I bet the NIP05 address verification can be gamed as well
Turned up the security settings on #Amethyst to 11, and want to point out that nostr:npub1wl89d7yazg500lehg08p45dj2jzhhyqg2erj067458e3wd30djns4zn8lu (as an example) could still snipe an IP address with his banner image if he wanted to, because this app's security implementations are a joke...
#m=image%2Fjpeg&dim=1061x1116&blurhash=%7C13%2BDt%3Fb_3%3Fb9FWBWB4nfQs%3At7M%7BM%7Boft7j%5BayWBofxuM%7BIUWBayWBofayxtxuRjM%7Bj%5Bj%5BWBWBRjt7xuRjM%7Bj%5BWBWBa%7CRj%25MxuWBM%7BRjRjRjWBayWBofRjRjofj%5Bayj%5BWBt7ofWBRjWBj%5BfQj%5BofWBWBRjRjayj%5Bofofof&x=d5da28df6ccc20458c8224ce86cc14c13c1edea9d292fa3ef5995db0cda66aa5
#m=image%2Fjpeg&dim=1075x1131&blurhash=%7CO9%40F%5EbpjYs.oeR%25V%5Bf5Wo%3FKR%24WAsoofWUagf5bGn.WBWAjba%7DfjofjYoeM_jdbHa%23R*ofofaxodISnnogW%3BR*t7oeWCjZD%7DoMt8baWBs%3BWnWXe%3DD%24oJt7bXoeo3WTa%7EahX4oKaebEs%3AaeR*ofaio%7Bj%5DRjj%5Bt7V%40WCofa%24&x=c91dd00e0fcb6527ace6b8e1cb362aed288515e3ab6ae6b32212d5d5dcef89b3
Discussion
I thought this was done by DNS TXT record, but you're right, it accesses a file in the ".well-known" directory on a web server. That's awful!
Here's how I'd do it:
Create a wildcard DNS entry for the file server, with the server configured to accept any subdomain as valid. "*.example.com/.well-known/nostr.json" will always resolve, and the format of the subdomain will inform the server what JSON data to return (though it doesn't actually have to be valid, the point is just to leak an IP, which will happen regardless).
Then just DM people bait messages like "Hey, it's been a while" with a virgin account, and if they look at your profile, you'll have their IP.
If the subdomain string can be used to reference a npub, you'll have an IP/npub pair.
Oh good god, I just read NIP-30. I'm losing my goddamn mind.