From 5f911b1b000e030912c3b18d3347a4f6847313f8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ioan=20Biz=C4=83u?= Date: Tue, 31 Oct 2023 15:56:17 +0200 Subject: [PATCH] Add Twitter verification caveat to NIP-39. --- 39.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/39.md b/39.md index b84603c..9eacee8 100644 --- a/39.md +++ b/39.md @@ -51,6 +51,8 @@ Identity: A Twitter username. Proof: A Tweet ID. The tweet should be posted by `` and have the text `Verifying my account on nostr My Public Key: ""`. This can be located at `https://twitter.com//status/`. +Caveat: fetching `https://twitter.com//status/` and looking for the `` is not sufficient as a validation, because Twitter can automatically redirect if you use the wrong identity (but the correct tweet ID) as part of the URL! So after fetching `https://twitter.com/saylor/status/1701877505437675910` one must re-check the *actual* URL (or avoid redirects in the first place) before concluding that the person using `1701877505437675910` as a proof matches the @saylor identity on Twitter! + ### `mastodon` Identity: A Mastodon instance and username in the format `/@`.
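Review bot: In the added Caveat paragraph the required check is only described informally ("one must re-check the *actual* URL (or avoid redirects in the first place)"), so two clients can implement it differently and one of them may still accept a redirected response. Suggest stating the rule for validators directly: either disable redirect following, or compare the username path segment of the final URL against the claimed identity, and reject the proof on any mismatch. The example also hardcodes a specific account and tweet ID (`https://twitter.com/saylor/status/1701877505437675910`); placeholders in the style of the preceding Proof line would make the same point without tying the spec text to one tweet remaining available.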