Open ghost opened 2 years ago
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
This issue has been automatically closed because of inactivity. Feel free to reopen it if you think it is still relevant.
Hi, a user has brought this up again.
@alvasw, please can you let me know if a solution is feasible?
Hi @jmacxx is this something you would be able to take on?
We can store the hashes of the banned payment accounts in the filter. The clients can hash their trade partner's payment account and compare it to the list of banned payment accounts.
Would be good to do if we intend on keeping Bisq 1 for trading after the move to Bisq 2.
Depending on timescales it might be better to remove the info from Bisq 1, and add the banned payment accounts to Bisq 2 in a way they are hashed?
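The hash-and-compare approach suggested in the comments above, sketched as an added example (not Bisq's code and not written by any participant in this thread). The class name, method names, normalization rule and payment-method IDs are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;
import java.util.Set;

// Hypothetical helper, not part of Bisq: the filter carries hashes, never raw account data.
public class BannedAccountHashes {

    // Canonical form, so " Alice@Example.com" and "alice@example.com" hash alike.
    // Assumed rule: trim whitespace and lower-case; a real scheme must fix this per method.
    static String normalize(String value) {
        return value.trim().toLowerCase(Locale.ROOT);
    }

    // SHA-256 over "<paymentMethodId> 0x00 <normalized value>". Binding the method id
    // stops the same string used with two payment methods from producing the same hash.
    static String hash(String paymentMethodId, String value) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(paymentMethodId.getBytes(StandardCharsets.UTF_8));
            md.update((byte) 0);
            md.update(normalize(value).getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder();
            for (byte b : md.digest()) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 must be available on every JVM", e);
        }
    }

    // Client side: hash the trade partner's account data and look it up in the filter.
    static boolean isBanned(Set<String> bannedHashes, String paymentMethodId, String value) {
        return bannedHashes.contains(hash(paymentMethodId, value));
    }

    public static void main(String[] args) {
        // Constructed sample data: the publisher hashes once and ships only the hash.
        Set<String> filter = Set.of(hash("EXAMPLE_METHOD", "banned.user@example.com"));

        System.out.println(isBanned(filter, "EXAMPLE_METHOD", " Banned.User@Example.com"));
        System.out.println(isBanned(filter, "EXAMPLE_METHOD", "other.user@example.com"));
        System.out.println(isBanned(filter, "OTHER_METHOD", "banned.user@example.com"));
    }
}
```

Emails and phone numbers come from a small, guessable space, so an unkeyed hash keeps them out of plain view in the filter but does not make them secret to someone who hashes candidate values.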
Description
I was using the debugger and saw a lot of records in `filterManager.getFilter().getBannedPaymentAccounts()`. Most of them contain sensitive data like email, username, phone etc. I'm pretty sure I didn't set them manually, so probably they were propagated via P2P network. It seems to be a security issue.
Version
1.8.6
Steps to reproduce
Not reproducible via UI. Use the debugger, stop somewhere where `filterManager` is available and check `filterManager.getFilter().getBannedPaymentAccounts()`.
Expected behaviour
I'm not sure - propositions: