comex 4 days ago

Yeah, that’s not nearly the level of big I was thinking of. It’s not a browser or WhatsApp or Word.

Admittedly, Go is popular among developers. And there are some public examples of client-side attacks targeting developers and security researchers specifically. Such attacks could hypothetically go after something like Docker. But, searching now, every single example I can find seems to either exploit a non-developer-specific target (browser, iMessage, Acrobat), or else not exploit anything and just rely on convincing people to execute a Trojan (often by sending a codebase that executes the Trojan when you build it).

That bifurcation actually surprises me and I’m not sure what to conclude from it, other than “build systems are insecure by design”. But at any rate, the lack of Go exploits doesn’t say much if we don’t see exploits of developer tools written in C either.

tptacek 4 days ago

We routinely do see those exploits!

comex 3 days ago

Are you talking about private examples or do you have one to share?

tptacek 3 days ago

Sure, I mean, take for example git.

More broadly: a lot of people mouthing off about how thread safety issues make Go unsafe, but you're one of a small minority of commenters here who could just find something and POC it. How hard do you think that would be? I'd absolutely accept a controlled-environment serverside RCE.