A joint research team from NICT, Osaka University, the University of Hyogo, and NEC conducted the world’s first comprehensive security assessment of Nostr, a decentralized social networking protocol used by approximately 1.1 million people worldwide, using a combination of specification analysis, implementation research, and proof-of-concept. They identified critical vulnerabilities that could lead to post tampering, spoofing, and the recovery of encrypted direct messages. They designed attack scenarios to exploit these vulnerabilities before hackers could, verified their effectiveness, and developed countermeasures. The results of this security assessment and countermeasures were reported to app developers, suggesting improvements to the overall protocol design. They identified that structural issues, such as a lack of coordination between multiple protocol designs, combined to create critical vulnerabilities that could lead to post and profile tampering, spoofing, the forging and recovery of encrypted direct messages, and the rewriting of remittance information. They designed eight specific attack scenarios to exploit these vulnerabilities before hackers could, and verified their effectiveness using Python proof-of-concept code.

※Translating Japanese articles into English with AI