Nice catch! That's a privacy leak. Please consider using responsible disclosure next time you find something like this.
Maybe you would have been more greatly rewarded if you didn't disclose it publicly immediately with no chance for us to fix before everyone knows about it? :)
/cc @k00b
reply
IMHO, "Responsible disclosure" is a bad term, it kind of attaches the responsibility of the problem to the person that found it. In my view "Coordinated disclosure" is a much better term.
One suggestion is that instead of assuming that everybody will read the source code and be aware of that message in the "readme" file, perhaps having a https://securitytxt.org/ can be more helpful, since it is becoming more and more standard.
reply
I think if someone does not look into the README of a project or the FAQ to check for responsible disclosure procedures, they definitely won't look up if there is a security.txt
So I don't think using security.txt would help us with this problem of people shooting first and asking questions later.
Do you agree?
I also don't agree with your view on CVD. Even though I appreciate your comment, I wasn't aware that we're moving away from "responsible disclosure". Will ask my itsec circle friends what they think about this.
However, we can of course also have a security.txt.
Just want to say that I think your reasoning doesn't make sense to me.
assuming that everybody will read the source code and be aware of that message in the "readme" file,
Are you saying reading source code is the same as reading a README?
Dang. You are totally right and I should have known better. Please accept my apology. Just didn't think about it from that angle but I should have.
reply
No worries, we all learn our lessons at some point :)
reply
Hey! Who's the aggrieved party here anyway? :) I'm curious. Did this same warning appear when it was at the 500k and 1 mil level?
reply
198 sats \ 1 reply \ @ek 17 Dec 2023
Yes. This kind of error message existed since Aug 30, 2022 according to our commit history. But no one has seemed to notice so far.
But you're right.
We also learned a lesson, I guess, haha :)
reply
I know I never so it until yesterday. Probably because balance threshold was higher
reply
deleted by author
reply
shouldn't responsible @kepford delete his original message?
I think it's not as severe; especially because there is no proof of exploit so someone would have to write code first to really efficiently leak user balances. I tried to do this myself to see the impact and I noticed it's not as easy for reasons I don't want to irresponsibly disclose here, lol
or is it all too late and the pressure is on to fix this in the background?
reply
I didn't even think it was a bug let alone a serious one. LOL.
If the limit were higher though it would have more impact.
reply
I'm a dev and as soon as I saw your comment I felt terrible. I know if I were working on stacker.news I'd feel responsible to fix it asap. I appreciate the gentle scolding and the zap. Was not expecting either.
reply
Haha, it's okay, it happens :) You can review the "fix" if you want though
reply
deleted by author
deleted by author
reply
πŸ‘€
reply
The funny thing is:
This is (one of) the first real vuln we have and it was disclosed publicly.
There were some people who thought they found something serious and did a responsible disclosure.
But all of them didn't do enough DD and just assumed it's a vuln and immediately contacted us, probably feeling FOMO because they might receive a huge bounty if they are the first to report, lol
Most funny was the guy who leaked his own IP address and then started to think he is now able to find out the IP address of everyone on SN with the same method, lol
deleted by author
reply
Mhh, we should at least consider changing it.
I'm glad you brought that up. I get messages and honestly I often have more than 250k in my wallet, or am I mistaken. Also, would sending to a lightning address be considered creating an invoice? Thanks for the reply. That error message confused me.
reply
Wow, had no idea. I'm currently at 251k and didn't realize I have stopped receiving zaps. Something should be stated to help educate this. A warning icon or something would be great.
reply
Zaps on sn aren’t stopped. Just invoices adding external sats
reply
that's a big deal for people using SN as an LNURL address on nostr.
reply
I think a banner saying something like this:
Your wallet is over the limit, you will not be able to deposit any more sats (or receive zaps from outside of SN). Please withdraw your sats.
when their wallet is over the limit might make sense that a user can click away when they've seen it?
/cc @k00b
Sending to a lightning address does generate an invoice under the hood.
reply
Thanks for the info. So stackers here need to keep balances below 250k to message others?
reply
It appears so.
reply
To receive messages, I think? Though I didn’t think the limit was that low. It’s been a minute since I’ve been in the code though
reply
Maybe that low limit is new, because I'm pretty sure I've messaged with a wallet balance more than 250k?
reply
I think it’s the recipients balance that matters, not the senders balance. But in any case, if you’ve had a message exchange back and forth while maintaining a balance over 250K, that would suggest the limit was higher.
reply
If it was the sender's balance, it wouldn't be a vulnerability. The ability to find out yourself you have > 250k sats is a well-known feature :)
reply
For sure. The way siggy phrased one of his comments made me want to be painfully explicit lol
Earlier today was the first time I saw that error message. It just seems really low.
reply
Correct. It is the receiver
reply
The limit has changed fairly recently I think.
reply
It was you address I used.
reply
I thought so. Were you aware of the 250k limit? I guess I never got the memo.
reply
I was. Hit it the other day.
reply
deleted by author
reply
deleted by author
reply