2023-01-28 19:13:42

Derek Ross on Nostr:

**What the fuck is going on with Derek's private key - A recap**

TL;DR - This is long so I wrote a short summary at the top in hopes to help new Nostriches and noob Nostriches alike. Please share. Thanks.

1) Read what events you are signing with your private key. Do not just authorize the event because you initiated it. The client may be doing something that you are not expecting.
2) Do not allow websites to use your signing extension forever. You don’t know what they’re doing in the background.
3) Maybe don’t use Nostr.com as it will overwrite your LUD06 Lightning address on your profile.
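Point 1 above, "read what events you are signing", is a check that software can do before the signer prompts. The following is an added example, not code from Derek's post and not from nos2x or any Nostr client: it takes the unsigned kind 0 (profile metadata) event a client hands to a NIP-07 signer, compares its content with the profile the user believes is current, and refuses to pass it through unchanged when a payment or identity field (lud06, lud16, nip05) would change or disappear. The profile values and the event are constructed for the example; the LNURL string is a placeholder.

```javascript
// Added example: review a NIP-01 kind 0 event before it is signed, flagging changes
// to fields that redirect money or identity. Not part of nos2x or any client.

// Metadata fields whose silent change matters most (NIP-01 metadata, NIP-05, NIP-57).
const SENSITIVE_FIELDS = ['lud06', 'lud16', 'nip05'];

// kind 0 content is a JSON object serialized to a string; anything else is rejected.
function parseMetadataContent(content) {
  let parsed;
  try { parsed = JSON.parse(content); } catch (e) { return null; }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) return null;
  return parsed;
}

// Returns { ok, changes, warnings }. `ok` is false when a sensitive field would change
// or when the event is not a well-formed kind 0. A kind 0 replaces the whole profile,
// so a field present now but absent from the new content counts as a removal.
function reviewMetadataEvent(event, currentProfile) {
  const result = { ok: true, changes: [], warnings: [] };
  if (event.kind !== 0) {
    result.ok = false;
    result.warnings.push(`expected kind 0, got kind ${event.kind}`);
    return result;
  }
  const next = parseMetadataContent(event.content);
  if (next === null) {
    result.ok = false;
    result.warnings.push('content is not a JSON object');
    return result;
  }
  const keys = new Set([...Object.keys(currentProfile), ...Object.keys(next)]);
  for (const key of keys) {
    const before = currentProfile[key] ?? null;
    const after = next[key] ?? null;
    if (before === after) continue;
    result.changes.push({ field: key, before, after });
    if (SENSITIVE_FIELDS.includes(key)) {
      result.ok = false;
      result.warnings.push(`${key} would change from ${JSON.stringify(before)} to ${JSON.stringify(after)}`);
    }
  }
  return result;
}

// Human-readable summary a signer could show in its prompt instead of raw JSON.
function describeReview(review) {
  const lines = review.changes.map(c => `${c.field}: ${JSON.stringify(c.before)} -> ${JSON.stringify(c.after)}`);
  return (review.ok ? 'No sensitive changes.' : 'BLOCKED: ' + review.warnings.join('; ')) +
    (lines.length ? '\n' + lines.join('\n') : '');
}

// Constructed sample: what the user believes their profile currently holds.
const currentProfile = {
  name: 'derek',
  about: 'constructed sample profile',
  lud16: 'derek@wallet.example',   // constructed Lightning address
};

// Constructed unsigned event resembling what a client passes to window.nostr.signEvent().
// It keeps name/about but drops lud16 and sets a different lud06.
const requestedEvent = {
  kind: 0,
  created_at: 1674800000,
  tags: [],
  content: JSON.stringify({
    name: 'derek',
    about: 'constructed sample profile',
    lud06: 'LNURL1PLACEHOLDER_CONSTRUCTED',  // placeholder, not a real LNURL
  }),
};

const review = reviewMetadataEvent(requestedEvent, currentProfile);
console.log(describeReview(review));
```

Run with `node`; the constructed event is blocked because lud16 would be removed and lud06 added. A change to `about` alone passes with `ok: true` but is still listed, so the user sees exactly what the client is about to publish.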


Yesterday, one of my followers DMed me, saying that they bought me some drinks for my upcoming trip to Costa Rica! Awesome! I checked my Lightning node and I saw that 50 sats came in an hour ago. That didn’t seem right to me, so I asked some questions. We ended up determining that they sent sats to the wrong Lightning invoice address somehow. I noticed that my profile on Astral.ninja and metadata.nostr.com both had an incorrect LUD06 LNURL address. It was an LNBits address. I do not use LNBits. Something was definitely wrong.

I had been careful with my private key, at least I thought. After my first day on Nostr, I started using the nos2x extension and used it for everything. I didn’t authorize sites “forever” as I wanted to see when they would request read/write data with my keys. I used burner keys when testing various Android clients. I was very confused how this happened. I doubt my private keys were burned. I kept telling myself that this has to be a misbehaving client!

I started tracing my steps back. I had just used a brand new client, Ananostr, yesterday morning. I thought, could this client have done something accidentally? I signed in with nos2x and authorized the transactions as normal. The developer was super helpful here. He offered to take down his site and retrace his tool set that he used, to make sure nothing fishy was being utilized in his application. Thank you for your help <3

Today, using the nostr.band search tool, I saw that I had numerous events from January 16th to January 27th that updated my profile and changed my LUD06 address to a different LNURL. Something or someone was changing my Lightning tips address on my profile and I had no clue what was doing it.

I started looking at my Nostr post history and file download history. I had first tried Amethyst on January 16th. I had very little doubt in my mind that Amethyst could be causing the issue here, but you honestly just do not know. It’s scary entering your private key into brand new Android applications. Because of this fear, I used Amethyst originally with a burner account. Once I felt comfortable, I switched to my private key.

**After talking with numerous developers and plenty of Nostriches, I believe I have figured out what has been happening with my profile metadata and specifically, my Lightning LUD06 address. I also believe several mistakes were made on my part.**

About 10 days ago or so, I visited nostr.com and signed in with nos2x. I authorized the transactions and played around with the site for 10 minutes. I saw at the bottom that the site was built on Anigma. That freaked me out because Anigma was a site that was vulnerable to XSS attacks around December 20th. I immediately went into my local storage and nuked the storage for that site, deleted cookies and did not return to that site again.

Apparently, nostr.com automatically sets your LUD06 Lightning LNURL to an automatically generated lnbits.com Lightning wallet for you when you sign into this client. I did not know this. This overwrites any existing Lightning configuration on your profile.

**My first mistake was not reading the kind 0 event that popped up by nos2x**. I never read them. I always felt that if I was the one that clicked a button and generated the event, then it was safe to authorize it. If I had taken the time to read what was actually happening, then I would have seen that this client was making changes to my profile!

**My second mistake was then keeping nostr.com as an authorized forever entity inside the options of nos2x**. I remember adding it as authorize forever, because it kept popping up and annoying the fuck out of me and I wanted to get it off of my screen so that I could check out the client. I should have 1) not done this and 2) removed it after I cleared local storage for nostr.com.

One thing I do not understand though. How was this able to continue to happen over the last 10 days? Are relays just that slow to process events? Were these events re-broadcasted to new relays and that’s why this kept happening? If that’s the case, could someone go and re-broadcast an older profile metadata change event and change my LUD06 address back to this unwanted address?

I truly believe this is what happened and my private key is safe, I just do not understand how it continued after I stopped using that client. For now, I’m not abandoning this key pair. I think this is a large lesson for all of us.

A super special thank you to and <3

THANK YOU FOR HELPING ME FIGURE THIS OUT!
Author Public Key
npub18ams6ewn5aj2n3wt2qawzglx9mr4nzksxhvrdc4gzrecw7n5tvjqctp424