Appreciate the shout-out nostr:nprofile1qy2hwumn8ghj76rfwd6zumn0wd68ytnvv9hxgqg6waehxw309ahx7um5wfjkccte9euk2emgwfhjucm0d5q3yamnwvaz7tmsw4e8qmr9wpskwtn9wvq3gamnwvaz7tmjv4kxz7fwv3sk6atn9e5k7qghwaehxw309aex2mrp0yhxvmm4de6xz6tw9enx6qgkwaehxw309aex2mrp0yhxummnw3ezucnpdejqz9nhwden5te0wfjkccte9ec8y6tdv9kzumn9wsqzp7ppz7dat453ccd5x43nvwy2mtwresfsfay7wudg0sudulk5l5pzr0eztk. However, your latest official v1.6 is once again HIGHLY INSECURE, as it completely bypasses the security I added to the backend.

The secure NIP-98 version of your plugin is v1.5, which I've posted as a package on my GitHub:

https://github.com/robwoodgate/YEGHRO_NostrLogin/releases/tag/v1.5

Note: since the PR I made to your repository, I've added a check for the required PHP extension... it should now fail gracefully if not enabled.

I'd recommend rolling back to my version ASAP.

Discussion

Oh no, I thought I followed the NIP-98 specs.

Your new Nostr_Event class looks like it follows NIP-98, but:

a) you haven't actually used it (it isn't called anywhere in the code), and

b) your class doesn't implement the signature check, so it's simple to send a fake one.

You can't really avoid the cryptography in the back end. Without a signature check, you can't be sure the event isn't faked.
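As an added illustration of the checks the replies above describe (not code from the plugin or from either poster), here is a self-contained NIP-98 verifier in Python rather than the plugin's PHP, so it runs stand-alone: it requires kind 27235, binds the event to the request URL and method, rejects stale events, recomputes the NIP-01 event id, and finally verifies the BIP-340 Schnorr signature over that id. The URL and sample event in the comments are constructed placeholders.

```python
import hashlib, json, time
P = 2**256 - 2**32 - 977  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and a[1] != b[1]:
        return None
    lam = (3 * a[0] * a[0] * pow(2 * a[1], P - 2, P) if a == b
           else (b[1] - a[1]) * pow(b[0] - a[0], P - 2, P)) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def _mul(p, n):  # double-and-add scalar multiplication
    r = None
    while n:
        r = _add(r, p) if n & 1 else r
        p, n = _add(p, p), n >> 1
    return r

def schnorr_verify(msg32, pubkey32, sig64):
    """BIP-340 verification: msg32 is the Nostr event id, pubkey32 the x-only key."""
    if len(msg32) != 32 or len(pubkey32) != 32 or len(sig64) != 64:
        return False
    x, r, s = (int.from_bytes(b, "big") for b in (pubkey32, sig64[:32], sig64[32:]))
    ysq = (pow(x, 3, P) + 7) % P
    y = pow(ysq, (P + 1) // 4, P)  # lift_x: recover the even-y point for x
    if x >= P or r >= P or s >= N or pow(y, 2, P) != ysq:
        return False
    t = hashlib.sha256(b"BIP0340/challenge").digest()
    e = int.from_bytes(hashlib.sha256(t + t + sig64[:32] + pubkey32 + msg32).digest(), "big") % N
    R = _add(_mul(G, s), _mul((x, y if y % 2 == 0 else P - y), N - e))  # R = s*G - e*P
    return R is not None and R[1] % 2 == 0 and R[0] == r

def event_id(ev):  # NIP-01 id: sha256 of the canonical JSON array
    fields = [0, ev["pubkey"], ev["created_at"], ev["kind"], ev["tags"], ev["content"]]
    return hashlib.sha256(json.dumps(fields, separators=(",", ":"), ensure_ascii=False).encode()).hexdigest()

def verify_nip98(ev, url, method, now=None, max_age=60):
    """Accept only a fresh kind-27235 event bound to this URL and method whose id and sig check out."""
    now = time.time() if now is None else now
    tags = {t[0]: t[1] for t in ev.get("tags", []) if len(t) >= 2}
    if ev.get("kind") != 27235 or tags.get("u") != url or tags.get("method", "").upper() != method.upper():
        return False
    if abs(now - ev.get("created_at", 0)) > max_age or ev.get("id") != event_id(ev):
        return False  # stale/replayed, or the id does not hash the content
    return schnorr_verify(bytes.fromhex(ev["id"]), bytes.fromhex(ev["pubkey"]), bytes.fromhex(ev["sig"]))
```

An event whose tags and kind look right but whose `sig` was not produced by the holder of `pubkey` fails at the last line; dropping that line is exactly what makes a faked event pass.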