Do you have any protection for web apps asking users to sign event ids? I could see this being misused to get users to sign events without them being able to see what they are signing