科技回声 (a Hacker News mirror built on Next.js)

Malware infiltrates Pidgin messenger's official plugin repository

174 points, posted by mikece, 9 months ago

11 comments

molticrystal, 9 months ago
Zerodium [0] [1] offered $100k for a remote code execution exploit for Pidgin about 3 years ago; the offer ran from June to September of 2021. Governments and a lot of bad agents must really want to get into that app.

I haven't used it for years since AIM and ICQ became unpopular with my peers, and most places like Google dropped XMPP support. Perhaps Pidgin added support and became a great chat client for some protocol on the rise that I am unaware of. Is it still widely deployed in certain contexts or countries?

[0] https://twitter.com/rw_grim/status/1399817799657218059
[1] https://news.ycombinator.com/item?id=27371612
blueflow, 9 months ago
Original announcement: https://pidgin.im/posts/2024-08-malicious-plugin/

LWN: https://lwn.net/Articles/987320/

The plugin provided some kind of screen sharing.
itohihiyt, 9 months ago
I used to use Pidgin years ago, before social media ruined the internet, as a central place to message people across different services. I didn't know it was still going in the social media/walled garden age.
woodruffw, 9 months ago
> To prevent similar incidents from happening in the future, Pidgin announced that, from now on, it will only accept third-party plugins that have an OSI Approved Open Source License, allowing scrutiny into their code and internal functionality.

This is an understandable policy, but how would it have stymied the attacker in this case? It's unlikely that Windows users would be building from source (and Darkgate appears to be Windows only). Unless there's a policy that Pidgin extensions are strictly reproducible, it seems unlikely that the presence of an adjacent, benign source artifact would have increased the likelihood of early discovery.
chewbaxxa, 9 months ago
Pidgin (and its OTR plugin) used to be the most popular client for OTR (Off-The-Record, an encryption protocol) messaging. That was my experience about 10 years ago, and back then I think the plugins were known to be a weak point in its security.
rectang, 9 months ago
> A red flag is that ss-otr only provided binaries for download and not any source code, but due to the lack of robust reviewing mechanisms in Pidgin's third-party plugin repository, nobody questioned its security.

Opaque binaries without deterministic builds are an open source supply chain security hole that we will slowly, inevitably narrow. There will be much kicking and screaming along the way, though.
vxxzy, 9 months ago
Oh wow. I have become fond of Pidgin over the years. There is a Slack plugin that makes life a lot better. It seems that for plugins, extensions, app stores, and general third-party repositories (pip, npm, crates, etc.) risks are increasing. Centralization breeds certain risks that are tough to mitigate. So far, mitigating these risks involves trusting a central steward, cryptographic signing, and contributor reputation. I wonder if we can ever truly mitigate the contributor or steward aspects?
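Editor's added example (not code from any commenter, from Pidgin, or from the plugin repository) tying together woodruffw's point about reproducibility, rectang's point about opaque binaries, and vxxzy's list of mitigations (central steward, cryptographic signing). It sketches a hypothetical steward-signed plugin index: the steward signs a manifest pinning each artifact's SHA-256 and its source tree; the client verifies the signature, then refuses an artifact whose digest does not match and refuses any entry without a source reference. The manifest format, plugin names, key handling and the "refuse binary-only plugins" policy are assumptions for illustration, and the artifact bytes are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// PluginEntry is one record in a hypothetical steward-signed plugin index.
// SHA256 pins the exact artifact bytes; Source points at the tree it was built from,
// so a reviewer doing a reproducible rebuild can compare digests.
type PluginEntry struct {
	Name    string `json:"name"`
	Version string `json:"version"`
	SHA256  string `json:"sha256"`
	Source  string `json:"source"`
}

// Manifest is the index the repository steward signs and publishes.
type Manifest struct {
	Plugins []PluginEntry `json:"plugins"`
}

// SignManifest serialises the manifest (encoding/json is deterministic for structs)
// and signs the bytes with the steward's Ed25519 key. Clients verify these exact bytes.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (payload, sig []byte, err error) {
	payload, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return payload, ed25519.Sign(priv, payload), nil
}

// VerifyAndCheck is the client side: verify the steward signature first, then look up the
// requested plugin and require (a) the downloaded artifact matches the pinned digest and
// (b) the entry carries a source reference, i.e. refuse binary-only plugins.
func VerifyAndCheck(pub ed25519.PublicKey, payload, sig []byte, name string, artifact []byte) (PluginEntry, error) {
	if !ed25519.Verify(pub, payload, sig) {
		return PluginEntry{}, errors.New("manifest signature invalid: do not trust any entry")
	}
	var m Manifest
	if err := json.Unmarshal(payload, &m); err != nil {
		return PluginEntry{}, err
	}
	for _, e := range m.Plugins {
		if e.Name != name {
			continue
		}
		sum := sha256.Sum256(artifact)
		if hex.EncodeToString(sum[:]) != e.SHA256 {
			return PluginEntry{}, fmt.Errorf("%s %s: artifact digest mismatch", e.Name, e.Version)
		}
		if e.Source == "" {
			return PluginEntry{}, fmt.Errorf("%s %s: no source reference, refusing binary-only plugin", e.Name, e.Version)
		}
		return e, nil
	}
	return PluginEntry{}, fmt.Errorf("plugin %q not in manifest", name)
}

func main() {
	// Steward key; in practice it lives offline or in an HSM, not beside the repo.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for a real plugin binary.
	artifact := []byte("constructed plugin bytes standing in for a .dll/.so")
	sum := sha256.Sum256(artifact)
	digest := hex.EncodeToString(sum[:])
	m := Manifest{Plugins: []PluginEntry{
		{Name: "demo-screenshare", Version: "1.0", SHA256: digest, Source: "https://example.invalid/demo-screenshare.git"},
		{Name: "demo-binonly", Version: "1.0", SHA256: digest, Source: ""},
	}}
	payload, sig, err := SignManifest(priv, m)
	if err != nil {
		panic(err)
	}
	tampered := append(append([]byte{}, artifact...), 'x')
	cases := []struct {
		name string
		data []byte
	}{
		{"demo-screenshare", artifact}, // accepted: err prints as <nil>
		{"demo-screenshare", tampered}, // digest mismatch
		{"demo-binonly", artifact},     // no source: refused
	}
	for _, c := range cases {
		_, err := VerifyAndCheck(pub, payload, sig, c.name, c.data)
		fmt.Printf("%-16s -> %v\n", c.name, err)
	}
}
```

What this buys and what it does not: the signature only proves the bytes are what the steward published, and the digest pin only becomes a reviewable claim if an independent rebuild from Source yields the same digest, which is exactly the reproducibility gap woodruffw raises. A source-only policy without that rebuild step still leaves the client trusting an opaque artifact.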
secfirstmd, 9 months ago
Interesting. Pidgin and variations are used by some gov orgs.
ris, 9 months ago
Surprise! In-app plugin repos are a supply-chain disaster zone. I had to walk away from a project that wouldn't take the threat seriously, lest I get caught up in the fallout when it all goes horribly wrong.
noman-land, 9 months ago
Is Pidgin still the default IRC client bundled with Tails?
gus_, 9 months ago
Was this the malicious plugin? (from the reddit thread [0])

https://github.com/jabberplugins/pidgin-screenshare

> The plugin uses a reverse-tunneling SocketIO-server (to bypass NAT) on https://jabberplugins.net (*hosted by me*) which is used for routing OTR-encrypted (if enabled) screenshare packets between you & your buddy.

It also includes the libotr lib, modified by the author.

I'd love to read the analysis by Johnny Xmas, the report from 0xfffc0000, and even the binary so other people can test it with other tools and/or analyze it.

[0] https://www.reddit.com/r/linux/comments/1f1jv08/comment/lk1oa70/
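Editor's added example (not from any commenter or from the plugin's author): the README gus_ quotes says the plugin relays screen-share traffic through a server at jabberplugins.net, so the most direct way to find hosts that ran it is to hunt DNS or proxy logs for that relay domain. The code below does that over constructed Zeek-style dns.log lines (tab-separated timestamp, source host, query; the lines and addresses are made up), matching the domain and its subdomains while ignoring look-alikes such as notjabberplugins.net, trailing dots and mixed case. The log layout is an assumption; a real dns.log has more columns.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample: ts, id.orig_h, query. Not real traffic.
const sampleDNSLog = `1724400001.120	10.0.0.5	jabberplugins.net
1724400002.500	10.0.0.5	www.example.com
1724400010.010	10.0.0.9	api.jabberplugins.net
1724400011.200	10.0.0.9	notjabberplugins.net
1724400030.400	10.0.0.5	JabberPlugins.NET.
1724400031.000	10.0.0.7	pidgin.im
`

// Hit summarises one source host that resolved the indicator domain.
type Hit struct {
	Host  string
	Count int
	First string
	Last  string
	Names []string
}

// matchesIndicator is true when query is the indicator domain or a subdomain of it.
// Normalising case and the trailing dot avoids misses; requiring an exact label
// boundary ("." + indicator) avoids false hits on look-alike names.
func matchesIndicator(query, indicator string) bool {
	q := strings.ToLower(strings.TrimSuffix(strings.TrimSpace(query), "."))
	return q == indicator || strings.HasSuffix(q, "."+indicator)
}

// HuntDNS scans tab-separated log text and aggregates matching queries per source host.
func HuntDNS(log, indicator string) []Hit {
	byHost := map[string]*Hit{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		f := strings.Split(sc.Text(), "\t")
		if len(f) < 3 || strings.HasPrefix(f[0], "#") {
			continue // header/comment or malformed line
		}
		if !matchesIndicator(f[2], indicator) {
			continue
		}
		h, ok := byHost[f[1]]
		if !ok {
			h = &Hit{Host: f[1], First: f[0]}
			byHost[f[1]] = h
		}
		h.Count++
		h.Last = f[0]
		h.Names = append(h.Names, f[2])
	}
	out := make([]Hit, 0, len(byHost))
	for _, h := range byHost {
		out = append(out, *h)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Host < out[j].Host })
	return out
}

func main() {
	for _, h := range HuntDNS(sampleDNSLog, "jabberplugins.net") {
		fmt.Printf("%s: %d lookups, first %s, last %s, names %v\n", h.Host, h.Count, h.First, h.Last, h.Names)
	}
}
```

A hit means the host talked to the plugin's relay, i.e. it very likely had the plugin installed; confirming the DarkGate stage the article describes needs host triage, which a DNS hunt alone does not give.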