Because it is even worse than that, or at least that's how I understand it. The Whirlpool client uses a session ID for all requests and the server attaches that session ID to all websockets in order to identify them. The server even logs all that info.
```
> grep log **/*.java | grep username
main/java/com/samourai/whirlpool/server/controllers/websocket/SubscribePoolController.java: log.trace("(<) [" + username + "] " + headers.getDestination());
main/java/com/samourai/whirlpool/server/services/WebSocketService.java: log.warn("(>) " + username + " sendPrivateError: " + message);
main/java/com/samourai/whirlpool/server/services/WebSocketSessionService.java: log.trace("(<) " + username + " connect");
main/java/com/samourai/whirlpool/server/services/WebSocketSessionService.java: log.trace("(<) " + username + ": disconnect");
main/java/com/samourai/whirlpool/server/services/MixService.java: log.warn("Rejecting already revealed username: " + username);
main/java/com/samourai/whirlpool/server/services/MixService.java: log.info("[" + mixId + "] " + username + " revealed output");
main/java/com/samourai/whirlpool/server/services/MixService.java: log.info("[" + mixId + "] " + username + " registered signature");
main/java/com/samourai/whirlpool/server/services/PoolService.java: log.info("[" + pool.getPoolId() + "] " + username + " removed 1 liquidity from pool");
main/java/com/samourai/whirlpool/server/services/PoolService.java: log.info("[" + pool.getPoolId() + "] " + username + " removed 1 mustMix from pool");
main/java/com/samourai/whirlpool/server/controllers/websocket/ConfirmInputController.java: log.debug("(<) [" + payload.mixId + "] " + username + " " + headers.getDestination());
main/java/com/samourai/whirlpool/server/beans/Mix.java: log.info("[" + mixId + "] " + username + " unregistered from confirming inputs");
main/java/com/samourai/whirlpool/server/controllers/websocket/RevealOutputController.java: log.debug("(<) [" + payload.mixId + "] " + username + " " + headers.getDestination());
main/java/com/samourai/whirlpool/server/controllers/websocket/SigningController.java: log.debug("(<) [" + payload.mixId + "] " + username + " " + headers.getDestination());
main/java/com/samourai/whirlpool/server/config/websocket/WebSocketConfig.java: log.debug("(<) " + username + " subscribe");
main/java/com/samourai/whirlpool/server/config/websocket/WebSocketConfig.java: log.debug("(<) " + username + " connect");
main/java/com/samourai/whirlpool/server/config/websocket/WebSocketConfig.java: log.debug("(<) " + username + " disconnect");
```
```
> grep log **/*.java | grep "ip="
main/java/com/samourai/whirlpool/server/services/RegisterInputService.java: log.warn("Rejecting banned UTXO: [" + banTO.get() + "], ip=" + ip);
```
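Added example, not part of the original post or the Whirlpool code base: a small log-review script that parses the message shapes from the grep listing above and groups them by session ID, showing what a single log file ties to one identifier. The sample lines and IDs are constructed, and the script assumes the message text has no logger prefix such as a timestamp or level.

```python
import re
from collections import defaultdict

# Message shapes copied from the log statements in the grep listing above.
SESSION_RE = re.compile(
    r"^\(<\) (?P<user>[^\s:]+):? (?P<event>connect|disconnect|subscribe)$")
SCOPED_RE = re.compile(
    r"^\[(?P<scope>[^\]]+)\] (?P<user>\S+) (?P<event>revealed output"
    r"|registered signature|removed 1 (?:liquidity|mustMix) from pool"
    r"|unregistered from confirming inputs)$")

# Constructed sample: message text only (no logger prefix), made-up IDs.
SAMPLE_LOG = """\
(<) sess-a1 connect
(<) sess-b2 connect
[pool-x] sess-a1 removed 1 mustMix from pool
[pool-x] sess-b2 removed 1 liquidity from pool
[mix-01] sess-a1 registered signature
[mix-01] sess-b2 unregistered from confirming inputs
(<) sess-b2: disconnect
unrelated line that matches no known shape
"""

def timelines(log_text):
    """Group recognised log messages by session ID, in order of appearance."""
    by_session = defaultdict(list)
    for line in log_text.splitlines():
        m = SCOPED_RE.match(line) or SESSION_RE.match(line)
        if not m:
            continue  # unrecognised message shape: skip rather than guess
        scope = m.groupdict().get("scope")  # mix/pool ID, None for connect etc.
        by_session[m["user"]].append((scope, m["event"]))
    return dict(by_session)

def sessions_per_scope(by_session):
    """For each mix or pool ID, list the session IDs the log ties to it."""
    scopes = defaultdict(set)
    for user, events in by_session.items():
        for scope, _ in events:
            if scope is not None:
                scopes[scope].add(user)
    return {scope: sorted(users) for scope, users in scopes.items()}

if __name__ == "__main__":
    tl = timelines(SAMPLE_LOG)
    for user, events in tl.items():
        print(user, events)
    print(sessions_per_scope(tl))
```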