hugo/content/post/ss-otr.md

Thu, 02 Jan 2025 16:35:59 -0600

author: Gary Kramlich <grim@reaperworld.com>
date: Thu, 02 Jan 2025 16:35:59 -0600
changeset 545: cf811d26020d
parent 540: 6f0987415a0f
permissions: -rw-r--r--

Add a flathub verification token

Testing Done:
Ran with `npm run hugo:server` and verified the file was served properly.

Reviewed at https://reviews.imfreedom.org/r/3718/

---
title: "Malicious Plugin"
date: 2024-08-22T16:00:02-05:00
categories:
 - blog
---

Greetings everyone. It is with much regret that I am writing this post. A
plugin, ss-otr, was added to the [third party plugins](/plugins) list on July
6th. On August 16th we received a report from
[0xFFFC0000](https://github.com/0xFFFC0000) that the plugin contained a
keylogger and shared screenshots with unwanted parties.

We quietly pulled the plugin from the list immediately and started
investigating. On August 22nd [Johnny Xmas](https://linktr.ee/johnnyxmas) was
able to confirm that a keylogger was present.

**If you happened to install this plugin, you will want to uninstall it
immediately.**

It went unnoticed at the time that the plugin was not providing any source code
and was only providing binaries for download. Going forward, we will be
requiring that all plugins that we link to have an
[OSI Approved Open Source License](https://opensource.org/licenses) and that
some level of due diligence has been done to verify that the plugin is safe for
users.
