Final on Nostr: If an app loads remote content submitted by other users of the app, then attack ...
If an app loads remote content submitted by other users of the app, then attack surface for remote code execution vulnerabilities could be there. The most common example is instant messenger apps having zero-click exploits thanks to malicious attachments with payloads that the app automatically parses or loads.
These attacks are highly sophisticated (the ability to be able to do them is sold on bounty sites for millions of dollars) with the number of targets usually being in the hundreds. It isn't a concern for most people and you are not a significant target.
This also depends on a malicious actor knowing who you are to send an attachment. For the attacks you're talking about, the device is compromised, not the app. All apps need to be signed by the real developer to be an accepted update on the OS; it would need to have been a phishing app, the signing key of the real app compromised or the developer was intentionally malicious from the beginning.
For your example of attack, it wouldn't really be something typical of what someone would try to do with this, and it would show signs of compromise even if subtle. For example, if you're using a password manager to log into a service, why doesn't it recognize this fake web login page as a real one?
Native apps look very different to web pages and webviews. With this kind of attack they have a lot of access in different areas so there's no need