El Salvador’s proprietary ‘Chivo’ Bitcoin wallet went live earlier this week, but users have already reported bugs in the app’s interface.
While the majority of the bugs reported by users were minor errors when sending Lightning payments, a significant privacy issue was discovered within the app’s code.
The full legal name of the invoice’s creator was included in the lightning invoices generated by Chivo, according to Matt Ahlborg, the head of research at BitRefill. This posed a serious risk to the security of other personal data stored within the app and alarmed many of the wallet’s Twitter users.
The lightning invoices generated by Chivo contain the full legal name of the creator of the invoice. This to me seems like a privacy issue that should be dealt with. pic.twitter.com/3z39s7NoCO— Matt Ahlborg (@MattAhlborg) September 7, 2021
The Chivo development team works quickly to resolve a potentially harmful privacy issue.
The potentially harmful privacy issue, on the other hand, appears to have been resolved in less than 24 hours after being reported on Twitter.
According to Ahlborg, accessing the app’s core code no longer reveals the issue, indicating that it has been resolved.
Yesterday I tweeted about a #ChivoWallet privacy issue where the users’ full legal name was being leaked in the LN invoice metadata. It appears to be fixed, and what’s in its place is “Thanks Matt Ahlborg”, which I guess is to show that they saw my tweet.https://t.co/TF0zOy3aYS pic.twitter.com/06AeDTQrPD— Matt Ahlborg (@MattAhlborg) September 8, 2021
The ‘Chivo’ app now displays the time of the transaction and a message saying “Thanks Matt Ahlborg” for invoices sent over the Lightning network. This was confirmed by dozens of other Twitter users, all of whom contacted Ahlborg and stated that the message appeared in their receipts.
Ahlborg believes this was a way for the wallet’s development team to acknowledge the problem and demonstrate that it was quickly resolved.
While many believe this demonstrates El Salvador’s commitment to providing the best payment infrastructure possible, locals have reported significant difficulties when using Chivo. According to a Local10 report, Chivo servers have been collapsing since the wallet’s launch as over a million people attempted to download the app.
El Salvador’s President, Nayib Bukele, addressed the issue on Twitter, urging citizens to “take it slow” because the country was releasing the app in stages to avoid overloading the servers.
Vamos a ir despacio.@GooglePlay es la tienda más usada en El Salvador, por lo que la abriremos por partes y así no saturar los servidores.@chivowallet ya está disponible en @GooglePlay, pero únicamente para todas las versiones del Samsung Galaxy S20 y del Samsung Galaxy S21.— Nayib Bukele 🇸🇻 (@nayibbukele) September 8, 2021
Many people also had problems spending the $30 government bonus, and hundreds of people reported problems with Chivo ATMs when attempting to exchange dollars for BTC.