Varun Srinivasan
@v
QR Miniapp Update

Earlier today, an attacker stole credentials from the QR miniapp and sent notifications from their apps. Users were sent to a different miniapp and encouraged to buy a fake token for $3. The QR team fixed this and reimbursed all users. Shoutout to the QR team for being very quick to respond. There is no other compromise of Farcaster wallets and your funds are safe.

What is Farcaster doing to prevent this?

Our transaction scanning prevents dangerous “send me all your money” attacks. That’s why the damage was limited to a $3 buy. We are also limiting miniapp notifications to redirect within the same domain. The attacker would have to compromise many more parts of the QR miniapp to pull off this attack again.

What can I do to stay safe?

If an app is asking you to do something that it normally does not, like buying a new token or claiming an airdrop, check the app’s home page or the author’s page to see if it is legitimate before taking the action. If there is some doubt, ask the author over DM or in the feed before taking the action.
29 replies
52 recasts
310 reactions
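The same-domain restriction described in the post above (and the "redirect from your domain" workaround mentioned later in the thread) boils down to one server-side check: before a notification is delivered, its target URL must resolve to the miniapp's own host. The following is an added example, not Farcaster's or the QR miniapp's code; the function names, the `allowSubdomains` option, the host `qr.example.com` and the sample batch are all constructed for illustration. It also shows the edge cases such a filter has to get right: userinfo tricks, lookalike suffixes and scheme downgrades.

```javascript
// Added example (not Farcaster's or the QR miniapp's code): a server-side
// filter that drops miniapp notifications whose target URL points outside
// the miniapp's own domain, the mitigation described in the thread.
// Names (isSameDomainTarget, filterNotifications), the allowSubdomains
// option and the sample batch are assumptions constructed for this example.

/**
 * Return true only if targetUrl is an https URL whose host is exactly
 * appDomain (or, when allowSubdomains is set, a subdomain of it).
 */
function isSameDomainTarget(appDomain, targetUrl, { allowSubdomains = false } = {}) {
  let url;
  try {
    url = new URL(targetUrl); // absolute URLs only; relative or garbage throws
  } catch {
    return false;
  }
  if (url.protocol !== "https:") return false; // no plaintext downgrade
  // WHATWG URL parsing separates userinfo from the host, so
  // "https://qr.example.com@evil.example/" yields hostname "evil.example".
  const host = url.hostname.toLowerCase();
  const domain = appDomain.toLowerCase();
  if (host === domain) return true;
  // The suffix match must include the dot: "qr.example.com.evil.example"
  // is a lookalike, not a subdomain, and is rejected.
  return allowSubdomains && host.endsWith("." + domain);
}

/**
 * Split a batch of notifications into those safe to deliver and those to
 * drop. Rejected entries keep a reason so the operator can alert on a
 * sudden burst of off-domain targets, which is what a stolen notification
 * credential looks like from the server side.
 */
function filterNotifications(appDomain, notifications, options) {
  const accepted = [];
  const rejected = [];
  for (const n of notifications) {
    if (isSameDomainTarget(appDomain, n.targetUrl, options)) {
      accepted.push(n);
    } else {
      rejected.push({ ...n, reason: "target outside " + appDomain });
    }
  }
  return { accepted, rejected };
}

// Constructed sample batch for a hypothetical miniapp served from qr.example.com.
const SAMPLE_BATCH = [
  { id: 1, title: "Your QR is ready", targetUrl: "https://qr.example.com/codes/42" },
  { id: 2, title: "Claim your token", targetUrl: "https://evil.example/buy" },
  { id: 3, title: "Look again", targetUrl: "https://qr.example.com@evil.example/" },
  { id: 4, title: "Lookalike", targetUrl: "https://qr.example.com.evil.example/" },
  { id: 5, title: "Downgrade", targetUrl: "http://qr.example.com/" },
];

if (typeof require !== "undefined" && require.main === module) {
  const { accepted, rejected } = filterNotifications("qr.example.com", SAMPLE_BATCH);
  console.log("deliver:", accepted.map((n) => n.id));
  console.log("drop:", rejected.map((n) => `${n.id} (${n.reason})`));
}
```

Run with `node` to see which of the five constructed notifications survive: only the one whose host is exactly `qr.example.com` over https is delivered. The filter compares parsed hostnames rather than doing string prefix checks on the raw URL, which is what defeats the `user@host` and `example.com.evil.example` variants; whether subdomains should count as "the same domain" is a policy choice, so it is an explicit option that defaults to the strict behaviour.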

KMac
@kmacb.eth
🎭 The 5 Stages of Farcaster Miniapp Notifications Grief

Denial: Wait what‽ Our 'mini'app notification system can’t just send users straight to our 'main' app or anywhere else like sponsors' sites? Nah, they wouldn’t actually do that without any warning.

Anger: "If I speak, I am in big trouble." https://www.youtube.com/shorts/t5sI-0UcRQ0

Bargaining: Okay okay… How about an opt-in for users a la Trending meme coins? Talk about not safe. Or can we have subdomain notifs?

Depression: Ugh… unplanned 'rework', what will go away next?

Acceptance: Fine. Landing page first, click to button second. It's safer, sure.
2 replies
0 recast
2 reactions

JE11YF15H 🪼🔵-‘
@je11yf15h
😂 420 $tipn
0 reply
0 recast
1 reaction

Varun Srinivasan
@v
Sorry for the disruption, I understand you were using this behavior. But it can be worked around with a redirect from your domain in most cases, and it makes the notification system more secure for all users.
1 reply
0 recast
2 reactions