Replying to hodlbod

Malicious in the sense of surveillance/phishing. So say someone sends you an email with a link pointing to `/notes?relays=wss://bad-relay.com/myemailinbase64`, you click on it and your client auto-signs an AUTH challenge, bingo bongo they have correlated your email/pubkey. Basically an injection attack. As it happens, nostr:nprofile1qqs8hhhhhc3dmrje73squpz255ape7t448w86f7ltqemca7m0p99spgpp4mhxue69uhkummn9ekx7mqprpmhxue69uhhyetvv9ujuumwdae8gtnnda3kjctvqythwumn8ghj7enfd36x2u3wdehhxarj9emkjmn9keq8hx pointed out that this is already possible using nprofile/nevent 😬

daniele 2y ago

Really interesting brainstorming by nostr:npub1jlrs53pkdfjnts29kveljul2sm0actt6n8dxrrzqcersttvcuv3qdjynqn on a possible privacy attack vector on nostr.

Nostr is different and so are the security paradigms, therefore we have to think outside the box to find every possible vulnerability.

nostr:nevent1qqs0xmg7s8xeeq94u7fjrelm7qj503z2trzjyyl0gp0fqfupgm40veqpz3mhxue69uhhyetvv9ujumn0wd68ytnzvupzp978pfzrv6n9xhq5tvenl9e74pklmskh4xw6vxxyp3j8qkke3cezqvzqqqqqqy9djts8
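A client-side gate against the auto-signed AUTH described in the quoted note, given here as an added example that is not part of either post or of any nostr client's code. The function names, the comma-separated `relays` parameter and the rule of refusing non-`wss` relays are assumptions.

```javascript
// Added illustration; names and policy are hypothetical, not from any nostr client.

// Canonical form of a relay URL. Path and query are kept on purpose: in the
// link from the post, the path (/myemailinbase64) is the tracking token.
function relayKey(raw) {
  let u;
  try { u = new URL(raw); } catch { return null; }
  if (u.protocol !== "wss:") return null; // assumption: never AUTH over non-TLS
  return `wss://${u.host}${u.pathname.replace(/\/+$/, "")}${u.search}`;
}

// Relay hints carried by a link such as /notes?relays=wss://...
// Assumption: multiple hints are comma-separated.
function relayHintsFromLink(href) {
  const u = new URL(href, "https://client.invalid"); // base only resolves relative links
  return (u.searchParams.get("relays") || "").split(",").filter(Boolean);
}

// Decide what to do when a relay sends a NIP-42 ["AUTH", <challenge>] message.
// Signing reveals the user's pubkey to that relay, so only relays the user
// configured themselves get an automatic signature.
function authPolicy(relayUrl, userRelays) {
  const key = relayKey(relayUrl);
  if (key === null) return "reject";
  const trusted = new Set(userRelays.map(relayKey));
  return trusted.has(key) ? "auto-sign" : "ask-user";
}

// Per-relay AUTH decision for every hint found in a clicked link.
function planForLink(href, userRelays) {
  return relayHintsFromLink(href).map((r) => ({ relay: r, auth: authPolicy(r, userRelays) }));
}

// Constructed sample data.
const sampleUserRelays = ["wss://relay.example.com"];
const sampleLink = "/notes?relays=wss://bad-relay.com/myemailinbase64";
console.log(planForLink(sampleLink, sampleUserRelays));
```

The same gate applies to relay hints decoded from nprofile/nevent identifiers, which the quoted note says carry the same risk.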
