 I'm new and a bit of a security geek, can you explain how the private key can be leaked? 
 Desktop keyloggers are the easiest way. Just monitor for the clipboard and if people copy their keys into memory to insert into an extension or a native app, send it to the attacker. 
 In your post, you said “unless you monitor your posts very closely”… is there a daily use from an app like Primal where this leak can occur? Or is this an attack vector risk from outside nostr? 
 My guess is that if you link to an untrustworthy Nostr app/PWA, that could be a problem as well. It's why I wish browser extensions like Flamingo would add PIN locks to them. In theory, any site could access your private key because the extension isn't locked. 
 Good call. I’ll have to avoid just hooking into any and all apps on a whim. So, no nsec promiscuity. Got it. 
 Gotcha, but that can also happen with any social media. I guess the immutability of the private key and lack of 2FA is particularly a problem in that case though.