Malicious Plugin
pidgin.im
Greetings everyone. It is with much regret that I am writing this post. A plugin, ss-otr, was added to the third party plugins list on July 6th. On August 16th we received a report from 0xFFFC0000 that the plugin contained a key logger and shared screen shots with unwanted parties. We quietly pulled the plugin from the list immediately and started investigating. On August 22nd Johnny Xmas was able to confirm that a keylogger was present.

Greetings everyone. It is with much regret that I am writing this post. A plugin, ss-otr, was added to the third party plugins list on July 6th. On August 16th we received a report from 0xFFFC0000 that the plugin contained a key logger and shared screen shots with unwanted parties.

We quietly pulled the plugin from the list immediately and started investigating. On August 22nd Johnny Xmas was able to confirm that a keylogger was present.

  • __forward__@lemm.ee
    27·
    1 month ago

    Without some sort of reproducible builds (which are really finnickey to actually get) this doesn’t really help though. Adding some set of malicious patches before doing the binary release is trivial.

    • cadekat@pawb.social
      7·
      1 month ago

      You don’t need reproducible builds. You can get by if you trust whoever compiled it, like your distro’s maintainers or the pidgin developers.