2023-05-26 06:07:46
in reply to: bajax on Nostr: grumbulon (◠‿・)—☆ God's Silliest Soldier wafu ...

OK, I have to back up and explain a bunch of shit about how attachments are handled on the fediverse to explain it, but I’ll keep it short…

In order for the file to execute, it needs to be on the same domain the victim is browsing from – if you accidentally load from sleepy.cafe a payload targeted at seal.cafe, it won’t work. Browser security measures prevent it.

What media proxy does is take attachments and serve them from the site you’re browsing from, as if all the attachments come from the same server. This makes it faster in some cases and prevents telling other sites which of your users are looking at which files. BUT – if sleepy.cafe was running media proxy, an attack targeted at seal.cafe users might in theory work, because it makes all attached files appear to come from the domain you’re browsing on.
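Added example, not code from this post or from any fediverse server: a browser-style origin comparison showing why a remote attachment and a proxied copy of it land in different origins, and the response headers a media proxy can attach so a relayed file is never treated as active content in the instance's own origin. The proxy path scheme, the blocked-type list and the header policy are assumptions made for illustration.

```python
"""Origin check plus response hardening for a fediverse-style media proxy."""
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Content types a browser would render as active content inside the page's
# origin if the proxy passed them through unchanged. Constructed policy list
# for this example, not an exhaustive one and not any project's real list.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml",
                "text/javascript", "application/javascript"}


def origin(url: str) -> Tuple[str, str, int]:
    """Origin the way a browser compares it: (scheme, host, port)."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), port)


def same_origin(a: str, b: str) -> bool:
    """True when a browser would treat both URLs as the same origin."""
    return origin(a) == origin(b)


def proxied_url(instance: str, remote_url: str) -> str:
    """Rewrite a remote attachment URL to the local instance's proxy path.

    Hypothetical path scheme; real media proxies use their own layouts.
    The point is that the result's origin is the instance, not the remote host.
    """
    return f"https://{instance}/proxy/{remote_url}"


def proxy_headers(upstream_content_type: str) -> Optional[Dict[str, str]]:
    """Headers to attach when relaying an attachment; None means refuse.

    Active types are refused outright. Everything else is served with the
    declared type, sniffing disabled, and a sandboxing CSP so that even a
    direct navigation to the proxied URL cannot run script in our origin.
    """
    ctype = upstream_content_type.split(";")[0].strip().lower()
    if ctype in ACTIVE_TYPES:
        return None
    return {
        "Content-Type": ctype,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }
```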
Author Public Key: npub16rws74jzn42yjxw0jzm6pt9xqrdfjat6uge5atg2035w830n8v5sgnd9ze