UserProfile messages use plain Envelope wrapping without Ed25519 signing. Any peer can claim any peer_id in a profile broadcast. Fix: wrap in pack_wire and verify signer == profile.peer_id. Pre-existing, found by security audit of fix/issue-108-final.
UserProfile messages use plain Envelope wrapping without Ed25519 signing. Any peer can claim any peer_id in a profile broadcast. Fix: wrap in pack_wire and verify signer == profile.peer_id. Pre-existing, found by security audit of fix/issue-108-final.