Damus
Pip the WoT guy · 3w
✨ Meet blossy The easiest way to make custom blossom servers come to life. Think blossom servers that support ecash, WoT gating and more. All so easy to use that your LLM is going to one-shot it (...
Lez
Can you elaborate on the replay attack vector you mention in the README which affects the BUD-01 auth spec? What's the risk / scope of the attack? Can you provide an example?

Since `created_at` is part of the auth event, in my opinion it's easy to limit its scope on the server side to almost irrelevant by checking if the event is in the near past. Or would it break the functionality somehow?
Pip the WoT guy · 3w
Example of the replay attack.
- Alice wants to change her blossom server from Server 1 to Server 2
- Alice mirrors all blobs to Server 2
- Alice then sends a DELETE for all her blobs on Server 1
- Server 1 is malicious and replays all the DELETEs (with all the Auth events) to Server 2
- Result is a...
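The exchange above, worked through as an added example that is not code from this thread, from blossy, or from any blossom implementation. It models the server-side checks BUD-01 describes for a kind 24242 auth event (the `t` verb tag, the `x` hash tag, the `expiration` tag, and `created_at` in the past), adds the tighter "created_at must be recent" check Lez proposed, and shows why that check alone shrinks the replay window but does not stop Server 1 from replaying Alice's DELETE to Server 2. The final variant goes beyond the thread: it binds the event to a hypothetical `server` tag, which is an assumption here, not something the thread says the spec has. Signature verification is assumed to happen before these checks and is not shown; the server URLs and the blob are constructed sample data.

```python
import hashlib


# Constructed sample data for this example: the blob Alice stored and the
# (unsigned) kind-24242 auth event she would sign to delete it. Schnorr
# signature verification over the event id is assumed to run before these
# checks and is deliberately not shown.
BLOB_HASH = hashlib.sha256(b"constructed sample blob").hexdigest()
SERVER_1 = "https://server1.example"   # hypothetical server URLs
SERVER_2 = "https://server2.example"


def make_auth_event(verb, blob_hash, created_at, ttl=300, extra_tags=()):
    """Build a kind-24242 auth event (tag layout per BUD-01: t, x, expiration)."""
    return {
        "kind": 24242,
        "created_at": created_at,
        "tags": [
            ["t", verb],
            ["x", blob_hash],
            ["expiration", str(created_at + ttl)],
            *extra_tags,
        ],
        "content": f"{verb} {blob_hash}",
    }


def tag_values(event, name):
    """All values of the named tag, e.g. tag_values(ev, "x") -> [hash, ...]."""
    return [tag[1] for tag in event["tags"] if len(tag) > 1 and tag[0] == name]


def bud01_checks(event, verb, blob_hash, now, max_age=None):
    """Server-side BUD-01 checks plus the optional 'created_at not older than
    max_age seconds' tightening from the thread. Returns None on success,
    otherwise a short rejection reason."""
    if event["kind"] != 24242:
        return "wrong kind"
    if event["created_at"] > now:
        return "created_at in the future"
    if max_age is not None and now - event["created_at"] > max_age:
        return "created_at too old"
    expiration = tag_values(event, "expiration")
    if not expiration or int(expiration[0]) <= now:
        return "expired"
    if verb not in tag_values(event, "t"):
        return "verb mismatch"
    if blob_hash not in tag_values(event, "x"):
        return "hash mismatch"
    return None


def server_bound_checks(event, verb, blob_hash, now, my_url, max_age=None):
    """Hypothetical hardening (an assumption, not from the thread or spec):
    additionally require a 'server' tag naming this server, so an event
    Alice signed for Server 1 is useless when replayed to Server 2."""
    reason = bud01_checks(event, verb, blob_hash, now, max_age)
    if reason is not None:
        return reason
    if my_url not in tag_values(event, "server"):
        return "auth not bound to this server"
    return None


def replay_scenario(t0=1_700_000_000):
    """Walk through the DELETE replay from the thread; return each outcome."""
    delete_ev = make_auth_event("delete", BLOB_HASH, created_at=t0)
    bound_ev = make_auth_event("delete", BLOB_HASH, created_at=t0,
                               extra_tags=[["server", SERVER_1]])
    return {
        # Alice deletes on Server 1 a second after signing: accepted.
        "server1_accepts": bud01_checks(delete_ev, "delete", BLOB_HASH, now=t0 + 1),
        # Server 1 replays the identical event to Server 2 twenty seconds later.
        # Even with a tight 60 s created_at window nothing in the event names a
        # server, so Server 2 accepts it and deletes Alice's remaining copy.
        "server2_replay_inside_window": bud01_checks(
            delete_ev, "delete", BLOB_HASH, now=t0 + 20, max_age=60),
        # The window and the expiration tag only shrink the attacker's time budget.
        "server2_replay_after_window": bud01_checks(
            delete_ev, "delete", BLOB_HASH, now=t0 + 90, max_age=60),
        "server2_replay_after_expiry": bud01_checks(
            delete_ev, "delete", BLOB_HASH, now=t0 + 400),
        # Binding the event to a server is what closes the replay itself.
        "bound_event_at_server1": server_bound_checks(
            bound_ev, "delete", BLOB_HASH, now=t0 + 1, my_url=SERVER_1),
        "bound_event_replayed_to_server2": server_bound_checks(
            bound_ev, "delete", BLOB_HASH, now=t0 + 20, my_url=SERVER_2, max_age=60),
    }


if __name__ == "__main__":
    for step, outcome in replay_scenario().items():
        print(f"{step}: {'accepted' if outcome is None else 'rejected: ' + outcome}")
```

The point the scenario makes concrete: a replay within the mirroring-then-delete sequence happens in seconds, so a recency check on `created_at` cannot distinguish the legitimate DELETE at Server 1 from its replay at Server 2; only something that ties the signed event to the intended server (the hypothetical `server` tag here, or any equivalent binding) does.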