What is Nostr?
ChipTuner
npub1qdj…fqm7
2024-10-25 17:10:54

ChipTuner on Nostr: MY NSEC WILL NEVER LEAVE THE VAULT https://github.com/vnuge/nvault Users using uBlock ...

MY NSEC WILL NEVER LEAVE THE VAULT
https://github.com/vnuge/nvault

Users using uBlock origin would likely have been protected by default, I know I am. You should always be using blocking tools such as script blocking extensions or DNS blocking to disallow apps from sending YOUR data to 3rd party servers. I encourage other developers to avoid even the slightest possibility that you could be responsible for compromising user's identities.

For web applications I think it's time to deprecate nsec login.

**Security Update**

I've got some bad news for you guys. This morning, as I was adding error handling to flotilla, I discovered that Coracle has been sending user session objects to bugsnag when reporting errors.

Who is affected: Users who triggered an error in Coracle while signed in with their private key, since December 5th 2023.

What I've done:

- I immediately released a new version of Coracle, both to web and to zap.store
- I have deleted the affected apks from my releases
- I have deleted all my error data from bugsnag
- I have deleted my bugsnag project and rotated my api key, so lingering error reports will be dropped
- I have audited my code for use of the session object to ensure nothing else like this is happening

What you should do:

- If you're logged in with your private key, log out
- Hard refresh the page to ensure you have the latest version of Coracle

The bottom line is that if you signed in to Coracle with your private key, it has been shared with me and with bugsnag. In practical terms, your keys should still be secure, since they were sent over TLS, and have been deleted. But there is no guarantee I can offer that they are in fact gone.

I take my users' privacy seriously. My error reporting implementation doesn't record user IPs, it redacts identifying data, and it allows users to opt-out. I also warn the user when they attempt to enter an nsec into a text field. In this case, I simply screwed up, and I sincerely apologize. Reply to this note if you have any questions.

Author Public Key
npub1qdjn8j4gwgmkj3k5un775nq6q3q7mguv5tvajstmkdsqdja2havq03fqm7