Security issue on hosted libraries: private key is being sent

Hi all,

I’ve looked over the hosted PHP libraries on nem.io and found that one of the libraries sends the private key.

I believe it’s not safe and not how it is supposed to work, so the library at least should be removed from the NEM official web site:

Bug bounty: NDNRSW-FEQ256-HQLUYT-L6SOS3-RYHEJK-BLOWL2-C6MJ

@namuyan I believe this is your library. Could you look at this?

Looks to be a RequestPrepareAnnounce transaction, which uses trusted nodes to create the signed transaction, ready for broadcast. On the dev docs it does warn that it’s to be used with trusted local nodes only.

https://nemproject.github.io/#requestPrepareAnnounce


Just to clarify the issue:

Some requests do require the private key to be sent, but it should be done only if the NIS server is running locally: https://nemproject.github.io/#accountPrivateKeyTransactionsPage

In that library, requests send the private key by default without checking whether it will be sent to a local or a remote address. A developer could import that library and start using it without checking the code, and may try to use remote public supernodes, sending them his private key…
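The guard the thread is asking for, as an added example in Python (not the PHP library under discussion and not NEM project code): a client-side check that refuses to send any request carrying a private key unless the NIS node URL points at the local machine. It assumes the private key travels in a JSON field named "privateKey" (as the RequestPrepareAnnounce payload in the linked docs does) and that NIS listens on port 7890; the endpoint path, transport callback, sample payload and placeholder key are constructed for illustration.

```python
"""Refuse to send a private key to anything but a local NIS node.

Added example for this thread; not the PHP library being discussed and not
NEM project code. Assumptions: the caller supplies the NIS base URL, and
requests that need the private key carry it in a JSON field "privateKey".
The send() callback, endpoint path and sample payload are constructed.
"""
import ipaddress
from typing import Any, Callable, Dict
from urllib.parse import urlsplit


class PrivateKeyLeakError(RuntimeError):
    """Raised when a request carrying a private key targets a remote host."""


def is_loopback_host(url: str) -> bool:
    """True only if the URL's host is literally the local machine.

    Accepts "localhost" and loopback IP literals (127.0.0.0/8, ::1).
    Any other name is treated as remote without DNS resolution, so a
    hostname such as "127.0.0.1.example" cannot pass as local.
    """
    host = urlsplit(url).hostname
    if host is None:
        return False
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def carries_private_key(payload: Any) -> bool:
    """Walk a JSON-like object and report whether any key is "privateKey"."""
    if isinstance(payload, dict):
        return any(key == "privateKey" or carries_private_key(value)
                   for key, value in payload.items())
    if isinstance(payload, list):
        return any(carries_private_key(item) for item in payload)
    return False


def guarded_post(node_url: str, path: str, payload: Dict[str, Any],
                 send: Callable[[str, Dict[str, Any]], Any]) -> Any:
    """Send `payload` to node_url + path unless that would leak a key.

    `send` is the caller's HTTP transport (a real client would wrap its
    HTTP library here). The check runs before any network I/O happens.
    """
    url = node_url.rstrip("/") + path
    if carries_private_key(payload) and not is_loopback_host(url):
        raise PrivateKeyLeakError(
            f"refusing to send a private key to non-local node {node_url!r}")
    return send(url, payload)


# Constructed sample: shape of a prepare-announce request; key is a placeholder.
SAMPLE_PAYLOAD = {
    "transaction": {"type": 257, "recipient": "RECIPIENT-ADDRESS-PLACEHOLDER",
                    "amount": 1000000},
    "privateKey": "00" * 32,  # placeholder, not a real key
}


def demo() -> Dict[str, Any]:
    """Run the guard against a local and a remote node; return what happened."""
    sent = []

    def fake_send(url: str, payload: Dict[str, Any]) -> str:
        sent.append(url)  # records that a request actually went out
        return "ok"

    result = {"local": guarded_post("http://127.0.0.1:7890",
                                    "/transaction/prepare-announce",
                                    SAMPLE_PAYLOAD, fake_send)}
    try:
        guarded_post("http://supernode.example:7890",
                     "/transaction/prepare-announce", SAMPLE_PAYLOAD, fake_send)
        result["remote"] = "sent"  # must never happen
    except PrivateKeyLeakError as exc:
        result["remote"] = str(exc)
    result["urls_hit"] = sent
    return result


if __name__ == "__main__":
    print(demo())
```

The host check deliberately does not resolve DNS names: a name that happens to resolve to 127.0.0.1 today may not tomorrow, so only "localhost" and loopback IP literals count as local. Everything else is refused before the request leaves the process.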