on Nostr: silverpill I think so, after fetching an actor it performs webfinger lookup on the ...
silverpill (npub1df0…7gmw) I think so. After fetching an actor, it performs a webfinger lookup on the same domain, but due to a faulty webfinger pipeline rewrite it accepted any arbitrary domain in the response. I recall Mastodon had a similar vulnerability.
Published at
2024-06-03 02:19:48