Nostr Web Client

Replying to Mysterious Hamster

We're still investigating what happened here. It seems a handful of accounts may have been compromised and had their autowithdrawal settings tampered with, including our own "coinos@coinos.io" account.

We ran a script to search for accounts that had the attacker's "speed.app" withdrawal address in place and found about 9 that seem to have been affected. There could be more though, we will update as we have more information.

I worry that this may be the same attacker who exploited a password reset vulnerability back in January which allowed them to gain access to a number of accounts. It's possible that since that time they have been sitting on the account data and working to brute force the encrypted nostr private keys that we had on file for some accounts that had imported their nostr key into Coinos. Those keys were encrypted at rest in our database but it's possible they may have been cracked.

We no longer store nostr private keys for accounts and have since added support for external signing apps and browser extension login, but there was a time when we were storing encrypted nsec private keys.

Having a users nsec would allow an attacker to authenticate into Coinos by signing a nostr event and change the user settings. It also means your entire nostr profile and identity may be compromised.

This is only a hypothesis at this point and we need to investigate further but we may end up recommending that affected users rotate their nostr keys.

nostr:nevent1qvzqqqqqqypzpggzvz325tcf9kz79s9c9627430ccc82r8rgujycwxd43n92y037qy88wumn8ghj7mn0wvhxcmmv9uq32amnwvaz7tmjv4kxz7fwv3sk6atn9e5k7tcqyrdx8njpnvvulfcsqqd7ud47uw6dnzl4a3fmsrafsp0rte9f29h5uxpgg73

Anhern Sarsalor [IQ: 102] 7mo ago

Sorry guys. This kind of failure is unacceptable. This is why users need to have self custodial user friendly wallets. This is what always happens when you rely on a third party for your wallet, and that third party has any control whatsoever.

Coinos themselves are at fault for this issue, but only in so far that this will happen to every single custodian, at one point or another. They made some bad security decisions, but that's unimportant. They could have done everything correctly and eventually something would have happened anyway.

This is why self custody is necessary. Mistakes happen, most of the time the custodian is not evil or malicious, it's the very ability to have control over another's funds or data that is the problem, almost never who the controller is.

What coinos did right is the user friendlyness. I liked coinos, it works, the ui is clean and simple, and getting setup is incredibly easy. But they took custody of user funds, and that's always a problem in the making.

The wallet integrated in animestr will be entirely self-custodied, and still be as intuitive as coinos (if not more)

nostr:nevent1qqsfsg878u9luv2sxm6yahyjr4zpt745rdfpuu47wnn9t2dskgem52gpzamhxue69uhhyetvv9ujumn0wd68ytnzv9hxgtczyzagpxgxvmhskm6t55zex3a7kyey9ys723nfu6qqvn9825jk5836vqcyqqqqqqg658atz

Reply to this note

Please Login to reply.

Discussion

Hikari Harmony 7mo ago

Well then ... Which NWC should I use? Please share .. I'm non technical user

Anhern Sarsalor [IQ: 102] 7mo ago

I really don't know of any good ones that aren't custodial, which is part of the reason why I'm going to build one