this post was submitted on 26 Aug 2024
202 points (99.5% liked)

Open Source

31061 readers
358 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS
 

Greetings everyone. It is with much regret that I am writing this post. A plugin, ss-otr, was added to the third party plugins list on July 6th. On August 16th we received a report from 0xFFFC0000 that the plugin contained a key logger and shared screen shots with unwanted parties.

We quietly pulled the plugin from the list immediately and started investigating. On August 22nd Johnny Xmas was able to confirm that a keylogger was present.

top 16 comments
sorted by: hot top controversial new old
[–] [email protected] 89 points 2 months ago (1 children)

It went unnoticed at the time that the plugin was not providing any source code and was only providing binaries for download. Going forward, we will be requiring that all plugins that we link to have an OSI Approved Open Source License and that some level of due diligence has been done to verify that the plugin is safe for users.

Unfortunate that this happened, but at least they are forcing more transparency to try to minimize the ability to hide behind opaque code.

[–] [email protected] 29 points 2 months ago (3 children)

Without some sort of reproducible builds (which are really finnickey to actually get) this doesn't really help though. Adding some set of malicious patches before doing the binary release is trivial.

[–] [email protected] 16 points 2 months ago

I agree that reproducible builds would be ideal and modifying binary releases is trivial, but any step forward is better than no review process at all.

There's no such thing as a perfect system. It's all about increasing the number of hoops for an attacker to jump through. This is at least a step in the right direction.

[–] [email protected] 9 points 2 months ago

True. My point was more that it's an improvement, not really a broad solution.

[–] [email protected] 7 points 2 months ago

You don't need reproducible builds. You can get by if you trust whoever compiled it, like your distro's maintainers or the pidgin developers.

[–] [email protected] 20 points 2 months ago

I'm just surprised Pidgin hasn't been rewritten from the ground up by now. Some of the available messengers and logos in the app don't even exist anymore.

[–] [email protected] 20 points 2 months ago

I haven't used pidgin in about 15 years. I miss it

[–] [email protected] 19 points 2 months ago* (last edited 2 months ago) (1 children)

Was the plugin open source?

Edit: looks like it wasn't and the incident has prompted more more transparency. Good stuff.

[–] [email protected] 6 points 2 months ago (1 children)

Unless the pidgin team are compiling the binaries themselves, this doesn't really fix much.

Ideally we need reproducible builds.

[–] [email protected] 1 points 2 months ago

Its really not hard for them to compile themselves. This is what most package managers do

[–] [email protected] 18 points 2 months ago (1 children)

This danger is why I quit using the Purple Teams plugin for Pidgin: it works well enough (considering Teams isn't exactly open to third-party clients, it works amazingly well in fact) it's GPL-3.0, the source is provided and I compiled it.

So I believe it's clean, but that's not good enough for me to hit our corporate Teams channels with it and I don't have the time to audit the code. Not to mention, while my company trusts my good judgment, I'm pretty sure running an unauthorized client is against IT policies.

So I dropped it, sadly. It's a bummer because Pidgin uses a fraction of the resources needed by that pig of an Electron app - the official client - made by Microsoft.

[–] [email protected] 5 points 2 months ago* (last edited 2 months ago)

The newest Teams app (and I think newest Outlook amongst others) is using system/Edge provided WebViews rather than Electron, which I guess takes care of the “each app gets its own Chrome instance” part of the Electron bloat. It’s so far running better than old Teams for me. On my old work laptop, the fans spun up the second the old Teams client launched lol

[–] [email protected] 14 points 2 months ago

This is still a thing? I used this in the age of AIM and didn't know it stuck around past the shutdown

[–] [email protected] 11 points 2 months ago

I used to use pidgin for our corporate HipChat. Pidgin was the best client for HipChat. I especially liked the psychic plugin, so I could get notified as soon as someone began composing a message to me (well before they sent the message).

I wrote a small python script to send my phone a high-priority message alert whenever my boss began composing a message to me. This was especially useful when I was in the kitchen or doing laundry or something.

We lost so much when these shitty corporate messaging services went so far off the XMPP spec that we couldn't use third party clients anymore

[–] [email protected] 10 points 2 months ago

By the way; which messaging platforms, protocols or 'services' are currently supported by Pidgin? I haven't looked at it in a while.

[–] [email protected] 2 points 2 months ago

To be fair, if your app has its own plugin list and installler, its probably going to be vulnerable to download malicious plugins.

I don't know of an in-app plugin installers that actually cryptographically verify signatures on downloads like apt does.