Anigma is most definitely a scam. It leaks your privkey on *purpose* and overrides your lightning address.
Discussion
If that’s true, then it’s unfortunate that nostr.com is apparently built on Anigma?
If you go to anigma it does show a disclaimer at the top telling you not to use a private key you aren’t comfortable leaking. I’m curious why they would put that disclaimer up there and not just fix the issue.
Looks to be #[10]'s repository on GitHub. He's only on 3 relays here, so not sure he'll see this.
The creator quit supporting it after a bunch of security vulnerabilities. It's a shame, but this is voluntarism warts and all. https://twitter.com/super_testnet/status/1604973673836056576
AFAIK the creator was not a JavaScript front-end expert. It was vanilla JS in the page and a fun experiment. I don't think it was intended as a scam.
All solutions are temporary until we can keep our private keys truly secure instead of having to input them into clients.
More people should check out NIP-49, encrypted private key import/export. So far the only client I know that implements this is the Gossip client by #[13]. Worth checking it out.
It's fairly trivial to fix Anigma: escape innerHTML and implement window.nostr, so that it doesn't need to store any private keys. I'm not sure why no one has done it; maybe I'll do it this weekend.
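As an added illustration of the two fixes suggested in the post above (this is example code written for this page, not Anigma's code and not from any Nostr project), the block below shows a note renderer that interpolates untrusted content into markup next to its escaped form, and a publish path that signs through a NIP-07 `window.nostr` provider (`getPublicKey()` / `signEvent()`) so the page never holds a private key. The `fakeProvider` object is a constructed stand-in for a browser signing extension so the snippet runs under Node; in a browser you would pass `window.nostr` instead.

```javascript
// Added example, not Anigma's own code. Demonstrates:
//  1. escaping untrusted note content before it reaches innerHTML;
//  2. delegating signing to a NIP-07 provider (window.nostr) instead of
//     storing an nsec in the page.

// Escape the five characters that can break out of element content or a
// quoted attribute. In a real DOM, `el.textContent = note.content` is the
// simplest correct option; this helper is for templated HTML strings.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Unsafe pattern: content from a relay goes straight into markup that will
// later be assigned to innerHTML. Any tag in the note runs in the viewer's page.
function renderUnsafe(note) {
  return `<div class="note">${note.content}</div>`;
}

// Hardened pattern: escape first, then interpolate.
function renderSafe(note) {
  return `<div class="note">${escapeHtml(note.content)}</div>`;
}

// Unsigned NIP-01 text note (kind 1). pubkey, id and sig are the signer's job.
function buildUnsignedEvent(content, createdAt) {
  return { kind: 1, created_at: createdAt, tags: [], content };
}

// True only if a usable NIP-07 signer is present. A client that calls this
// and refuses to proceed otherwise never needs to prompt for a private key.
function hasSigner(provider) {
  return !!provider
    && typeof provider.getPublicKey === "function"
    && typeof provider.signEvent === "function";
}

// Sign a note through the provider. The key never enters this code path;
// we only see the public key and the resulting signature.
async function publishViaProvider(provider, content, createdAt) {
  if (!hasSigner(provider)) {
    throw new Error("no NIP-07 signer (window.nostr); refusing to ask for a private key");
  }
  const pubkey = await provider.getPublicKey();
  const signed = await provider.signEvent(buildUnsignedEvent(content, createdAt));
  // Sanity check: the signer must answer for the key it advertised.
  if (signed.pubkey !== pubkey || typeof signed.sig !== "string") {
    throw new Error("signer returned an event for a different key");
  }
  return signed;
}

// Constructed stand-in for a browser extension (assumption: a real extension
// injects window.nostr; this mock only mimics its shape so the file runs in Node).
const FAKE_PUBKEY = "ab".repeat(32);
const fakeProvider = {
  async getPublicKey() { return FAKE_PUBKEY; },
  async signEvent(ev) {
    return { ...ev, pubkey: FAKE_PUBKEY, id: "00".repeat(32), sig: "11".repeat(64) };
  },
};

// Constructed sample note, the kind of payload a hostile relay could return.
const hostileNote = { content: '<img src=x onerror="alert(document.cookie)">' };
```

Usage in a browser would be `publishViaProvider(window.nostr, "hello", Math.floor(Date.now() / 1000))` and `container.innerHTML = renderSafe(note)` (or, better, `container.textContent = note.content`). The point of `hasSigner` is that the absence of a provider becomes a hard error rather than a fallback to an nsec text box.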
Rogue code can still decrypt your DMs if the plugin is set to auto-decrypt.
#[0]
#[0]
How would it override a lightning address? :|
#[0]
Does anigma only leak if you are attached to it?