▲ ▼
 https://github.com/lnbits/lnurlp/commit/efb2eef32371a2837c0377708d13bff915958f55

it did not in fact fix zaps. 
▲ ▼
 Oof reverting to 0.4.0 crashed LNBits 😂 
▲ ▼
 My man just use your Strike lightning address to receive zaps 😂 
▲ ▼
 Test zap plz sir. Got 0.4.0 working. 
▲ ▼
 Zap went through, but no receipt published 
▲ ▼
 Rage. Thank you. 
▲ ▼
 oh it looks like that commit is from a newer release. gotta figure out how to manually get this version since it's not in the lnbits extension market yet. 
▲ ▼
 I’d just wait cause you probably need this too

https://github.com/lnbits/lnurlp/pull/67 
▲ ▼
 i hope this is pushed to prod soon so i can install this version via lnbits. this is going to annoy me something fierce until it's fixed 😟  
▲ ▼
 You're going to be more than annoyed if you get rugged because of the security vulns that @semisol talked about 😂 
▲ ▼
 I wish he'd provide a writeup on that or link the existing note because it's very possible it was fixed a while ago 
▲ ▼
 it’s more their track record; I have only explored a certain portion of their code 

like 2 years ago, I had to annoy them for months before an SQL injection bug got fixed (it was simple also, they were passing field names from request body directly to the DB)

they also took a month of pestering to fix a bug that allowed draining Eclair nodes… with a hodl invoice (yes, you just wait 30 seconds)

their satsdice plugin had improper access control, meaning invoice keys meant to be receive only could drain wallets 
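
Added example, not part of the thread and not LNbits code: the kind of bug the comment above describes, where field names taken from a request body are formatted into SQL, shown next to an allow-list check. The table, column names and request body are constructed for illustration.

```python
import sqlite3

# Hypothetical schema, constructed for this example (not the project's tables).
ALLOWED_FIELDS = {"description", "webhook_url"}


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE pay_links (id INTEGER PRIMARY KEY, "
        "description TEXT, webhook_url TEXT, wallet TEXT)"
    )
    db.execute("INSERT INTO pay_links VALUES (1, 'tips', '', 'wallet-A')")
    return db


def update_naive(db, link_id, body):
    # Values are bound as parameters, but the request body's keys are
    # formatted straight into the statement. Placeholders only protect
    # values, so a key can carry SQL of its own.
    assignments = ", ".join(f"{key} = ?" for key in body)
    db.execute(
        f"UPDATE pay_links SET {assignments} WHERE id = ?",
        (*body.values(), link_id),
    )


def update_checked(db, link_id, body):
    # Every key must match a fixed allow-list before any SQL text is built.
    unknown = set(body) - ALLOWED_FIELDS
    if unknown:
        raise ValueError(f"unexpected fields: {sorted(unknown)}")
    if not body:
        return
    assignments = ", ".join(f"{key} = ?" for key in body)
    db.execute(
        f"UPDATE pay_links SET {assignments} WHERE id = ?",
        (*body.values(), link_id),
    )


def wallet_of(db, link_id):
    row = db.execute("SELECT wallet FROM pay_links WHERE id = ?", (link_id,))
    return row.fetchone()[0]
```

The allow-list also blocks a plain `{"wallet": ...}` key, which the naive version would accept without any SQL in the key at all.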
▲ ▼
 semi 
▲ ▼
 still using that insecure software? 😂 
▲ ▼
 reminds me;  nevermute      .   (*semi*) 
▲ ▼
 moistly 
▲ ▼
 maybe this PR will fix the problem https://github.com/lnbits/lnurlp/pull/67