tptacek 5 days ago
I'm sure I could come up with a bunch of examples but the first thing that jumps into my head is the Docker ecosystem.
comex 4 days ago
Yeah, that’s not nearly the level of big I was thinking of. It’s not a browser or WhatsApp or Word. Admittedly, Go is popular among developers. And there are some public examples of client-side attacks targeting developers and security researchers specifically. Such attacks could hypothetically go after something like Docker. But, searching now, every single example I can find seems to either exploit a non-developer-specific target (browser, iMessage, Acrobat), or else not exploit anything and just rely on convincing people to execute a Trojan (often by sending a codebase that executes the Trojan when you build it). That bifurcation actually surprises me and I’m not sure what to conclude from it, other than “build systems are insecure by design”. But at any rate, the lack of Go exploits doesn’t say much if we don’t see exploits of developer tools written in C either.
ameliaquining 5 days ago
I would say that Go is common in command-line developer tooling, which is sort of client-side albeit a noncentral example of same (since it includes tools for running servers and suchlike), and rare in all other client-side domains that I can think of.