pull down to refresh

I said I welcomed dumb questions in this territory. Well, I have one. I have become addicted to sending messages to lightning addresses attached to nominal transactions. I know a lot of us are doing this on Stacker News. How private are these messages? I assume the messages would be visible to the nodes routing the transactions. Should we assume SN can read these messages if they're so inclined? Also, would it be correct to assume there is more privacy when using a non custodial wallet as opposed to a custodial one like the SN wallet?
So you can use this to see if someone has more than 250k sats.
reply
Nice catch! That's a privacy leak. Please consider using responsible disclosure next time you find something like this.
Maybe you would have been more greatly rewarded if you didn't disclose it publicly immediately with no chance for us to fix before everyone knows about it? :)
/cc @k00b
reply
IMHO, "Responsible disclosure" is a bad term, it kind of attaches the responsibility of the problem to the person that found it. In my view "Coordinated disclosure" is a much better term.
One suggestion is that instead of assuming that everybody will read the source code and be aware of that message in the "readme" file, perhaps having a https://securitytxt.org/ can be more helpful, since it is becoming more and more standard.
reply
I think if someone does not look into the README of a project or the FAQ to check for responsible disclosure procedures, they definitely won't look up if there is a security.txt
So I don't think using security.txt would help us with this problem of people shooting first and asking questions later.
Do you agree?
I also don't agree with your view on CVD. Even though I appreciate your comment, I wasn't aware that we're moving away from "responsible disclosure". Will ask my itsec circle friends what they think about this.
However, we can of course also have a security.txt.
Just want to say that I think your reasoning doesn't make sense to me.
assuming that everybody will read the source code and be aware of that message in the "readme" file,
Are you saying reading source code is the same as reading a README?
Dang. You are totally right and I should have known better. Please accept my apology. Just didn't think about it from that angle but I should have.
reply
No worries, we all learn our lessons at some point :)
reply
Hey! Who's the aggrieved party here anyway? :) I'm curious. Did this same warning appear when it was at the 500k and 1 mil level?
reply
198 sats \ 1 reply \ @ek 17 Dec 2023
Yes. This kind of error message existed since Aug 30, 2022 according to our commit history. But no one has seemed to notice so far.
But you're right.
We also learned a lesson, I guess, haha :)
reply
I know I never so it until yesterday. Probably because balance threshold was higher
reply
deleted by author
reply
shouldn't responsible @kepford delete his original message?
I think it's not as severe; especially because there is no proof of exploit so someone would have to write code first to really efficiently leak user balances. I tried to do this myself to see the impact and I noticed it's not as easy for reasons I don't want to irresponsibly disclose here, lol
or is it all too late and the pressure is on to fix this in the background?
reply
I didn't even think it was a bug let alone a serious one. LOL.
If the limit were higher though it would have more impact.
reply
I'm a dev and as soon as I saw your comment I felt terrible. I know if I were working on stacker.news I'd feel responsible to fix it asap. I appreciate the gentle scolding and the zap. Was not expecting either.
deleted by author
reply
đź‘€
reply
The funny thing is:
This is (one of) the first real vuln we have and it was disclosed publicly.
There were some people who thought they found something serious and did a responsible disclosure.
But all of them didn't do enough DD and just assumed it's a vuln and immediately contacted us, probably feeling FOMO because they might receive a huge bounty if they are the first to report, lol
Most funny was the guy who leaked his own IP address and then started to think he is now able to find out the IP address of everyone on SN with the same method, lol
deleted by author
reply
Mhh, we should at least consider changing it.
I'm glad you brought that up. I get messages and honestly I often have more than 250k in my wallet, or am I mistaken. Also, would sending to a lightning address be considered creating an invoice? Thanks for the reply. That error message confused me.
reply
Wow, had no idea. I'm currently at 251k and didn't realize I have stopped receiving zaps. Something should be stated to help educate this. A warning icon or something would be great.
reply
Zaps on sn aren’t stopped. Just invoices adding external sats
reply
that's a big deal for people using SN as an LNURL address on nostr.
reply
I think a banner saying something like this:
Your wallet is over the limit, you will not be able to deposit any more sats (or receive zaps from outside of SN). Please withdraw your sats.
when their wallet is over the limit might make sense that a user can click away when they've seen it?
/cc @k00b
Sending to a lightning address does generate an invoice under the hood.
reply
Thanks for the info. So stackers here need to keep balances below 250k to message others?
reply
It appears so.
reply
To receive messages, I think? Though I didn’t think the limit was that low. It’s been a minute since I’ve been in the code though
reply
Maybe that low limit is new, because I'm pretty sure I've messaged with a wallet balance more than 250k?
reply
I think it’s the recipients balance that matters, not the senders balance. But in any case, if you’ve had a message exchange back and forth while maintaining a balance over 250K, that would suggest the limit was higher.
reply
If it was the sender's balance, it wouldn't be a vulnerability. The ability to find out yourself you have > 250k sats is a well-known feature :)
Earlier today was the first time I saw that error message. It just seems really low.
Correct. It is the receiver
The limit has changed fairly recently I think.
reply
It was you address I used.
reply
I thought so. Were you aware of the 250k limit? I guess I never got the memo.
reply
I was. Hit it the other day.
reply
deleted by author
reply
deleted by author
reply
For example we provide advertising messages to lightning addresses on satsforads.net. On interactive campaigns, we send unique URLs to each lightning address to claim even more sats. These unique URLs are something like: https://satsforads.net/v/ZzVs-2-fce61af57ac94ff159a3398da940830e. Even if somebody finds this message along the way, we are good because:
  1. one additional view to the campaign (our advertiser will be happy as his message / content / video reaches one more user for free)
  2. the sats can only be claimed by the intended lightning address.
reply
Also, would it be correct to assume there is more privacy when using a non custodial wallet as opposed to a custodial one like the SN wallet?
Non custodial wallets receiving lightning address invoices with messages using LUD-12 still require a web server to handle the lightning address send flow, so presumably you’re either having that done for you via a service provider, or you’ve implemented your own, which most people probably have not. In the former, whoever runs the web service which supports your lightning address would have access to the messages attached to the payments.
Having implemented LUD-12 for SN, this is my understanding. If anyone spots an error in this, please share!
reply
Should we assume SN can read these messages if they're so inclined?
LUD-12? Yes. Keysend? No (from my limited understanding)
reply
Should we assume SN can read these messages if they're so inclined?
Definitely yes. This system was never intended for DMs.
For me, this system is just another example how people assume that things are secure just by expectation since DM systems usually use E2EE since a while.
But as mentioned, this was never meant to be used for DMs. I think @WeAreAllSatoshi just wanted us to support more LNURL features.
reply
Correct. I was aiming for more complete spec compliance
reply
Thanks for the info. I still think it's a useful tool to have available on SN. It's a way to direct message fellow stackers on individual stuff without annoying everyone. It's just good to have a low expectation of privacy.
reply
I still think it's a useful tool to have available on SN. It's a way to direct message fellow stackers on individual stuff without annoying everyone.
I agree, I use it myself.
It's just good to have a low expectation of privacy.
Exactly. The only problem I have with it is that people (as this post shows) may have a false sense of privacy while using it.
reply
Has it always been limited to wallets having less than 250k sats?
reply
No, the first limit for deposits was 1M sats iirc. It was decreased from 500k to 250k 2 days ago.
However, keep in mind that this doesn't mean your wallet can only hold 250k sats now. You can still have more by getting zapped, you just can't deposit more than that. We call this a soft limit. We're doing this because we are not and we do not want to be a wallet provider because of legal exposure.
reply
Aha! So I'm not crazy. I knew I was messaging people before who I can't message now. Good to know. I will adjust my wallet balance more often.
reply
deleted by author
reply
Right after the edit period expired I realized I should rethink that response
Btw, forgot to mention: Great post @siggy47!
Since people started to use LUD-12 for DMs, I've been wondering if people just know that someone like Snowden should probably not use this to plan his next steps, or if they simply assume that as secure as any other DM system.
Finally someone asked for clarification, lol
reply
Thanks for clarification. It is hard to verify code of everything, no time for it, and the easy thing is to trust that everything is safe and private. And many people don't have any other choice since they don't know to read code. But we shouldn't assume something is good if there is no link to some information about how it works at least.
reply
I can attest that LN invoice is more private than a LN address transaction
reply
deleted by author
reply