Replying to Dan Gould

Seems like clients don’t verify that signatures actually come from that hardcoded key (which they are definitely able to do). Until that is done clients are still vulnerable to a coordinator tagging attack.

Hanshan 6mo ago

have you also verified about the signatures

or are you just taking floppy's word for it?

Discussion

Dan Gould 6mo ago

Ya `unblind` is called w/o signature verification. Easy fix http://ashicodepbnpvslzsl2bz7l2pwrjvajgumgac423pp3y2deprbnzz7id.onion/Ashigaru/Ashigaru-Terminal/src/commit/0bbed17ea5130bcf2aec5af6d3cc93f54aa9d871/darkjar/src/main/java/com/samourai/whirlpool/client/mix/MixProcess.java#L206-L214

Hanshan 6mo ago

Gotcha

thanks for the link
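
The check discussed in this thread, as an added example that is not part of the original posts or of the Ashigaru/Whirlpool code: a client that verifies the unblinded signature against its pinned coordinator key rejects a signature made with any other key. It assumes a textbook RSA blind signature (the thread does not name the scheme); the keys, the message and every function name here are constructed for illustration.

```python
# Added illustration: textbook RSA blind signature with toy keys (not secure sizes).
import hashlib
from math import gcd

def make_key(p, q, e=65537):
    """Return (n, e, d) for primes p and q."""
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

# Constructed keys built from Mersenne primes. PINNED plays the key hardcoded
# in the client; OTHER plays a different key used to mark one client's output.
PINNED = make_key(2**31 - 1, 2**61 - 1)
OTHER = make_key(2**89 - 1, 2**107 - 1)

def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def blind(msg, r, pub):
    n, e = pub
    if gcd(r, n) != 1:
        raise ValueError("blinding factor must be invertible mod n")
    return digest(msg, n) * pow(r, e, n) % n

def coordinator_sign(blinded, key):
    n, _, d = key
    return pow(blinded, d, n)

def unblind(blind_sig, r, pub):
    n, _ = pub
    return blind_sig * pow(r, -1, n) % n

def verify(msg, sig, pub):
    n, e = pub
    return pow(sig, e, n) == digest(msg, n)

def unblind_checked(msg, blind_sig, r, pub):
    """Unblind, then refuse to continue unless the pinned key verifies it."""
    sig = unblind(blind_sig, r, pub)
    if not verify(msg, sig, pub):
        raise ValueError("signature does not verify under the pinned key")
    return sig

def run_mix(signing_key, msg=b"receive-address", r=123457):
    """Client side of one round; signing_key is whatever the coordinator used."""
    pub = PINNED[:2]
    blinded = blind(msg, r, pub)
    return unblind_checked(msg, coordinator_sign(blinded, signing_key), r, pub)
```

`run_mix(PINNED)` returns a signature that verifies, while `run_mix(OTHER)` raises `ValueError` before the client would use the signature.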
