Coracle accidentally shared private keys with error tracking toolnjump.me/nevent1qqsrz6g5ds3dfht4a6zgdt7k593ujhnrz4njn6mke2fmpwxjc3sgafcpzemhxue69uhhyetvv9ujumn0wd68ytnzv9hxgqg6waehxw309aex2mrp0yh8wetnw3jhymnzw33jucm0d5q3gamnwvaz7tmjv4kxz7fwv3sk6atn9e5k7q3qjlrs53pkdfjnts29kveljul2sm0actt6n8dxrrzqcersttvcuv3q5afcmh
2611 sats \ 6 comments \ @ek 26 Oct nostr
write
preview
related posts
131 sats \ 3 replies \ @OriginalSize 26 Oct
Guess Nostr's still at the stage where each user should audit code and network access themselves.
Wonder what the disclosure timeline on this was. Did he just open up the bug tool one day and go wow that's bad or did someone alert him.
The fun part is hodlbod can never prove that he doesn't have all those nsecs so lots of people should be setting up new npubs and deprecating existing ones. Might turn into a sort of proof of alive followers event.
reply
21 sats \ 0 replies \ @ek OP 26 Oct
Wonder what the disclosure timeline on this was. Did he just open up the bug tool one day and go wow that's bad or did someone alert him.
Second sentence actually 👀
This morning, as I was adding error handling to flotilla, I discovered that Coracle has been sending user session objects to bugsnag when reporting errors.
reply
7 sats \ 1 reply \ @DarthCoin 26 Oct
Read again the note. Is about those users that didn't used an external keys extension signer and directly used nsec to login.
Always use Alby, nos2x or hardware signer to login on nostr clients. Do not use directly plain text nsec. more nostr signers:
Putting your nsec in plain text is like pasting your BTC wallet seed in plain text on a random webpage...
reply
0 sats \ 0 replies \ @OriginalSize 27 Oct
People always say that but it also seems reasonable to expect an app not to send the nsec anywhere. It's not like it was hacked. A signer app may separate concerns but it's still more code to audit.
reply
53 sats \ 0 replies \ @nikotsla 26 Oct
It's a common practice now that you as a developer need "external" tools to know what's is going on in your own program, sad... but true.
reply
47 sats \ 0 replies \ @nym 26 Oct
If I read this correctly. Someone else had the API key also
reply