I was giving for granted that it behave that way, then today I made an integration test over my signup API to see taht it would fail under an "attack" with a modified event.
The test failed and I got scared so I did dig deeper and wrote that test.
The whole library assembles in the "finalized event" both the original event and the sig/pub/hash properties. So when you call verifyEvent it uses the hashes that one pass as "id" rather than recalculate the hash from scratch from the original event properties.
I am no security expert but that look *very* bad to me.
ildella / Daniele
npub1nc…4r8ar
2024-02-29 00:26:24
in reply to nevent1q…jv6v
Author Public Key
npub1ncdaqhk5rea29hdpaxmyhzay3d5mkrattg3dgs4yjkcml99fkqcqz4r8arPublished at
2024-02-29 00:26:24Event JSON
{
"id": "52f883e40743754132b287e1cc61e3367e6c12c49e0b20aa4b40802f828e98f2",
"pubkey": "9e1bd05ed41e7aa2dda1e9b64b8ba48b69bb0fab5a22d442a495b1bf94a9b030",
"created_at": 1709162784,
"kind": 1,
"tags": [
[
"e",
"73774221928a6b0ffb722e302a9b14f1b9a886c0303ea60530417789198f27aa",
"wss://relay.damus.io/",
"root"
],
[
"e",
"2d51c16a7764cd538b0af193850a5626be67afd433d290cdf90b15152917eab0",
"wss://nos.lol/",
"reply"
],
[
"p",
"3bf0c63fcb93463407af97a5e5ee64fa883d107ef9e558472c4eb9aaaefa459d"
],
[
"p",
"79c2cae114ea28a981e7559b4fe7854a473521a8d22a66bbab9fa248eb820ff6"
]
],
"content": "I was giving for granted that it behave that way, then today I made an integration test over my signup API to see taht it would fail under an \"attack\" with a modified event. \n\nThe test failed and I got scared so I did dig deeper and wrote that test. \n\nThe whole library assembles in the \"finalized event\" both the original event and the sig/pub/hash properties. So when you call verifyEvent it uses the hashes that one pass as \"id\" rather than recalculate the hash from scratch from the original event properties. \n\nI am no security expert but that look *very* bad to me. ",
"sig": "dbcace604a4a2886d38cd486b5e9408f70aed6696af0eb112d43e768f550b346ec980f238921ae8696875ed4079e3d6e6019610335ca0e281da9fd0d0a1a3c6d"
}