bonsai-pay recipient email address information disclosure

Low
kevinnassery published GHSA-49mm-xg2c-r46j Nov 15, 2023

Package

bonsai-pay

Affected versions

< `[1d2afd8]`

Patched versions

>= `[1d2afd8]`

Description

Note: bonsai-pay has not undergone a detailed security analysis and may contain other, more serious security flaws. Do not use this application without extensive further security analysis.

Impact

Recipient email addresses of bonsai-pay test transactions were recorded in readable form on the Ethereum Sepolia blockchain between the demo application launch on November 9, 2023 and our identification of the issue on November 12, 2023.

This issue did not compromise the security of the test funds being transacted.

We urge any current or future operators of bonsai-pay deployments to upgrade to the latest upstream version to prevent this information disclosure.

Patches

The bonsai-pay deployment operated by RISC Zero has been revised to record a SHA256 hash of the recipient email address, rather than the address itself, as of commit [1d2afd8], and the demo application that RISC Zero operates has subsequently been updated.

Workarounds

All adopters who are concerned with the privacy of recipient email addresses should upgrade to [1d2afd8] or later. Users of third-party bonsai-pay applications should verify with their payment operators that they are running an updated version.

Severity

Low

CVE ID

No known CVE

Weaknesses

No CWEs