Module 03

RISK ASSESSMENT

Documented threats, attack vectors, and mitigation strategies

RISK-01: PHISHING CLONE SITES

SEVERITY: CRITICAL

Documented phishing clone sites impersonate Privnote and intercept note content. The most documented example is privnotes.com, which has been observed modifying cryptocurrency wallet addresses in notes, causing direct financial loss.

Attack vector: Typosquatting / search engine manipulation / malicious links
MITIGATION: Always navigate directly to privnote.com. Bookmark the official site. Verify domain before every use.

RISK-02: LINK INTERCEPTION

SEVERITY: MEDIUM

If the Privnote URL is intercepted before the intended recipient opens it, the interceptor can read the note and the intended recipient will find it destroyed. Links can be intercepted via compromised email, malware, or insecure messaging channels.

Attack vector: Email compromise / clipboard monitoring malware / insecure channels
MITIGATION: Use password protection. Enable notifications to detect unexpected access. Use secure channels for link delivery.

RISK-03: RECIPIENT SCREENSHOT

SEVERITY: MEDIUM

Self-destruction only prevents URL re-use. The recipient can screenshot, copy, or record the note content. Once displayed, information is in the recipient's control.

Attack vector: Recipient action / screen recording software
MITIGATION: Only send Privnotes to trusted recipients. Accept that displayed content may be preserved by the recipient.

RISK-04: ACCIDENTAL SELF-DESTRUCTION

SEVERITY: LOW

Sender accidentally clicks their own note link, destroying it before the recipient can read it. Common user error, especially when verifying the link works.

Attack vector: User error
MITIGATION: Never click your own note link. Test the workflow with dummy notes first. Use the "Select link" button to copy without clicking.

RISK-05: SERVER TRUST

SEVERITY: LOW (EVERYDAY USE)

Users trust that Privnote's JavaScript correctly implements encryption and that the service actually deletes notes. Since Privnote is not open-source, these properties cannot be independently verified.

Attack vector: Malicious JavaScript / server-side data retention
MITIGATION: Acceptable for everyday use. For high-stakes data, use open-source audited alternatives.

RISK-06: URL TRUNCATION

SEVERITY: LOW

Some messaging apps truncate long URLs, removing the # fragment that contains the decryption key. The recipient receives a broken link that cannot decrypt the note.

Attack vector: Messaging app URL handling
MITIGATION: Send links via email when possible. Test link delivery in your chosen channel before sending sensitive notes.