Meet blossy
The easiest way to make custom blossom servers come to life.
Think blossom servers that support ecash, WoT gating and more.
All so easy to use that your LLM is going to one-shot it (probably).
Replies (6)
Yes!
Can you elaborate on the replay attack vector you mention in the README which affects the BUD-01 auth spec? What's the risk / scope of the attack? Can you provide an example?
Since `created_at` is part of the auth event, in my opinion it's easy to limit its scope on the server side to almost irrelevant by checking if the event is in the near past. Or would it break the functionality somehow?
Bit hard to follow on a MacBook Air, btw. Next time please zoom in a bit.
Example of the replay attack:
- Alice wants to change her blossom server from Server 1 to Server 2
- Alice mirrors all blobs to Server 2
- Alice then sends a DELETE for all her blobs on Server 1
- Server 1 is malicious and replays all the DELETEs (with all the auth events) to Server 2
- Result is a complete data loss
The auth scheme is being reworked by @hzrd149 and me, so it will be fixed.