That would just authenticate with the fake website, not the real one. A unique key being used for authentication is derived from the domain you're talking with.

See here:

luds/05.md

Lines 8 to 11 in 0318227

    
           ### `linkingKey` derivation for BIP-32 based wallets: 
        
           1. There exists a private `hashingKey` which is derived by user `LN WALLET` using `m/138'/0` path. 
        
           2. `LN SERVICE` full domain name is extracted from login `LNURL` and then hashed using `hmacSha256(hashingKey, full service domain name)`. Full domain name here means FQDN with last full-stop (aka "point") omitted (Example: for `https://x.y.z.com/...` it would be `x.y.z.com`).

	### `linkingKey` derivation for BIP-32 based wallets:

	1. There exists a private `hashingKey` which is derived by user `LN WALLET` using `m/138'/0` path.
	2. `LN SERVICE` full domain name is extracted from login `LNURL` and then hashed using `hmacSha256(hashingKey, full service domain name)`. Full domain name here means FQDN with last full-stop (aka "point") omitted (Example: for `https://x.y.z.com/...` it would be `x.y.z.com`).

How to protect user from fake site login with lnurl-auth #257

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions