Thread - Nostr Hypermedia

EVAN KALOUDIS evan@zeusln.com 2 months ago

GM Nostr ICYMI: if you have someone’s new Wallet of Satoshi lightning address, you can look up all of their payments on Spark's transaction explorer 1) Request an invoice using the Lightning address 2) Paste the bolt11 invoice into

Lightning Decoder

Decode Lightning Network Requests - BOLT11, LNURL, and Lightning Address

Lightning Decoder is a tool for decoding Lightning Network request codes - BOLT11s, LNURL codes, and Lightning Addresses are supported.

3) Scroll down to the 'Routing Info' entries, and copy the pubkey with the highest CLTV Expiry Delta 4) Paste that address into

Sparkscan

Explore Spark balances, tokens, and transactions.

Alternatively, use this tool that @npub1u8ln...turz made here:

GitHub

GitHub - benthecarman/spark-invoice-doxxer

Contribute to benthecarman/spark-invoice-doxxer development by creating an account on GitHub.

As far as I can tell, this is not a strict requirement for Spark lightning address implementations, so I hope to see this change. At present, if you give someone your Spark address or node pubkey they *can* access your transaction history. Nonetheless, really disappointed to see WoS leave the USA only to return with something that has zero privacy. We can do better.

Replies (22)

Rosetta Cypher 2 months ago

Really appreciate you shedding light on privacy issues like this. Keep up the great work!

1 replies ↓

ChadF and 33 others chadf@nostrplebs.com 2 months ago

Never used it and don't care to. Node, Zeus and AlbuHub is all I need.

🟠 isolabellart isolabellart@isolabellart.it.com 2 months ago

Blitz-wallet seems immune to this doxing

🟠 isolabellart isolabellart@isolabellart.it.com 2 months ago

I pointed this out to the WoS developers when it was still in beta and they never fixed it.

1 replies ↓

EVAN KALOUDIS evan@zeusln.com 2 months ago

Illuminating. Thanks for sharing

Bfgreen _@briangreen.net 2 months ago

best zap comment ever! 👌

Adam Simecka 2 months ago

This is really bad.

Adam Simecka 2 months ago

Right. Basically anything that "doesn't" use Spark.

2 replies ↓

🟠 isolabellart isolabellart@isolabellart.it.com 2 months ago

Blitz-wallet is based on Spark, but does not doxing your Spark address from the lightning address or an invoice. However, WoS and the new Spark-based Breez SDK have this privacy issue.

1 replies ↓

BBNBTC bbntcd88@iris.to 2 months ago

GM 🤙

CptKook 2 months ago

It was probably a condition of their safe return. Sell out game retarded

The Daniel 🖖 daniel@nodestrich.com 2 months ago

Would be great to summarize your conversation with @Roy on Xitter in this thread. My understanding is @Breez ⚡️ has managed to solve these privacy leaks in ways that @Wallet of Satoshi hasn’t.

The Daniel 🖖 daniel@nodestrich.com 2 months ago

According to @Roy this is not the case. Hoping he can clarify here, because these are critical issues that need to be solved before wider adoption.

The Daniel 🖖 daniel@nodestrich.com 2 months ago

I emailed them too (also spoke to Aaron) and was told that they had left the Spark address exposed in the public .well-known/lnurlp string for testing purposes and it was only removed right before the public release. He didn’t follow up when I tried to dig deeper on the invoice question.

Roy roy@primal.net 2 months ago

The default behavior in the Breez SDK is not to expose the spark address in the bolt11, so you can't do what Evan showed above. However, since spark reuses addresses (currently), you can still apply stuff like timing attacks to discover the underlying address. This should be addressed soon by the spark team (they are switching to a dynamic address model).

Adam Simecka 2 months ago

If there is any code we have that may help with this, you are welcome to use it, since we don't use Spark.