I said I welcomed dumb questions in this territory. Well, I have one.
I have become addicted to sending messages to lightning addresses attached to nominal transactions. I know a lot of us are doing this on Stacker News. How private are these messages?
I assume the messages would be visible to the nodes routing the transactions. Should we assume SN can read these messages if they're so inclined?
Also, would it be correct to assume there is more privacy when using a non custodial wallet as opposed to a custodial one like the SN wallet?
27.1k sats \ 68 replies \ @kepford 17 Dec 2023
So you can use this to see if someone has more than 250k sats.
https://m.stacker.news/8391
353 sats \ 43 replies \ @ek 17 Dec 2023
Nice catch! That's a privacy leak. Please consider using responsible disclosure next time you find something like this.
Maybe you would have been more greatly rewarded if you didn't disclose it publicly immediately with no chance for us to fix before everyone knows about it? :)
/cc @k00b
5555 sats \ 7 replies \ @beorange 17 Dec 2023
IMHO, "Responsible disclosure" is a bad term, it kind of attaches the responsibility of the problem to the person that found it. In my view "Coordinated disclosure" is a much better term.
One suggestion is that instead of assuming that everybody will read the source code and be aware of that message in the "readme" file, perhaps having a https://securitytxt.org/ can be more helpful, since it is becoming more and more standard.
0 sats \ 6 replies \ @ek 17 Dec 2023 freebie
I think if someone does not look into the README of a project or the FAQ to check for responsible disclosure procedures, they definitely won't look up if there is a security.txt.
So I don't think using security.txt would help us with this problem of people shooting first and asking questions later.
Do you agree?
I also don't agree with your view on CVD. Even though I appreciate your comment, I wasn't aware that we're moving away from "responsible disclosure". Will ask my itsec circle friends what they think about this.
However, we can of course also have a security.txt.
Just want to say that I think your reasoning doesn't make sense to me.
Are you saying reading source code is the same as reading a README?
560 sats \ 15 replies \ @kepford 17 Dec 2023
Dang. You are totally right and I should have known better. Please accept my apology. Just didn't think about it from that angle but I should have.
10 sats \ 14 replies \ @ek 17 Dec 2023 freebie
No worries, we all learn our lessons at some point :)
334 sats \ 2 replies \ @siggy47 OP 17 Dec 2023
Hey! Who's the aggrieved party here anyway? :)
I'm curious. Did this same warning appear when it was at the 500k and 1 mil level?
198 sats \ 1 reply \ @ek 17 Dec 2023
Yes. This kind of error message has existed since Aug 30, 2022 according to our commit history. But no one seems to have noticed so far.
But you're right.
We also learned a lesson, I guess, haha :)
0 sats \ 0 replies \ @siggy47 OP 17 Dec 2023
I know I never saw it until yesterday. Probably because the balance threshold was higher.
0 sats \ 10 replies \ @nemo 17 Dec 2023
deleted by author
131 sats \ 9 replies \ @ek 17 Dec 2023
I think it's not as severe; especially because there is no proof of exploit so someone would have to write code first to really efficiently leak user balances. I tried to do this myself to see the impact and I noticed it's not as easy for reasons I don't want to irresponsibly disclose here, lol
Imo, this change will already fix it enough.
1352 sats \ 0 replies \ @kepford 17 Dec 2023 freebie
I didn't even think it was a bug let alone a serious one. LOL.
If the limit were higher though it would have more impact.
334 sats \ 6 replies \ @kepford 17 Dec 2023
I'm a dev and as soon as I saw your comment I felt terrible. I know if I were working on stacker.news I'd feel responsible to fix it asap. I appreciate the gentle scolding and the zap. Was not expecting either.
10 sats \ 5 replies \ @ek 17 Dec 2023
Haha, it's okay, it happens :) You can review the "fix" if you want though
179 sats \ 0 replies \ @nemo 17 Dec 2023
deleted by author
1 sat \ 15 replies \ @Natalia 17 Dec 2023
👀
0 sats \ 14 replies \ @ek 17 Dec 2023 freebie
The funny thing is:
This is (one of) the first real vuln we have and it was disclosed publicly.
There were some people who thought they found something serious and did a responsible disclosure.
But all of them didn't do enough DD and just assumed it's a vuln and immediately contacted us, probably feeling FOMO because they might receive a huge bounty if they are the first to report, lol
Most funny was the guy who leaked his own IP address and then started to think he is now able to find out the IP address of everyone on SN with the same method, lol
563 sats \ 2 replies \ @nemo 17 Dec 2023
deleted by author
198 sats \ 1 reply \ @ek 17 Dec 2023 freebie
Mhh, we should at least consider changing it.
0 sats \ 0 replies \ @ek 18 Dec 2023
Just found out that we also use it for our LN node in Amboss.
10 sats \ 23 replies \ @siggy47 OP 17 Dec 2023 freebie
I'm glad you brought that up. I get messages and honestly I often have more than 250k in my wallet, or am I mistaken? Also, would sending to a lightning address be considered creating an invoice? Thanks for the reply. That error message confused me.
354 sats \ 6 replies \ @TonyGiorgio 17 Dec 2023
Wow, had no idea. I'm currently at 251k and didn't realize I have stopped receiving zaps. Something should be stated to help educate this. A warning icon or something would be great.
0 sats \ 1 reply \ @k00b 20 Dec 2023
Zaps on SN aren't stopped. Just invoices adding external sats.
0 sats \ 0 replies \ @TonyGiorgio 20 Dec 2023
that's a big deal for people using SN as an LNURL address on nostr.
0 sats \ 3 replies \ @ek 20 Dec 2023 freebie
I think a banner saying something like this:
when their wallet is over the limit might make sense that a user can click away when they've seen it?
/cc @k00b
196 sats \ 10 replies \ @WeAreAllSatoshi 17 Dec 2023
Sending to a lightning address does generate an invoice under the hood.
0 sats \ 9 replies \ @siggy47 OP 17 Dec 2023
Thanks for the info. So stackers here need to keep balances below 250k to message others?
175 sats \ 0 replies \ @kepford 17 Dec 2023
It appears so.
175 sats \ 7 replies \ @WeAreAllSatoshi 17 Dec 2023
To receive messages, I think? Though I didn’t think the limit was that low. It’s been a minute since I’ve been in the code though
10 sats \ 5 replies \ @siggy47 OP 17 Dec 2023
Maybe that low limit is new, because I'm pretty sure I've messaged with a wallet balance more than 250k?
265 sats \ 4 replies \ @WeAreAllSatoshi 17 Dec 2023
I think it's the recipient's balance that matters, not the sender's balance. But in any case, if you've had a message exchange back and forth while maintaining a balance over 250K, that would suggest the limit was higher.
335 sats \ 1 reply \ @SpaceHodler 17 Dec 2023
If it was the sender's balance, it wouldn't be a vulnerability. The ability to find out yourself you have > 250k sats is a well-known feature :)
10 sats \ 0 replies \ @siggy47 OP 17 Dec 2023
Earlier today was the first time I saw that error message. It just seems really low.
0 sats \ 0 replies \ @kepford 17 Dec 2023
Correct. It is the receiver.
0 sats \ 0 replies \ @kepford 17 Dec 2023
The limit has changed fairly recently I think.
175 sats \ 4 replies \ @kepford 17 Dec 2023
It was your address I used.
0 sats \ 3 replies \ @siggy47 OP 17 Dec 2023
I thought so. Were you aware of the 250k limit? I guess I never got the memo.
175 sats \ 2 replies \ @kepford 17 Dec 2023
I was. Hit it the other day.
353 sats \ 1 reply \ @nemo 17 Dec 2023
deleted by author
434 sats \ 0 replies \ @nemo 17 Dec 2023
deleted by author
243 sats \ 0 replies \ @Walletano 17 Dec 2023
For example we provide advertising messages to lightning addresses on satsforads.net.
On interactive campaigns, we send unique URLs to each lightning address to claim even more sats. These unique URLs are something like: https://satsforads.net/v/ZzVs-2-fce61af57ac94ff159a3398da940830e.
Even if somebody finds this message along the way, we are good because:
- one additional view to the campaign (our advertiser will be happy as his message / content / video reaches one more user for free)
- the sats can only be claimed by the intended lightning address.
307 sats \ 0 replies \ @WeAreAllSatoshi 17 Dec 2023 freebie
Non custodial wallets receiving lightning address invoices with messages using LUD-12 still require a web server to handle the lightning address send flow, so presumably you’re either having that done for you via a service provider, or you’ve implemented your own, which most people probably have not. In the former, whoever runs the web service which supports your lightning address would have access to the messages attached to the payments.
Having implemented LUD-12 for SN, this is my understanding. If anyone spots an error in this, please share!
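To make the two points in the thread concrete (the LUD-12 comment is plaintext to whoever runs the lightning-address web service, and an error tied to the recipient's balance tells every payer something about that balance), here is an added illustration of a minimal LUD-12 callback handler. It is not Stacker News code; the error strings, the comment limit and the in-memory store are constructed for the example, and `leaky=True` models the balance-dependent message discussed above.

```python
# Added illustration (not Stacker News code): a minimal LUD-12 lightning-address
# callback handler. The payer's wallet calls GET <callback>?amount=<msat>&comment=<text>
# and expects {"pr": ..., "routes": []} or {"status": "ERROR", "reason": ...}.
from urllib.parse import parse_qs

COMMENT_ALLOWED = 140          # assumed commentAllowed value advertised in the payRequest
DEPOSIT_LIMIT_SATS = 250_000   # soft deposit limit mentioned in the thread

received_comments = []         # constructed store: everything the provider can read


def handle_callback(recipient_balance_sats, query_string, leaky=False):
    """Return the dict a LUD-12 callback would serialise as JSON.

    leaky=True reproduces the problem discussed in the thread: the failure
    reason depends on the recipient's balance, so any payer learns one bit
    about it just by attempting a payment.
    """
    params = parse_qs(query_string)
    amount = params.get("amount", [""])[0]
    comment = params.get("comment", [""])[0]

    if not amount.isdigit() or int(amount) <= 0:
        return {"status": "ERROR", "reason": "invalid amount"}
    if len(comment) > COMMENT_ALLOWED:
        return {"status": "ERROR", "reason": "comment too long"}

    # The comment arrives in the clear over the HTTPS request: the service
    # operator, its logs and its database all see it. There is no E2EE here.
    received_comments.append(comment)

    if recipient_balance_sats >= DEPOSIT_LIMIT_SATS:
        if leaky:
            # Balance-specific reason: discloses that the recipient is over the limit.
            return {"status": "ERROR",
                    "reason": "recipient wallet is over the deposit limit"}
        # Generic reason: the same text as any other operational failure.
        return {"status": "ERROR", "reason": "unable to create invoice"}

    # Placeholder invoice; a real server would ask its node for a BOLT11 invoice.
    return {"pr": "lnbc-placeholder-invoice", "routes": []}
```

Note that a generic reason only removes the explicit wording: as long as success or failure still depends on the recipient's balance, a payer can distinguish the two outcomes, so a full fix has to make the response independent of the balance.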
285 sats \ 0 replies \ @WeAreAllSatoshi 17 Dec 2023
LUD-12? Yes. Keysend? No (from my limited understanding)
275 sats \ 11 replies \ @ek 17 Dec 2023 freebie
Definitely yes. This system was never intended for DMs.
For me, this system is just another example of how people assume that things are secure just by expectation, since DM systems have usually used E2EE for a while now.
But as mentioned, this was never meant to be used for DMs. I think @WeAreAllSatoshi just wanted us to support more LNURL features.
334 sats \ 0 replies \ @WeAreAllSatoshi 17 Dec 2023
Correct. I was aiming for more complete spec compliance.
179 sats \ 7 replies \ @siggy47 OP 17 Dec 2023
Thanks for the info. I still think it's a useful tool to have available on SN. It's a way to direct message fellow stackers on individual stuff without annoying everyone. It's just good to have a low expectation of privacy.
404 sats \ 6 replies \ @ek 17 Dec 2023 freebie
I agree, I use it myself.
Exactly. The only problem I have with it is that people (as this post shows) may have a false sense of privacy while using it.
0 sats \ 5 replies \ @siggy47 OP 17 Dec 2023
Has it always been limited to wallets having less than 250k sats?
385 sats \ 4 replies \ @ek 17 Dec 2023 freebie
No, the first limit for deposits was 1M sats iirc. It was decreased from 500k to 250k 2 days ago.
However, keep in mind that this doesn't mean your wallet can only hold 250k sats now. You can still have more by getting zapped, you just can't deposit more than that. We call this a soft limit. We're doing this because we are not and we do not want to be a wallet provider because of legal exposure.
155 sats \ 3 replies \ @siggy47 OP 17 Dec 2023
Aha! So I'm not crazy. I knew I was messaging people before who I can't message now. Good to know. I will adjust my wallet balance more often.
353 sats \ 2 replies \ @nemo 17 Dec 2023
deleted by author
133 sats \ 1 reply \ @siggy47 OP 17 Dec 2023
Right after the edit period expired I realized I should rethink that response.
175 sats \ 1 reply \ @ek 17 Dec 2023 freebie
Btw, forgot to mention: Great post @siggy47!
Since people started to use LUD-12 for DMs, I've been wondering if people just know that someone like Snowden should probably not use this to plan his next steps, or if they simply assume that it is as secure as any other DM system.
Finally someone asked for clarification, lol
309 sats \ 0 replies \ @quark 17 Dec 2023
Thanks for the clarification. It is hard to verify the code of everything, there is no time for it, and the easy thing is to trust that everything is safe and private. And many people don't have any other choice since they don't know how to read code. But we shouldn't assume something is good if there is no link to at least some information about how it works.
175 sats \ 1 reply \ @fred 17 Dec 2023
I can attest that an LN invoice is more private than an LN address transaction.
0 sats \ 0 replies \ @ek 17 Dec 2023
deleted by author