The widely used open-source messaging application Pidgin recently discovered that a keylogger plugin had been listed on its official third-party plugins repository for over a month, raising concerns about how the project vets plugin submissions.
The plugin, named “ss-otr,” was added to the repository on July 6th, but it was only on August 16th that the first report of its malicious nature surfaced. This serious breach highlights the inherent risks of using third-party plugins without rigorous security checks.
Pidgin, a free, open-source instant messaging client, supports multiple chat networks, including AIM, Google Talk, ICQ, XMPP, and more. Originally known as “Gaim,” Pidgin has a large user base, particularly among those who value open-source software for personal and professional communication. Despite its popularity and long-standing reputation, the incident with the “ss-otr” plugin underscores significant weaknesses in how its plugin ecosystem is vetted.
The breach was first identified by user “0xFFFC0000,” who discovered that the “ss-otr” plugin contained a keylogger—a type of malware that records keystrokes to steal sensitive information. Additionally, the plugin was found to take screenshots and share them with unauthorized parties. This discovery led Pidgin to immediately remove the plugin from its repository and initiate an investigation. By August 22nd, cybersecurity expert Johnny Xmas confirmed the presence of the keylogger within the plugin.
One critical oversight in this incident was the failure to recognize that the plugin only provided binary files for download without accompanying source code. This lack of transparency should have been a red flag, as open-source software relies on the availability of source code to allow for community audits and ensure security.
Upgrading Pidgin’s security
In response to the incident, Pidgin has announced that all third-party plugins listed in its repository will now be required to have an OSI Approved Open Source License. This measure ensures that the source code is available for review, making it easier to detect potential security threats.
The Open Source Initiative (OSI) is a global non-profit organization that promotes and protects open-source software by ensuring that licenses comply with the Open Source Definition. These licenses guarantee that software can be freely used, modified, and shared. By mandating that all plugins adhere to an OSI Approved Open Source License, Pidgin aims to restore user trust and prevent similar incidents from occurring in the future.
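The two red flags described above, a binary-only download with no source to review and a license that is not OSI-approved, can be checked mechanically when a plugin is submitted. The following is an added example written for this article, not Pidgin's own review tooling; the plugin records, file names and the short list of OSI-approved license identifiers are constructed for illustration.

```python
"""Audit a third-party plugin listing for the two red flags this incident raised:
binary-only distribution (no source to review) and a non-OSI-approved license.
Example code added here; the plugin records below are constructed, not Pidgin's
real repository data, and the license set is a small subset of OSI-approved ids."""
from dataclasses import dataclass

# Subset of OSI-approved license identifiers (SPDX form); extend as needed.
OSI_APPROVED = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-or-later",
                "MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "MPL-2.0"}
SOURCE_EXT = {".c", ".h", ".py", ".pl", ".tcl", ".cpp", ".rs"}
BINARY_EXT = {".so", ".dll", ".dylib", ".exe"}


@dataclass
class Plugin:
    name: str
    license: str   # SPDX identifier as declared by the submitter
    files: list    # file names offered for download


def audit_plugin(p: Plugin) -> list:
    """Return the findings for one plugin (an empty list means no red flag)."""
    findings = []
    exts = {f[f.rfind("."):].lower() for f in p.files if "." in f}
    has_binary = bool(exts & BINARY_EXT)
    has_source = bool(exts & SOURCE_EXT)
    if has_binary and not has_source:
        findings.append("binary-only: no source code available for review")
    if p.license not in OSI_APPROVED:
        findings.append(f"license {p.license!r} is not OSI-approved")
    return findings


def audit_listing(plugins) -> dict:
    """Map plugin name -> findings, keeping only plugins that raise a flag."""
    return {p.name: f for p in plugins if (f := audit_plugin(p))}


# Constructed sample listing (names, file names and licenses are illustrative).
SAMPLE = [
    Plugin("example-otr-fork", "Proprietary", ["plugin-win32.dll", "plugin-linux.so"]),
    Plugin("purple-notify", "GPL-2.0-or-later", ["notify.c", "notify.h", "Makefile"]),
    Plugin("pidgin-theme-pack", "CC-BY-4.0", ["theme.xml", "README"]),
]

if __name__ == "__main__":
    for name, findings in audit_listing(SAMPLE).items():
        print(name, "->", "; ".join(findings))
```

A plugin that ships only `.dll`/`.so` files is flagged even if its declared license is acceptable, since the license alone does not make the code reviewable.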
This incident has highlighted the potential dangers of relying on third-party plugins, especially when they do not undergo proper security vetting. Users who installed the “ss-otr” plugin are urged to uninstall it immediately to safeguard their data. The incident serves as a cautionary tale for all open-source projects, emphasizing the need for continuous vigilance and robust security measures.