I currently don't understand why this feature is present in bitcoin-qt (sending messages is something I use email or Jabber for).
The feature is there to allow people to prove that they are the owners of a specific address.
Can anyone give an example of what such an attack would look like?
An attack would essentially require the combination of
1. A negligent service provider, C, who asks for a random code to be signed to prove ownership.
2. A negligent customer, A, willing to sign arbitrary data.
3. An attacker, B, in a position to convince A to sign a message. The attack will allow him to usurp A.
The attack goes more or less like this:
B to C: Hi, I just sent you payment from address X, I want a pink pony.
C to B: Sure, but first you need to prove that you own address X. Please sign the following - "fkj32yf7834hfzjkh".
B to A: Can you please sign this for me? "fkj32yf7834hfzjkh"
A to B: Here you go - "xnjkxyh3789dfy2389fhk"
B to C: The signature is "xnjkxyh3789dfy2389fhk".
C to B: Thanks, pony sent!
How the attack would be thwarted:
B to C: Hi, I just sent you payment from address X, I want a pink pony.
C to B: Sure, but first you need to prove that you own address X. Please sign the following - "I want C to send me a pink pony".
B to A: Can you please sign this for me? "I want C to send me a pink pony"
A to B: Wait, what? I don't want a pink pony.
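
The two exchanges above as a small simulation, added here as an illustration and not part of the original answer. The signature is a stand-in tuple rather than real wallet signing, and the nonce, the `reads_first` policy and A's own request to a service D are assumptions made for the example.

```python
import secrets

def opaque_challenge(service, action):
    # Negligent C: a random code that says nothing about what is being authorised.
    return secrets.token_hex(8)

def bound_challenge(service, action):
    # Careful C: the request in plain words. The nonce is an assumption added
    # here so that a signed challenge cannot be reused for a later request.
    return f"I want {service} to {action} (nonce {secrets.token_hex(8)})"

def signs_anything(message, own_requests):
    # Negligent A: signs whatever it is handed.
    return True

def reads_first(message, own_requests):
    # Careful A (hypothetical policy): sign only text stating a request A made.
    return any(message.startswith(req) for req in own_requests)

def sign(address, message):
    # Stand-in for the wallet's message signing, not real ECDSA. In this
    # simulation only the owner of `address` ever calls it.
    return (address, message)

def relay_succeeds(make_challenge, signer_policy):
    """B claims A's address X towards C and relays C's challenge to A."""
    issued = make_challenge("C", "send me a pink pony")  # C to B
    a_requests = ["I want D to send me a book"]          # constructed: what A really asked for
    if not signer_policy(issued, a_requests):            # B to A
        return False                                     # A refuses, B has nothing for C
    signature = sign("X", issued)                        # A to B
    return signature == ("X", issued)                    # B to C: address and exact text match

def outcomes():
    # Every combination of C's challenge style and A's signing habit.
    return {(c.__name__, a.__name__): relay_succeeds(c, a)
            for c in (opaque_challenge, bound_challenge)
            for a in (signs_anything, reads_first)}

if __name__ == "__main__":
    for pair, ok in outcomes().items():
        print(pair, "B gets the pony" if ok else "relay fails")
```

The relay fails only when A reads before signing; the worded challenge is what lets such a reader tell B's request from one of their own, since a random code gives nothing to check.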