Oddbean new post about | logout
 Unfortunatly i can reliably reproduce the steps to get to the CSAM i came across, but i wont share it. But it was not something that popped up in my feed, but as a result of a search query (to something completely unrelated to the CSAM obviously).

In this case they were kind 1063 events, hosted on one of the bigger relays that a lot of people use.
Normally 1063 event contain a URL and content (in this case a picture) is hosted somewhere else. Here, it was not a URL but the raw file in base64 encoding, which the client is then supposed to translate to a webp (though this is not part of the NIP-94 spec).

How clients handle this varies, i happened to use one at the time that is able to handle this stuff, so it displays the picture direcly. Most other clients i have tried dont and just produce a raw base64-string (luckely in this case) without transforming it into a webp picture. Or a download button that does nothing (because there is no actual url there)