Oddbean new post about | logout
hodlbod | 23 days ago (raw) | root | parent | reply | flag +5 
 Replicated it, it's an XSS
Alex Gleason 🐍 | 23 days ago (raw) | root | parent | reply | flag +11 
 Holy shit! https://github.com/airbnb/lottie-web/issues/3127
Sebastix | 23 days ago (raw) | root | parent | reply | flag +1 
 So now we can blame Airbnb?
hodlbod | 23 days ago (raw) | root | parent | reply | flag 
 You're much faster than I am
Sovereign Bear | 23 days ago (raw) | root | parent | reply | flag 
 Amazing. I was just inspecting that too, but seemed like an innocuous library.
Sovereign Bear | 23 days ago (raw) | root | parent | reply | flag +3 
 If you're getting a wallet connect popup on primal desktop... DON'T connect to it.

nostr:note1zjqtju8gx6sr6ud0xw207ezpnn9jcgnvwlp6075fgrhtk9hd5m7quy7hng
negr0 | 23 days ago (raw) | root | parent | reply | flag 
 Están atacando
Sovereign Bear | 23 days ago (raw) | root | parent | reply | flag +1 
 I'm not sure it is specific to nostr or primal, anyone using this plugin would probably be affected.
negr0 | 23 days ago (raw) | root | parent | reply | flag +1 
 En mi caso no estoy usando primal
crypt0cranium | 23 days ago (raw) | root | parent | reply | flag +1 
 nostr:nevent1qqspfq9ewr5rdgpawxhn898lv3qeejevyfk80sa8l2y5pm4mzmk6dlqpzemhxue69uhkummnw3ex2mrfw3jhxtn0wfnj7q3qq3sle0kvfsehgsuexttt3ugjd8xdklxfwwkh559wxckmzddywnwsxpqqqqqqz3dsavw
heatherlarson | 23 days ago (raw) | root | parent | reply | flag 
 Nostr devs on top of things 🫡
Cesar Dias | 23 days ago (raw) | root | parent | reply | flag 
 Insane, primal just removed the lottie-player https://github.com/PrimalHQ/primal-web-app/commit/299a26daa1ec6ebc642e117827c9b21c0b3117ec
hodlbod | 23 days ago (raw) | root | parent | reply | flag 
 Yep, just discovered myself that this is the source of the issue: https://github.com/airbnb/lottie-web/issues/3127
jb55 | 22 days ago (raw) | root | parent | reply | flag +1 
 Last time there was an xss vulnerability on nostr (anigma) lots of people leaked their nsecs
Kräftig | 22 days ago (raw) | root | parent | reply | flag 
 The WalletConnect popup on the browser webpage. Instead of zapping it would bring up a bunch of shitcoin wallets. HodlBod clarified that it was likely an XSS Attack and was able to replicate it. Primal since removed the Lottie player. 

nostr:nevent1qqsd8r8gkljxp08q6x8rh26zevsduf26kegkvde9p57pu3qwfvv06nqpzdmhxue69uhhwmm59e6hg7r09ehkuef0qgsf03c2gsmx5ef4c9zmxvlew04gdh7u94afnknp33qvv3c94kvwxgsrqsqqqqqp7mxule