Data leakage when funding Bisq #1559
Comments
|
No that is not done with the payment protocol but the Bitcoin URI can contain a message, so it is just part of the QR code and only shared between Bisq and the scanning wallet. |
|
Ok - and using a QR code, that is not via the IP network. Good... BUT - I would rather not have any description stored in my phone. Phones are insecure and subject to seizure/theft. Copy/paste does not work from a desktop (Bisq) to a phone. Only on the same device, I have found a weird different solution.. Install Electrum and restore the Mycellium seed. Then you have a wallet that exists as a dual view. One on the phone, the other on the desktop - but just one wallet. |
|
You should be able on the phone to edit/delete the label text. |
When you scan the QR code to fund your Bisq wallet, using the defaults, it sets a description of "Fund Bisq wallet"... or at least it does when you send from Mycellium.
Presumably this is done using the payment protocol, but it leaks information. That payment protocol transfer is clear text. Easily intercepted on the network. Correlation of metadata then lets an attacker know that you are using Bisq, and how much your wallet is funded by. If it is a big amount, you become a target.
I suggest that using the payment protocol becomes optional. Just a QR code of the receiving address should be the default setting.
The text was updated successfully, but these errors were encountered: