**Security Update**
I've got some bad news for you guys. This morning, as I was adding error handling to flotilla, I discovered that Coracle has been sending user session objects to bugsnag when reporting errors.
Who is affected: Users who triggered an error in Coracle while signed in with their private key, since December 5th 2023.
What I've done:
- I immediately released a new version of Coracle, both to web and to zap.store
- I have deleted the affected apks from my releases
- I have deleted all my error data from bugsnag
- I have deleted my bugsnag project and rotated my api key, so lingering error reports will be dropped
- I have audited my code for use of the session object to ensure nothing else like this is happening
What you should do:
- If you're logged in with your private key, log out
- Hard refresh the page to ensure you have the latest version of Coracle
The bottom line is that if you signed in to Coracle with your private key, it has been shared with me and with bugsnag. In practical terms, your keys should still be secure, since they were sent over TLS, and have been deleted. But there is no guarantee I can offer that they are in fact gone.
I take my users' privacy seriously. My error reporting implementation doesn't record user IPs, it redacts identifying data, and it allows users to opt out. I also warn the user when they attempt to enter an nsec into a text field. In this case, I simply screwed up, and I sincerely apologize. Reply to this note if you have any questions.
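The failure described in the note, a whole session object (private key included) attached to error reports, is the kind of thing a before-send scrub hook exists to catch, and the nsec text-field warning the note mentions needs the same pattern check. The block below is an added example, not Coracle's or Bugsnag's code: the session field names (`method`, `privkey`, `nsec`), the hook shape (`buildErrorReport`) and the sample keys are constructed assumptions. It redacts by property name and by value shape (bech32 `nsec1...` strings and 64-hex strings), never mutates the input, and survives the circular references app state usually has.

```javascript
// Added example, not Coracle's or Bugsnag's code: scrub secrets out of whatever
// a client attaches to an error report, so a session object that happens to
// hold a private key never leaves the browser.

// nsec is bech32 (NIP-19): "nsec1" followed by data in the 32-char bech32 alphabet.
const NSEC_ANCHORED_RE = /^nsec1[02-9ac-hj-np-z]{6,}$/i;
const NSEC_GLOBAL_RE = /\bnsec1[02-9ac-hj-np-z]{6,}\b/gi;
// 64 hex chars: a raw secp256k1 private key, but also pubkeys and event ids.
// Redacting those too is the conservative choice; an error report never needs them.
const HEX64_GLOBAL_RE = /\b[0-9a-f]{64}\b/gi;
// Property names that should never reach a third-party service, whatever the value.
const SENSITIVE_KEY_RE = /priv|secret|seckey|nsec|mnemonic|seed/i;

const REDACTED = '[REDACTED]';
const MAX_DEPTH = 16;

// Text-field guard: true when the pasted value looks like an nsec.
function looksLikeNsec(value) {
  return typeof value === 'string' && NSEC_ANCHORED_RE.test(value.trim());
}

// Replace any embedded nsec or 64-hex secret inside a string.
function scrubString(s) {
  return s.replace(NSEC_GLOBAL_RE, REDACTED).replace(HEX64_GLOBAL_RE, REDACTED);
}

// Deep-copy `value` with secrets removed. Never mutates its input; objects seen
// before (shared or circular) become a marker instead of being walked again.
function scrub(value, seen = new WeakSet(), depth = 0) {
  if (typeof value === 'string') return scrubString(value);
  if (value === null || typeof value !== 'object') return value;
  if (seen.has(value)) return '[CIRCULAR]';
  if (depth > MAX_DEPTH) return '[TRUNCATED]';
  seen.add(value);
  if (Array.isArray(value)) return value.map((v) => scrub(v, seen, depth + 1));
  const out = {};
  for (const [key, v] of Object.entries(value)) {
    out[key] = SENSITIVE_KEY_RE.test(key) ? REDACTED : scrub(v, seen, depth + 1);
  }
  return out;
}

// Assumed shape of a reporter's before-send hook: the error plus scrubbed
// context, instead of the raw session object.
function buildErrorReport(err, context) {
  return {
    message: scrubString(String(err && err.message)),
    stack: scrubString(String((err && err.stack) || '')),
    context: scrub(context),
  };
}

// Constructed sample session with fake keys (not real ones).
const SAMPLE_SESSION = {
  method: 'privkey',
  pubkey: '11'.repeat(32),
  privkey: '22'.repeat(32),
  nsec: 'nsec1' + 'q'.repeat(58),
  relays: ['wss://relay.example'],
  nested: { note: 'user typed nsec1' + 'p'.repeat(58) + ' into search' },
};
SAMPLE_SESSION.self = SAMPLE_SESSION; // circular reference, common in app state

console.log(JSON.stringify(buildErrorReport(new Error('boom'), SAMPLE_SESSION), null, 2));
```

Wiring `buildErrorReport` (or just `scrub`) into the reporter's hook is the cheap part; the habit worth keeping is that the scrub runs on everything attached to a report, not only on the fields you remember hold secrets, which is exactly how a session object slips through.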
Replies (23)
Thanks for disclosing. Would this affect nostr browser extension logins through nos-2x or Spring Browser?
This is why we need to be vigilant with signing apps. Only give your nsec to a signing app, that way you never share it with anything else.
Were the keys ever stored (not just transmitted) in plain text on bugsnag, like could you login to that platform and see them?
1. I'm lucky to have always used nostr apps with key signing extensions on both phone and laptop.
2. I didn't know Coracle had an apk...
Damn, too bad. That must really suck. Good luck and I hope you get this all figured out.
Thanks for letting us know. I appreciate your openness and disclosure. All good.
The response we wish to see everywhere on the web, that we don't!
based honesty. keep doing what you do hodlbod; we appreciate you.
Normalizing using many keys for different use cases might be an improvement as well.
Keys are simple, external 3rd party dependencies aren't (and, as you note, may not be any more secure). It's all about ease of use for non-technical users. But the days of nsec login are numbered, we just need really solid flows for secure custody. nsec.app comes close.
Some fuck up was bound to happen with using nsecs to login
Honest devs should be Zapped! Thank you
It's a good start, but ultimately a custodial honeypot. Self-hosted bunkers are much better, but hard for normies. Multisig could be a great way to solve this, I know it's been worked on some.
Thank you for the disclosure.
I remember someone proposed to unlock btc wallets with nsec nostr key.
Mmmm bad idea.
Imagine if we had institutional transparency like this.
not your keys not your korn
I used alby, but Is there a way to check if my key was compromised with my npub?
@hodlbod Does this note imply someone else had your bugsnag API key a couple of weeks ago?
"Would whoever is running whatagent.net please remove my bugsnag api key from your deployment, it's clogging up my error reporting."
You should be fine, that's exactly the point of using signer extensions: You don't give your private key to 3rd party websites, but websites instead request signatures from an extension.
That's why you should always use an extension signer like Nos2x-Fox when signing up on different web clients...
"The bottom line is that if you signed in to Coracle with your private key, it has been shared with me and with bugsnag. In practical terms, your keys should still be secure, since they were sent over TLS, and have been deleted. But there is no guarantee I can offer that they are in fact gone."
This week on #nostr.
@Vitor Pamplona wrote a piece on relay management
#AlbyGo 1.7 dropped
#Yakihonne introduces smart widgets with 2.0. @Derek Ross instantly jumped on it.
@The Nostr Review got some stats for us.
#YakiHonne 2.0 is live
@utxo the webmaster announces Haven 1.0
@iefan with a NostrHub update
#BTCPay 2.0 has landed
@walker goes all-in on #zapstream with the Bitcoin Podcast.
@Alex Gleason is working on a new remote signer and nsec bunker
Multi-million dollar NGO planning to use GrapheneOS
@Maya Parbhoe talking about using nostr in Suriname
Amazing drone show in Lugano.
#Coracle security issue, reported fixed by @hodlbod
@YEGHRO pushed an update to his inactive user tool. It now has bling!
@fiatjaf merged something into #nostter
/thread, Happy Weekend