Nice catch! That's a privacy leak. Please consider using responsible disclosure next time you find something like this.
Maybe you would have been more greatly rewarded if you didn't disclose it publicly immediately with no chance for us to fix before everyone knows about it? :)
/cc @k00b
IMHO, "Responsible disclosure" is a bad term, it kind of attaches the responsibility of the problem to the person that found it. In my view "Coordinated disclosure" is a much better term.
One suggestion is that instead of assuming that everybody will read the source code and be aware of that message in the "readme" file, perhaps having a https://securitytxt.org/ can be more helpful, since it is becoming more and more standard.
I think if someone does not look into the README of a project or the FAQ to check for responsible disclosure procedures, they definitely won't look up if there is a security.txt
So I don't think using security.txt would help us with this problem of people shooting first and asking questions later.
Do you agree?
I also don't agree with your view on CVD. Even though I appreciate your comment, I wasn't aware that we're moving away from "responsible disclosure". Will ask my itsec circle friends what they think about this.
However, we can of course also have a security.txt.
Just want to say that I think your reasoning doesn't make sense to me.
assuming that everybody will read the source code and be aware of that message in the "readme" file,
Are you saying reading source code is the same as reading a README?
Dang. You are totally right and I should have known better. Please accept my apology. Just didn't think about it from that angle but I should have.
No worries, we all learn our lessons at some point :)
Hey! Who's the aggrieved party here anyway? :) I'm curious. Did this same warning appear when it was at the 500k and 1 mil level?
198 sats \ 1 reply \ @ek 17 Dec 2023
Yes. This kind of error message existed since Aug 30, 2022 according to our commit history. But no one has seemed to notice so far.
But you're right.
We also learned a lesson, I guess, haha :)
I know I never saw it until yesterday. Probably because the balance threshold was higher.
Shouldn't responsible @kepford delete his original message?
I think it's not as severe; especially because there is no proof of exploit so someone would have to write code first to really efficiently leak user balances. I tried to do this myself to see the impact and I noticed it's not as easy for reasons I don't want to irresponsibly disclose here, lol
Or is it all too late and the pressure is on to fix this in the background?
I didn't even think it was a bug let alone a serious one. LOL.
If the limit were higher though it would have more impact.
I'm a dev and as soon as I saw your comment I felt terrible. I know if I were working on stacker.news I'd feel responsible to fix it asap. I appreciate the gentle scolding and the zap. Was not expecting either.
Haha, it's okay, it happens :) You can review the "fix" if you want though
LOL. Been waiting for that one.
👀
The funny thing is:
This is (one of) the first real vuln we have and it was disclosed publicly.
There were some people who thought they found something serious and did a responsible disclosure.
But all of them didn't do enough DD and just assumed it's a vuln and immediately contacted us, probably feeling FOMO because they might receive a huge bounty if they are the first to report, lol
Most funny was the guy who leaked his own IP address and then started to think he is now able to find out the IP address of everyone on SN with the same method, lol
Mhh, we should at least consider changing it.