41 sats \ 1 reply \ @super_testnet 22 Dec 2022 \ parent \ on: 6 basic things about Nostr nostr
Using alby helps but is still extremely bad on web clients like anigma and nostr.com. For example, even if you use alby to hide your private keys, attackers can still (1) decrypt and siphon the contents of all your dms (2) steal any money you have on the anigma wallet (3) impersonate you.
This is all because alby auto-signs messages on your behalf. Attackers who want your private data -- even if you use alby -- can use the cross-site scripting vulnerability of anigma and nostr.com to create messages containing all your private data (except your private key itself), ask Alby to sign it, wait for the auto-signature Alby gives, and then send those messages to themselves, thus stealing all of your private data except your private key.
So still don't use anigma without awareness that it's just a toy example, a proof of concept. People see everything you type into it and they can take any money you have on it. When I wrote it I did not know how cross-site scripting vulnerabilities worked. Eventually I hope to rewrite it with vulnerability avoidance top of mind.
This is one detailed explanation! All the best in building!
reply