
LNURL withdraw bug: HTTP vs. HTTPS #97

Open
chill117 opened this issue Oct 1, 2022 · 2 comments

Comments

@chill117

chill117 commented Oct 1, 2022

Hello and thank you for putting your energy and time toward creating a user-friendly Bitcoin Lightning wallet. I have heard good things about the app but I hadn't used it or tested it much until recently.

During my recent testing, I may have discovered an issue with Muun's handling of LNURL withdraw QR codes. Muun is able to read the QR code, it successfully decodes the LNURL-encoded URL, but it fails just before attempting the HTTPS request. I see in my server logs that no request was received - not by the local web server or the ngrok proxy. Muun shows the following error message:

The service that created the LNURL code is unavailable. Please, try again later.

[Screenshot: muun-lnurl-withdraw-error]

When I change the URL to HTTP it works. But it is also necessary to change the "callback" property of the initial LNURL withdraw response object to HTTP - otherwise Muun fails at the second step.

The LNURL spec says that only HTTPS URLs should be allowed - unless it is a TOR onion URL:

LNURL is acceptable in two forms: either an https:// clearnet link (no self-signed certificates allowed) or an http:// v2/v3 onion link.

See lud-01

The reasoning to disallow HTTP is to prevent a malicious MITM from stealing funds that are available to anyone who has the LNURL withdraw URL. It's ok to allow HTTP for TOR onion URLs because TOR clients do their own encryption.

Muun version 49.10

Thanks again for your work on Muun! Please let me know if you need any more info from me.

@chill117 chill117 changed the title LNURL withdraw: HTTP vs. HTTPS LNURL withdraw bug: HTTP vs. HTTPS Oct 1, 2022
@champo
Contributor

champo commented Oct 3, 2022

Hi! Thanks for the report. This is a bit strange; we require URLs to be HTTPS and fail if they are HTTP.

A few questions to clarify

  1. Did you download Muun from the playstore?
  2. Is the URL TOR? We don't support TOR right now
  3. Can you share the url with us for testing? If this is sensitive, you can reach out to me directly via champo at muun dot com

@chill117
Author

chill117 commented Oct 4, 2022

> Hi! Thanks for the report. This is a bit strange; we require URLs to be HTTPS and fail if they are HTTP.
>
> A few questions to clarify
>
>   1. Did you download Muun from the playstore?
>   2. Is the URL TOR? We don't support TOR right now
>   3. Can you share the url with us for testing? If this is sensitive, you can reach out to me directly via champo at muun dot com

  1. Yes, I installed the Muun app from the PlayStore - Muun version 49.10
  2. No, the LNURL is a clearnet HTTPS URL.
  3. Here's a fresh LNURL for 0.10 EUR:
  • LNURL1DP68GURN8GHJ7VTPXSCZ6D3K95URZTF38Q6Z6VF49EJH2TNWVAEX76EWD9HJ7AFLVC75242JYE5KG0TEFCM5YA63FDRHGARRY5E5GFNW85URZV3SXSMNGWPHYECXG0FXWPHR6VPWXYCZVURC85CZUVFSYEEN6VEKV3JRQD3KVGER2ENXVYMNZENZXCCXVVFEXUCXYV3EXUCRSVEJX5CNVWTYVG6RSVMXVYERGD3SXY6NWDESXF3XXVTXX43NYE33XF3JVAPAWU3ZGWQM
  • Decoded URL = https://1a40-66-81-184-15.eu.ngrok.io/u?f=EUR&id=yN7BwQKGttc%3D&n=812047487&pd=&pn=0.10&px=0.10&s=36dd066b25ffa71fb60f1970b29708325169db483fa2460157702bc1f5c2f12c&t=w
  • This resolves to a web server on my local machine so the above link will stop working as soon as I close the ngrok tunnel or kill the local web server.

The problem could be related to how old the Android OS is on the phone that I used for testing - Android 6.0.


I have done some additional testing, this time with Muun installed on an iPhone. The whole flow worked as expected. So it looks like it's just an issue with Muun on Android.
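The LUD-01 rule quoted in the first post (https:// on clearnet, http:// only for a .onion host) and the point that the withdraw response's "callback" must satisfy the same rule, as an added example that is not Muun's code or the reporter's: it bech32-decodes the LNURL posted above and checks the scheme of the decoded URL and of a callback. The LNURL and decoded URL constants are the ones from this thread; the sample .onion host and callback objects in the usage are constructed.

```python
from urllib.parse import urlsplit

# The LNURL and its decoded URL below are the ones posted in this issue.
ISSUE_LNURL = "LNURL1DP68GURN8GHJ7VTPXSCZ6D3K95URZTF38Q6Z6VF49EJH2TNWVAEX76EWD9HJ7AFLVC75242JYE5KG0TEFCM5YA63FDRHGARRY5E5GFNW85URZV3SXSMNGWPHYECXG0FXWPHR6VPWXYCZVURC85CZUVFSYEEN6VEKV3JRQD3KVGER2ENXVYMNZENZXCCXVVFEXUCXYV3EXUCRSVEJX5CNVWTYVG6RSVMXVYERGD3SXY6NWDESXF3XXVTXX43NYE33XF3JVAPAWU3ZGWQM"
ISSUE_URL = "https://1a40-66-81-184-15.eu.ngrok.io/u?f=EUR&id=yN7BwQKGttc%3D&n=812047487&pd=&pn=0.10&px=0.10&s=36dd066b25ffa71fb60f1970b29708325169db483fa2460157702bc1f5c2f12c&t=w"
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GEN = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)

def _polymod(values):
    chk = 1
    for v in values:
        top, chk = chk >> 25, ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            chk ^= GEN[i] if (top >> i) & 1 else 0
    return chk

def bech32_decode(s):  # returns (hrp, 5-bit data without checksum); LNURL has no 90-char cap
    if s != s.lower() and s != s.upper():
        raise ValueError("mixed-case bech32 string")
    s = s.lower()
    pos = s.rfind("1")
    if pos < 1 or len(s) - pos - 1 < 6:
        raise ValueError("missing separator or checksum")
    hrp, data = s[:pos], [CHARSET.find(c) for c in s[pos + 1:]]
    hrp_expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    if -1 in data or _polymod(hrp_expanded + data) != 1:
        raise ValueError("bad bech32 checksum")
    return hrp, data[:-6]

def decode_lnurl(lnurl):  # bech32-decode an LNURL (hrp "lnurl") into the URL it wraps
    hrp, data = bech32_decode(lnurl)
    if hrp != "lnurl":
        raise ValueError("not an LNURL")
    acc, bits, out = 0, 0, bytearray()
    for v in data:  # regroup 5-bit symbols into bytes; trailing pad bits are dropped
        acc, bits = (acc << 5) | v, bits + 5
        while bits >= 8:
            bits -= 8
            out.append((acc >> bits) & 0xFF)
    return out.decode("utf-8")

def lnurl_url_allowed(url):  # LUD-01: https:// on clearnet, http:// only for .onion
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    onion = host.endswith(".onion")
    return (p.scheme == "https" and not onion) or (p.scheme == "http" and onion)

def withdraw_callback_allowed(withdraw_response):  # step-2 callback gets the same rule
    return lnurl_url_allowed(withdraw_response.get("callback", ""))
```

A wallet that applies `lnurl_url_allowed` to the decoded URL and `withdraw_callback_allowed` to the first-step response rejects a plain-HTTP clearnet service at either step, which is the behaviour the spec excerpt calls for.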
