Replying to EVAN KALOUDIS

GM Nostr

ICYMI: if you have someone’s new Wallet of Satoshi lightning address, you can look up all of their payments on Spark's transaction explorer

1) Request an invoice using the Lightning address

2) Paste the bolt11 invoice into

https://lightningdecoder.com

3) Scroll down to the 'Routing Info' entries, and copy the pubkey with the highest CLTV Expiry Delta

4) Paste that address into https://www.sparkscan.io/?network=mainnet

Alternatively, use this tool that nostr:npub1u8lnhlw5usp3t9vmpz60ejpyt649z33hu82wc2hpv6m5xdqmuxhs46turz made here:

https://github.com/benthecarman/spark-invoice-doxxer

As far as I can tell, this is not a strict requirement for Spark lightning address implementations, so I hope to see this change.

At present, if you give someone your Spark address or node pubkey they *can* access your transaction history.

Nonetheless, really disappointed to see WoS leave the USA only to return with something that has zero privacy.

We can do better.

Blitz-wallet seems immune to this doxing


Discussion

Right. Basically anything that "doesn't" use Spark.

Blitz-wallet is based on Spark, but does not dox your Spark address from the lightning address or an invoice.

However, WoS and the new Spark-based Breez SDK have this privacy issue.

According to nostr:npub1ey6qdmvzcgcsr883m9nspzz0mm037l26xtardzcskfsvc6gc7jssm9szvp this is not the case. Hoping he can clarify here, because these are critical issues that need to be solved before wider adoption.

The default behavior in the Breez SDK is not to expose the spark address in the bolt11, so you can't do what Evan showed above. However, since spark reuses addresses (currently), you can still apply stuff like timing attacks to discover the underlying address. This should be addressed soon by the spark team (they are switching to a dynamic address model).

If there is any code we have that may help with this, you are welcome to use it, since we don't use Spark.

Blitz does use Spark.