Replying to nitesh

Zaps are broken. There is a vulnerability/bug (depending on how you see it) where you could show off on social media that you zapped someone but you could just pay yourself.

Here’s how to reproduce it:

When you click zap, an invoice is fetched from a URL that looks like this:

- https://stacker.news/api/lnurlp/02fbae2cc5/pay?SOMECRAP

- Replace 02fbae2cc5 with your own user ID, fetch the invoice and pay it, so you pay yourself. Check the post you’re trying to zap; it will get updated saying you zapped them. LOL

https://snort.social/e/note1sxedhg4r6tyjamdtr7txzxda5e24tkfxh9amgxs5cpccw3e0v9vs36vfxq

This is an example post. Only one of my zaps is real; the other two I just paid myself.

#[0] found this out.

This is just a problem in stacker.news. They could just enforce that the request has to be to the user's npub.


Discussion

I don’t think it’s just stacker.news issue. I have a feeling so many other services will show up with the same issue.

Very easily solvable.

How would providers verify pubkey? I don’t understand.

The nostr pubkey of the user of the target note is in the nostr= part of the lnurl call and also needs to be set up on your stacker account? So it can be verified, no?

Yes, stacker.news has the pubkey as part of setup for receiving zaps. Probably a bug on their side; it's nothing that can’t be fixed.

But that’s not a requirement according to NIP57, right?

No, as they don’t know it.