ImPostingOnHN 8 hours ago

The attack here requires not just enabling community plugins, but also syncing the attacker's vault to your computer, and also separately enabling the synchronization of the attacker's plugins with yours.
|
guiambros 7 hours ago | parent

Yes, in this specific case. Obsidian Plugins are still incredibly vulnerable. A compromised plugin will essentially take over your machine. There's no sandboxing of any kind. It's even more insecure than browser extensions (which could steal your auth tokens, but at least don't have unfettered access to your filesystem). This is really unfortunate. I love Obsidian and have been a paid subscriber for many years, but the community plugins need a security overhaul ASAP, before someone gets hurt.
Ferret7446 6 hours ago | parent

The same is true for all software on your machine.
Groxx 5 hours ago | parent

Not even slightly. Browser extensions are a trivial counter-example, as are all flatpaks, and anything restricted by user/group. That covers probably literally a majority of all software on your computer, because people have been voluntarily restricting their software to protect you from their potential accidents for decades.
ImPostingOnHN 4 hours ago | parent

> That covers probably literally a majority of all software on your computer

If you're running GNU/Linux, chances are you'll have hundreds, if not thousands, of pieces of software that run totally unsandboxed. Yes, a very small minority of applications are unfortunately primarily distributed via flatpak or snap, and the distributors don't care about the user experience, so it's error-ridden and problem-ridden, but chances are you can get a "normal computer program" version of it unencumbered by such grossness.
Groxx 4 hours ago | parent

And tons won't be part of e.g. root, or dialout (to pick one I've had to deal with a lot lately), or many other more-privileged-than-default groups, yes. That's a permissions system working as intended.

Besides. They said "all software on your machine". That is trivially false, to a significant degree.
|
|
|
|