2023-10-10 18:50:42

hodlbod on Nostr: I'm not sure this is a real issue, but it does highlight the fact that if you combine ...

I'm not sure this is a real issue, but it does highlight the fact that if you combine 1. user-generated content and 2. arbitrary server connections you drastically increase your attack surface area.

I'm working on improving routing on Coracle, and ran into the issue of deep-linking creating attack vectors for malicious links. To a certain extent, this is unavoidable; people can always direct someone to a bad event or link unless there's no navigation at all.

I'm more concerned about attackers being able to inject a malicious relay into Coracle, for example https://coracle.social/notes?relays=wss://my-evil-relay.com in order to phish someone's pubkey and correlate their identity.

How bad is this? I'm inclined to leave relay deep-linking out. But then relays are a resource in their own right, so I don't know if it's possible. Maybe ask for user approval before connecting to any relay not in their own relay list? This would cover malicious relay injection via NIP 65 as well.
Author Public Key
npub1jlrs53pkdfjnts29kveljul2sm0actt6n8dxrrzqcersttvcuv3qdjynqn
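
The approval idea raised in the post (connect only to relays already in the user's own relay list, and ask before touching any other) can be sketched as below. This is an added example, not code from the post or from Coracle: the function names, the comma-separated form of the relays parameter, and the relay.example.com and not-a-relay.example hosts are assumptions made for illustration.

```javascript
// Added example: split relays requested by a deep link into those the user
// already trusts, those that need explicit approval, and malformed entries.
// normalizeRelay and partitionDeepLinkRelays are hypothetical names.

function normalizeRelay(raw) {
  let url;
  try {
    url = new URL(raw.trim());
  } catch {
    return null; // not parseable as a URL
  }
  // Only websocket schemes are valid relay addresses.
  if (url.protocol !== "wss:" && url.protocol !== "ws:") return null;
  // Embedded credentials have no place in a shared link; refuse them.
  if (url.username || url.password) return null;
  // Compare on scheme + host(:port) + path, ignoring query, fragment and
  // trailing slashes, so trivial variants map to the same relay.
  const path = url.pathname.replace(/\/+$/, "");
  return `${url.protocol}//${url.host}${path}`;
}

function partitionDeepLinkRelays(deepLink, userRelays) {
  const known = new Set(userRelays.map(normalizeRelay).filter(Boolean));
  const result = { connect: [], needsApproval: [], rejected: [] };
  // Assumption: several relays may be passed comma-separated or repeated.
  const requested = new URL(deepLink).searchParams
    .getAll("relays")
    .flatMap((value) => value.split(","));
  const seen = new Set();
  for (const raw of requested) {
    const relay = normalizeRelay(raw);
    if (relay === null) {
      result.rejected.push(raw);
      continue;
    }
    if (seen.has(relay)) continue; // de-duplicate after normalization
    seen.add(relay);
    // No socket is opened for needsApproval entries until the user agrees.
    (known.has(relay) ? result.connect : result.needsApproval).push(relay);
  }
  return result;
}

// Constructed sample input: one relay from the user's list, one unknown relay,
// and one entry that is not a websocket URL.
const sampleLink = "https://coracle.social/notes?relays=" +
  "wss://my-evil-relay.com,wss://Relay.Example.com/,https://not-a-relay.example";
console.log(partitionDeepLinkRelays(sampleLink, ["wss://relay.example.com"]));
```

The same partition can be applied to relay hints arriving from other users' relay lists before any connection is made, which is the NIP 65 case the post mentions.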