[HN Gopher] Malware infiltrates Pidgin messenger's official plug...
___________________________________________________________________
Malware infiltrates Pidgin messenger's official plugin repository
Author : mikece
Score : 113 points
Date : 2024-08-27 18:02 UTC (4 hours ago)
(HTM) web link (www.bleepingcomputer.com)
(TXT) w3m dump (www.bleepingcomputer.com)
| itohihiyt wrote:
| I used to use pidgin years ago before social media ruined the
| internet as a central place to message people across different
| services. I didn't know it was still going in the social
| media/walled garden age.
| rw_grim wrote:
| Yeah we're still here and trying to get an experimental pre-
| alpha release of Pidgin3 out by the end of the year.
| Unfortunately basically everything had to change to support
| modern chat features, so initial protocol support is going to
| be very light.
| blueflow wrote:
| Original announcement:
| https://pidgin.im/posts/2024-08-malicious-plugin/
|
| LWN: https://lwn.net/Articles/987320/
|
| The plugin provided some kind of screen sharing.
| rw_grim wrote:
| A more in-depth post will be coming soon. I'm working on the
| first draft of it tonight on everything that happened.
| molticrystal wrote:
| Zerodium [0] [1] offered $100k for a remote code execution
| exploit for Pidgin about 3 years ago; the offer ran from June to
| September of 2021. Governments and a lot of bad agents must
| really want to get into that app.
|
| I haven't used it for years since AIM and ICQ became unpopular with
| my peers, and most places like Google dropped XMPP support.
| Perhaps Pidgin added support and became a great chat client for
| some protocol on the rise that I am unaware of. Is it still widely
| deployed in certain contexts or countries?
|
| [0] https://twitter.com/rw_grim/status/1399817799657218059
|
| [1] https://news.ycombinator.com/item?id=27371612
| rw_grim wrote:
| We're finally gearing up to have an experimental release of
| Pidgin 3.0 by the end of the year, but the goal right now only
| includes the IRC protocol. But everything has been updated to
| support all of the newer chat features, so support for other
| protocols should come quick.
| secfirstmd wrote:
| Interesting. Pidgin and variations are used by some gov orgs.
| chewbaxxa wrote:
| Pidgin (and its OTR plugin) used to be the most popular client
| for OTR (Off-The-Record, an encryption protocol) messaging. That
| was my experience about 10 years ago and back then I think the
| plugins were known to be a weak point in its security.
| ris wrote:
| Surprise! In-app plugin repos are a supply-chain disaster zone. I
| had to walk away from a project that wouldn't take the threat
| seriously lest I get caught up in the fallout when it all goes
| horribly wrong.
| vxxzy wrote:
| Oh wow. I have become fond of pidgin over the years. There is a
| slack plugin that makes life a lot better. It seems for plugins,
| extensions, app stores, and general third-party repositories
| (pip, npm, crates, etc) risks are increasing. Centralization
| breeds certain risks that are tough to mitigate. So far,
| mitigating these risks involves trusting a central steward,
| cryptographic signing, and contributor reputation. I wonder if we
| can ever truly mitigate the contributor or steward aspects?
___________________________________________________________________
(page generated 2024-08-27 23:00 UTC)