my api key, so lingering error reports will be dropped\n- I have audited my code for use of the session object to ensure nothing else like this is happening\n\nWhat you should do:\n\n- If you're logged in with your private key, log out\n- Hard refresh the page to ensure you have the latest version of Coracle\n\nThe bottom line is that if you signed in to Coracle with your private key, it has been shared with me and with bugsnag. In practical terms, your keys should still be secure, since they were sent over TLS, and have been deleted. But there is no guarantee I can offer that they are in fact gone.\n\nI take my users' privacy seriously. My error reporting implementation doesn't record user IPs, it redacts identifying data, and it allows users to opt-out. I also warn the user when they attempt to enter an nsec into a text field. In this case, I simply screwed up, and I sincerely apologize. Reply to this note if you have any questions.",
"sig": "a9939ef21b2802a90ede3c81468ff6ca405b6b6e9b4e7fa1fe69400dfcba130dc6b9311e1d6bc87c8515e78f0d562095e958f0e32dc549fb2ca1351e7bba1773"
}