logoalt Hacker News

slowmoveryesterday at 10:28 PM2 repliesview on HN

> The victim is prompted to enable the "Installed community plugins" synchronization feature.

Obsidian has the proper protections in place to prevent this type of attack, and the victims are being convinced to ignore them. This is just a successful social engineering event. I hate to see Obsidian dragged down by this headline, since this attack is not exploiting a vulnerability in it or its plugin system.

Replies

Groxxyesterday at 11:09 PM

Ehm. No? https://obsidian.md/help/plugin-security#Plugin+capabilities

>Due to technical limitations, Obsidian cannot reliably restrict plugins to specific permissions or access levels. This means that plugins will inherit Obsidian's access levels. As a result, consider the following examples of what community plugins can do:

    Community plugins can access files on your computer.
    Community plugins can connect to internet.
    Community plugins can install additional programs.
Obsidian has no protection at all. Installing a plugin gives it full access to your computer.

This was only a matter of time, and honestly I think it's inexcusably negligent that they shipped a plugin system like this at all since about 2010 (or arguably much earlier).

show 3 replies
cmbaileyyesterday at 10:32 PM

Right, I'm a heavy Obsidian user myself, and love it.

I think the value of this disclosure is more in spreading awareness about plugins, and demonstrating the vector. Where less sophisticated users may think, "Oh, this is just a collection of markdown files. I don't need to be too worried about malicious code."