- From: William Casarin <jb55@jb55.com>
- Date: Sat, 8 Jul 2023 22:57:06 -0700
- To: patches@damus.io
- Cc: dev@damus.io, nostr-protocol@googlegroups.com, public-nostr@w3.org, William Casarin <jb55@jb55.com>, Tony Giorgio <tonygiorgio@protonmail.com>, benthecarman <benthecarman@live.com>, Vitor Pamplona <vitor@vitorpamplona.com>, Kieran <kieran@harkin.me>, Jonathan Staab <shtaab@gmail.com>, Mike Dilger <mike@mikedilger.com>
Hey gang,

Ben found a note zap forgery bug in damus and I'm just emailing the patches to you guys as a heads up to see if y'all have the same issue. This was the first time someone was able to forge a zap on one of my notes so it was surprising!

It came down to the way I determine the "zapper" for a note. The zapper is the authorized zap-note creator. The zap spec expects clients to look up the nostrPubkey on the lnurl endpoint and make sure that it matches the note that is being zapped.

The issue in damus was that it was looking up the zapper based on the first p-tag on the zap note. This is wrong since that can be forged and different from the pubkey of the note being zapped. This allows an attacker to slip a fake zap onto a note, because the zapper that is checked is actually a valid zapper for that p-tag, but it's the wrong p-tag.

Damus now looks up the note in the cache and uses that pubkey instead of whatever is on the note.

There's a similar issue with profile zaps which I have a fix for in here as well.

Cheers,
Will

Cc: Tony Giorgio <tonygiorgio@protonmail.com>
Cc: benthecarman <benthecarman@live.com>
Cc: Vitor Pamplona <vitor@vitorpamplona.com>
Cc: Kieran <kieran@harkin.me>
Cc: Jonathan Staab <shtaab@gmail.com>
Cc: Mike Dilger <mike@mikedilger.com>

William Casarin (2):
  Fix fake note zaps with forged p-tags
  Prevent forged profile zap attacks

 damus/Models/HomeModel.swift | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

-- 
2.39.2 (Apple Git-143)
Received on Sunday, 9 July 2023 06:14:41 UTC
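The note-zap check described in the mail, as an added illustration that is not damus code and not part of the original message: the old lookup trusts the receipt's own first p-tag, the fixed lookup derives the expected zapper from the cached author of the zapped note. All pubkeys, note ids, the LNURL nostrPubkey table and the note cache are constructed sample values; a real client fetches nostrPubkey from the recipient's lnurl endpoint.

```python
from dataclasses import dataclass, field

# Constructed: nostrPubkey served by each user's lnurl endpoint (NIP-57).
LNURL_NOSTR_PUBKEY = {
    "alice_pubkey": "alice_zapper_pubkey",      # note author being zapped
    "mallory_pubkey": "mallory_zapper_pubkey",  # attacker-controlled endpoint
}

# Constructed: the client's note cache, note id -> author pubkey.
NOTE_CACHE = {"note_by_alice": "alice_pubkey"}


@dataclass
class ZapReceipt:
    pubkey: str                        # signer of the kind-9735 zap receipt
    tags: list = field(default_factory=list)

    def first_tag(self, name):
        """Return the value of the first tag named `name`, or None."""
        for tag in self.tags:
            if tag and tag[0] == name:
                return tag[1]
        return None


def zapper_vulnerable(receipt):
    """Old behaviour: choose the zapper from the receipt's own first p-tag.
    The p-tag is attacker-controlled, so it can name any profile."""
    return LNURL_NOSTR_PUBKEY.get(receipt.first_tag("p"))


def zapper_fixed(receipt, note_cache=NOTE_CACHE):
    """Fixed behaviour: derive the zapper from the author of the e-tagged note."""
    author = note_cache.get(receipt.first_tag("e"))
    if author is None:
        return None        # unknown note: cannot validate, do not display the zap
    return LNURL_NOSTR_PUBKEY.get(author)


def is_valid_note_zap(receipt, zapper_of):
    """A note zap is valid only if the receipt is signed by the expected zapper."""
    expected = zapper_of(receipt)
    return expected is not None and expected == receipt.pubkey


# Constructed receipts: the forged one is signed by Mallory's zapper, points its
# p-tag at Mallory, but its e-tag at Alice's note.
FORGED = ZapReceipt("mallory_zapper_pubkey",
                    [["p", "mallory_pubkey"], ["e", "note_by_alice"]])
GENUINE = ZapReceipt("alice_zapper_pubkey",
                     [["p", "alice_pubkey"], ["e", "note_by_alice"]])
```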