onionshare / onionshare-android

Android version of OnionShare
https://onionshare.org/
GNU General Public License v3.0

Change Private Key For a New Upload #120

Closed adnm9 closed 3 months ago

adnm9 commented 3 months ago

The app appears to use the same private key when doing a new upload (the part of the URL after .onion stays the same), though it does change the Tor address. There doesn't seem to be any benefit to this, and it poses a potential security risk if an old link gets leaked somewhere and has the private key in it. It seems like it would be trivial to have the app delete the private key along with the zip file when it is done sharing. A more complicated solution would be to generate multiple private keys from a master key, but this doesn't seem to provide any benefit. Thanks

akwizgran commented 3 months ago

Thanks for reporting this @adnm9. The random part of the URL after .onion is meant to stop other apps on the same device from downloading the files directly from OnionShare. I agree that it should be changed each time a new set of files is shared. I'll open a PR for this.
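
The behaviour agreed on above, sketched as an added example that is not OnionShare's code and not part of the thread: a local share server that requires a random path segment and replaces it for every new share. The `ShareServer` class, its methods and the file names are hypothetical, and the 128-bit token length is an assumption.

```python
import hmac
import secrets


class ShareServer:
    """Hypothetical model of a local share server; not OnionShare's code."""

    def __init__(self):
        self._token = None   # random path segment for the active share
        self._files = None

    def start_share(self, files):
        # Fresh 128-bit token per share (length is an assumption), so a
        # link from an earlier share never matches a later one.
        self._token = secrets.token_urlsafe(16)
        self._files = dict(files)
        return "/" + self._token + "/"

    def stop_share(self):
        # Discard the token together with the shared data.
        self._token = None
        self._files = None

    def handle(self, path):
        """Return (status, body) for a request path."""
        if self._token is None:
            return 404, b""
        parts = path.split("/", 2)   # "/<token>/<name>" -> ["", token, name]
        if len(parts) != 3 or parts[0] != "":
            return 404, b""
        supplied, name = parts[1], parts[2]
        # Constant-time comparison, so response timing does not leak the token.
        if not hmac.compare_digest(supplied.encode(), self._token.encode()):
            return 404, b""
        body = self._files.get(name)
        return (200, body) if body is not None else (404, b"")


def demo():
    # Constructed sample data: two consecutive shares on one server.
    server = ShareServer()
    old_prefix = server.start_share({"a.zip": b"first"})
    server.stop_share()
    new_prefix = server.start_share({"b.zip": b"second"})
    return {
        "old_link": server.handle(old_prefix + "b.zip")[0],
        "new_link": server.handle(new_prefix + "b.zip")[0],
        "no_token": server.handle("/b.zip")[0],
        "prefixes_differ": old_prefix != new_prefix,
    }
```

A request that carries the previous share's path segment, or none at all, gets the same 404 as a request for a file that does not exist.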

adnm9 commented 3 months ago

Appreciate it, thanks!