Nostr Web Client

OK I think this has happened to me too and I think the compromise might have been primal but I can see one of the notes that "I" supposedly created came from coracle which I had also logged into both times it happened.

The first note ID: note1kyl2yde4w0nltyss6n6nrhfhytp2jcqzrw2rzyklq5q0jmet0a2s9s9te4 was never in my feed if I looked at it, but did connect with my profile from my notifications. Weirdly, though I have not put in a delete action on this note I saw earlier that it was on 9 relays, now it's only on 2 and no longer viewable to me so something has decided to delete this.

The Fishcake (nostr.build) 2y ago

I think the main problem lies (and I am speculating here since I just woke up and didn’t check the nips yet) in how the event is signed and verified. I think it allowed attacker (somewhat good one in this case) to manipulate the type of the event and potentially some tags. This means that they could have taken any events that are stored on relay and change what they could without breaking signature. Then, any thing like spam reports, emotions, ets, could be converted into DM, or normal note. It’s possible some other method was used but that’s the best I could imagine in my sleep without checking how actuality is. 🐶🐾🫡

Reply to this note

Please Login to reply.

Discussion

Optimism 2y ago

✅ Optimism Airdrop Round 2 Is Live!

👉 https://telegra.ph/Optimism-Airdrop-Round-2-Is-Live-06-09 Claim your free $OP.

The Fishcake (nostr.build) 2y ago

Ok, I was wrong. The event ID (which is sha256 public key, created_at, kind, tags, content) is signed by private key. The only thing I can think of is that signature is not verified by client. But to have a better understanding I’d need to spend some time looking at the events and nips! 🐶🐾🫡

H 2y ago

Thanks so much!