Join Nostr
2026-06-11 11:14:38 UTC

dzlandis on Nostr: Your Nostr private nsec key could have been exposed simply by visiting a website. ...

Your Nostr private nsec key could have been exposed simply by visiting a website. 😱

I recently found and privately disclosed a high-impact vulnerability in Flamingo, a Nostr browser extension similar to nos2x and Alby that lets websites request your public key and ask you to sign Nostr events without handing every site your private key.

While reviewing the code, I noticed that Flamingo’s webpage-to-extension message bridge was too permissive. A normal webpage could reach an internal extension method that should only have been available to Flamingo itself, allowing the page to export the stored nsec.

The maintainer responded quickly and shipped a fix in v0.1.1. Page-originated calls are now restricted to the intended public NIP-07 methods, while sensitive extension-only methods are blocked from websites.

If you use Flamingo, make sure you are updated to v0.1.1.

Proud to have helped catch this before it could do real damage, and shoutout to the maintainer for handling the report quickly and cleanly.