An alarming situation has arisen in the community of users of the multiprotocol messenger Pidgin. A malicious component was added to the list of third-party plugins, specifically the plugin called “SS-OTR”. This plugin appeared in the list available for download on July 6, but it wasn’t until August 16 that a user with the nickname “0xFFFC0000” discovered a built-in keylogger in the plugin, which captures keystrokes and sends screenshots to third parties.
Upon learning of this information, the developers promptly removed the “SS-OTR” plugin from the list of downloadable plugins, and the Pidgin team initiated an investigation. On August 22, security specialist @johnnyxmas confirmed the presence of the keylogger in the plugin. Users who had installed “SS-OTR” were strongly advised to remove it immediately to prevent any leakage of personal information.
Furthermore, it was revealed that when the attacker added the plugin to the download list, no source code was provided, only binary files were offered for users to download. This is a clear oversight on the platform’s part. Moving forward, Pidgin plans to enhance the moderation requirements for plugins by mandating that all third-party plugins possess a license approved by the Open Source Initiative and undergo rigorous security checks.
Pidgin is a messaging program that supports multiple communication protocols in a single interface, such as XMPP, IRC, and Gadu-Gadu. Additionally, users can enhance the program’s functionality through various plugins. Pidgin is free of charge, ad-free, and its entire source code is available for modification under the GNU General Public License, enabling users to customize it to their needs and share improvements with the community. The program’s development is driven by user contributions, with regular updates addressing identified issues and incorporating new features proposed by the community.