Greetings everyone. It is with much regret that I am writing this post. A plugin, ss-otr, was added to the third party plugins list on July 6th. On August 16th we received a report from 0xFFFC0000 that the plugin contained a key logger and shared screen shots with unwanted parties.
We quietly pulled the plugin from the list immediately and started investigating. On August 22nd Johnny Xmas was able to confirm that a keylogger was present.
I’m just surprised Pidgin hasn’t been rewritten from the ground up by now. Some of the available messengers and logos in the app don’t even exist anymore.
I haven’t used pidgin in about 15 years. I miss it
I used to use pidgin for our corporate HipChat. Pidgin was the best client for HipChat. I especially liked the psychic plugin, so I could get notified as soon as someone began composing a message to me (well before they sent the message).
I wrote a small python script to send my phone a high-priority message alert whenever my boss began composing a message to me. This was especially useful when I was in the kitchen or doing laundry or something.
We lost so much when these shitty corporate messaging services went so far off the XMPP spec that we couldn’t use third party clients anymore
To be fair, if your app has its own plugin list and installler, its probably going to be vulnerable to download malicious plugins.
I don’t know of an in-app plugin installers that actually cryptographically verify signatures on downloads like apt does.
