⚠️ Publishing our company podcast today I found an information leaking bug in Castopod :podcasting2: (npub19jk…pymw). I've already informed the authors via their security contact.
Because this leaks information now and maybe has already in the past I've published this bug shortly after the information to the authors. In short, consider all information send to a Castopod instance as public even if you set the visibility of your post to private for example in mastodon.
Short write up: https://leah.is/notes/private-message-leak-in-castopod/
Leah
npub1jv…vns8e
2025-07-11 15:27:22 UTC
Author Public Key
npub1jv839jknmmkx5lmfvvfy6wsg8qt60nww75urwsdggm3rqkvxm4hqkvns8eSeen on
wss://relay.momostr.pinkPublished at
2025-07-11 15:27:22 UTCEvent JSON
{
"id": "5f7f0d8531932806790afd6b6aee213ede42cd6306a8ccf7b4c07ae900a9e3cd",
"pubkey": "930f12cad3deec6a7f6963124d3a083817a7cdcef5383741a846e2305986dd6e",
"created_at": 1752247642,
"kind": 1,
"tags": [
[
"proxy",
"https://chaos.social/@leah/114835301519503784",
"web"
],
[
"p",
"2cac1e256aea7416f581c7584458f3a0e202fad8271e95bf4d7311db13c54d3b"
],
[
"proxy",
"https://chaos.social/users/leah/statuses/114835301519503784",
"activitypub"
],
[
"L",
"pink.momostr"
],
[
"l",
"pink.momostr.activitypub:https://chaos.social/users/leah/statuses/114835301519503784",
"pink.momostr"
],
[
"-"
]
],
"content": "⚠️ Publishing our company podcast today I found an information leaking bug in nostr:npub19jkpuft2af6pdavpcavygk8n5r3q97kcyu0ft06dwvgaky79f5asg0pymw. I've already informed the authors via their security contact. \n\nBecause this leaks information now and maybe has already in the past I've published this bug shortly after the information to the authors. In short, consider all information send to a Castopod instance as public even if you set the visibility of your post to private for example in mastodon.\n\nShort write up: https://leah.is/notes/private-message-leak-in-castopod/",
"sig": "b5d7605371046b7fc518da7af5059b158f901d7174ff65caca1b24bdf6c9a5cad67e49aaa54324d63953cb55bd262d70ced8ba43ff5d865f77a50ebc50e6c229"
}