this post was submitted on 26 Aug 2024
201 points (99.5% liked)

Open Source

30302 readers
1709 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
201
Malicious Plugin in Pidgin (Chat Application) (pidgin.im)
submitted 3 weeks ago by [email protected] to c/[email protected]
16 comments fedilink hide all child comments
 

Greetings everyone. It is with much regret that I am writing this post. A plugin, ss-otr, was added to the third party plugins list on July 6th. On August 16th we received a report from 0xFFFC0000 that the plugin contained a key logger and shared screen shots with unwanted parties.

We quietly pulled the plugin from the list immediately and started investigating. On August 22nd Johnny Xmas was able to confirm that a keylogger was present.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 89 points 3 weeks ago (4 children)

It went unnoticed at the time that the plugin was not providing any source code and was only providing binaries for download. Going forward, we will be requiring that all plugins that we link to have an OSI Approved Open Source License and that some level of due diligence has been done to verify that the plugin is safe for users.

Unfortunate that this happened, but at least they are forcing more transparency to try to minimize the ability to hide behind opaque code.

[–] [email protected] 29 points 3 weeks ago (3 children)

Without some sort of reproducible builds (which are really finnickey to actually get) this doesn't really help though. Adding some set of malicious patches before doing the binary release is trivial.

[–] [email protected] 15 points 3 weeks ago

I agree that reproducible builds would be ideal and modifying binary releases is trivial, but any step forward is better than no review process at all.

There's no such thing as a perfect system. It's all about increasing the number of hoops for an attacker to jump through. This is at least a step in the right direction.

[–] [email protected] 9 points 3 weeks ago

True. My point was more that it's an improvement, not really a broad solution.

[–] [email protected] 7 points 3 weeks ago

You don't need reproducible builds. You can get by if you trust whoever compiled it, like your distro's maintainers or the pidgin developers.