fishcake on Nostr
I think the main problem lies (and I am speculating here since I just woke up and didn’t check the NIPs yet) in how the event is signed and verified. I think it allowed the attacker (a somewhat good one in this case) to manipulate the type of the event and potentially some tags. This means that they could have taken any events that are stored on a relay and changed what they could without breaking the signature. Then, anything like spam reports, emotions, etc., could be converted into a DM or a normal note. It’s possible some other method was used, but that’s the best I could imagine in my sleep without checking how it actually is. 🐶🐾🫡
Published at 2023-06-17 21:17:17
Event JSON
{
"id": "f800dd37bd381a70c82aae5a967d3e5897cc204916c21b75e37954a16c925383",
"pubkey": "8fb140b4e8ddef97ce4b821d247278a1a4353362623f64021484b372f948000c",
"created_at": 1687036637,
"kind": 1,
"tags": [
[
"e",
"8699d7f30fc854e8194538c30e7db78a059b7c8e6e9e08a45b9fd6312f2cfb6d",
""
],
[
"e",
"e3b47b5401fcdc75f6be3b1f6c476448d1a58dab51d19844e790ca0979a3c40c"
],
[
"p",
"eeadea6cbb5018a190f0117857de513cc271d24c947d56cd82c54a6b64ae47a4"
],
[
"p",
"40dba08627a2f2c69c3031666149b567168f049894aa5c42203a3920a3de8483"
]
],
"content": "I think the main problem lies (and I am speculating here since I just woke up and didn’t check the nips yet) in how the event is signed and verified. I think it allowed attacker (somewhat good one in this case) to manipulate the type of the event and potentially some tags. This means that they could have taken any events that are stored on relay and change what they could without breaking signature. Then, any thing like spam reports, emotions, ets, could be converted into DM, or normal note. It’s possible some other method was used but that’s the best I could imagine in my sleep without checking how actuality is. 🐶🐾🫡",
"sig": "19819750e23741e781192c8dd91bfe80681dea37404a621df4d9d062532305dd0a6ffdb9ae4dbcc64b739eeb72244c49b349368f3472c7f07498f15a1c8a5013"
}