Nice catch! That's a privacy leak. Please consider using responsible disclosure next time you find something like this.
Maybe you would have been more greatly rewarded if you didn't disclose it publicly immediately with no chance for us to fix before everyone knows about it? :)
/cc @k00b
IMHO, "Responsible disclosure" is a bad term, it kind of attaches the responsibility of the problem to the person that found it. In my view "Coordinated disclosure" is a much better term.
One suggestion is that instead of assuming that everybody will read the source code and be aware of that message in the "readme" file, perhaps having a security.txt can be more helpful, since it is becoming more and more standard.
I think if someone does not look into the README of a project or the FAQ to check for responsible disclosure procedures, they definitely won't look up if there is a security.txt
So I don't think using security.txt would help us with this problem of people shooting first and asking questions later.
Do you agree?
I also don't agree with your view on CVD. Even though I appreciate your comment, I wasn't aware that we're moving away from "responsible disclosure". Will ask my itsec circle friends what they think about this.
However, we can of course also have a security.txt.
Just want to say that I think your reasoning doesn't make sense to me.
assuming that everybody will read the source code and be aware of that message in the "readme" file,
Are you saying reading source code is the same as reading a README?
Are you saying reading source code is the same as reading a README?
I'm saying I never looked at the source code of stacker.news and I never even visited the repository. If I, for some reason, found a problem/vulnerability just by navigating the website, I would not know how to report the issue.
I'm a user, not a programmer or developer, so I don't generally look at GitHub and other sites where you store/share the source code. Just out of curiosity, I've just checked the FAQ and there is in fact a line at the bottom of the page, but there is no index and that's a lot of scrolling and reading.
Someone motivated to report the issue would eventually find that information after some hops. Others less motivated, would not report or would write it in a comment, and I don't blame them.
I'm just saying that "security.txt" is straightforward and kind of a standard, so independently of the website or project that is the first place I look at.
I'm just saying that "security.txt" is straightforward and kind of a standard, so independently of the website or project that is the first place I look at.
Ah ok, I see where the misunderstanding comes from. I must admit, I didn't read the link you provided properly. I just assumed that you meant we should create a SECURITY.txt inside our repository. This didn't make sense to me since you mentioned you wouldn't look inside the repository anyway.
But now I properly read what is written in the link. You mean we should have a security.txt hosted here. This makes sense, thanks! I will create a ticket for this.
but there is no index
There is an index:
We also have a search function integrated in the index:
There is an index: We also have a search function integrated in the index:
ah ah! good catch, didn't know about that. Always learning.
Always learning.
As we do :) Btw, thanks for your advice regarding security.txt. I appreciate it (my previous responses may not have sounded like I do, lol)
Even though I appreciate your comment, I wasn't aware that we're moving away from "responsible disclosure". Will ask my itsec circle friends what they think about this.
Mhh, we should at least consider changing it.
Dang. You are totally right and I should have known better. Please accept my apology. Just didn't think about it from that angle but I should have.
No worries, we all learn our lessons at some point :)
Hey! Who's the aggrieved party here anyway? :) I'm curious. Did this same warning appear when it was at the 500k and 1 mil level?
Yes. This kind of error message has existed since Aug 30, 2022 according to our commit history. But no one has seemed to notice so far.
But you're right.
We also learned a lesson, I guess, haha :)
I know I never saw it until yesterday. Probably because the balance threshold was higher.
shouldn't responsible @kepford delete his original message?
I think it's not as severe; especially because there is no proof of exploit so someone would have to write code first to really efficiently leak user balances. I tried to do this myself to see the impact and I noticed it's not as easy for reasons I don't want to irresponsibly disclose here, lol
or is it all too late and the pressure is on to fix this in the background?
I didn't even think it was a bug let alone a serious one. LOL.
If the limit were higher though it would have more impact.
I'm a dev and as soon as I saw your comment I felt terrible. I know if I were working on stacker.news I'd feel responsible to fix it asap. I appreciate the gentle scolding and the zap. Was not expecting either.
LOL. Been waiting for that one.
The funny thing is:
This is (one of) the first real vuln we have and it was disclosed publicly.
There were some people who thought they found something serious and did a responsible disclosure.
But all of them didn't do enough DD and just assumed it's a vuln and immediately contacted us, probably feeling FOMO because they might receive a huge bounty if they are the first to report, lol
Most funny was the guy who leaked his own IP address and then started to think he is now able to find out the IP address of everyone on SN with the same method, lol
Most funny was the guy who leaked his own IP address and then started to think he is now able to find out the IP address of everyone on SN with the same method, lol
I guess I might know what you are talking about? And about IP addresses, I tried different ways to test it. If someone keeps using the same IP, yes, it can be "dangerous", but then, even in this case, all you can know is where this user is located, what this person read and for how long, and what his interests are.
Maybe one account to read, one to post is the way 🧐
yes it can be "dangerous", but then even in this case, all you can know is where this user is located, what this person read and for how long, and what his interests are.
You're onto something there :)
IP addresses are actually quite often not that useful but for some people, their IP address seems to be holy to them even though their ISP provider keeps changing it all the time and their ISP provider is basically already "mixing them" with other users (CGNAT) since we've run out of IPv4 addresses a long time ago.
even though their ISP provider keeps changing it all the time and their ISP provider is basically already "mixing them" with other users (CGNAT) since we've run out of IPv4 addresses a long time ago.
oh I didn't know this 👀 also something interesting I've learnt from a privacy geek friend - creating a false trace is often better than trying to hide everything.
a false trace is often better than trying to hide everything.
Yes, hiding in the masses is better than to tell everyone that you have something to hide :)
oh I didn't know this
so many ideas for blog posts, so little time, lol :)
edit: but somehow, there is always time to reply to people on SN, lol :)
less shitposting, more working:)
👀👀👀 👀👀👀 👀 👀 👀 👀 👀 👀 👀 👀 👀 👀 👀 👀 👀 👀 👀 👀 👀 👀 👀👀 👀 👀 👀 👀👀 👀 👀 👀 👀 👀 👀👀 👀 👀 👀 👀👀👀 👀 👀 👀
btw, you can use ``` to not mess up your spaces :)
👀👀 👀👀 👀 👀 👀 👀 👀 👀 👀 👀 👀 👀 👀 👀 👀 👀 👀 👀 👀 👀👀 👀 👀 👀 👀 👀 👀 👀👀 👀👀👀👀
Ok, now I am really gone for at least a couple hours :)