Malicious Plugin
pidgin.im
Greetings everyone. It is with much regret that I am writing this post. A plugin, ss-otr, was added to the third party plugins list on July 6th. On August 16th we received a report from 0xFFFC0000 that the plugin contained a key logger and shared screen shots with unwanted parties. We quietly pulled the plugin from the list immediately and started investigating. On August 22nd Johnny Xmas was able to confirm that a keylogger was present.

Greetings everyone. It is with much regret that I am writing this post. A plugin, ss-otr, was added to the third party plugins list on July 6th. On August 16th we received a report from 0xFFFC0000 that the plugin contained a key logger and shared screen shots with unwanted parties.

We quietly pulled the plugin from the list immediately and started investigating. On August 22nd Johnny Xmas was able to confirm that a keylogger was present.

  • @Churbleyimyam@lemm.ee
    1924 days ago

    Was the plugin open source?

    Edit: looks like it wasn’t and the incident has prompted more more transparency. Good stuff.

    • @sugartits@lemmy.world
      624 days ago

      Unless the pidgin team are compiling the binaries themselves, this doesn’t really fix much.

      Ideally we need reproducible builds.

      • @delirious_owl
        123 days ago

        Its really not hard for them to compile themselves. This is what most package managers do