Pidgin Takes Action to Protect Users
The Pidgin messaging app has recently taken significant action to protect its users by removing the ScreenShareOTR plugin from its official third-party plugin list. This decision came after alarming reports surfaced regarding the plugin’s misuse, which included the installation of keyloggers, information stealers, and various forms of malware typically employed to infiltrate corporate networks.
Sneaky Pidgin Plugin
Pidgin, known for its open-source and cross-platform instant messaging capabilities, has long been a favored choice for users looking to integrate multiple messaging accounts into a single interface. While its popularity has waned since the mid-2000s, it continues to attract a dedicated following among tech-savvy individuals, open-source advocates, and those needing to connect with legacy instant messaging systems.
The application supports a plugin system that enhances its functionality, allowing users to download various addons from an official third-party plugins list, which currently boasts 211 options. However, a troubling development occurred when a malicious plugin named ‘ss-otr’ was added to this list on July 6, 2024. It wasn’t until August 16 that Pidgin received a report from a user indicating that the plugin was functioning as a keylogger and capturing screenshots. In response, Pidgin promptly removed the plugin and initiated an investigation. By August 22, confirmation of the keylogger’s presence was provided by security researcher Johnny Xmas.
A notable concern surrounding the ss-otr plugin is its lack of transparency; it only offered binaries for download without any accompanying source code. This absence of robust review mechanisms within Pidgin’s third-party plugin repository led to a lapse in security scrutiny.
Plugin Leads to DarkGate Malware
According to ESET, the cybersecurity firm that uncovered the plugin’s malicious nature, the installer was signed with a valid digital certificate from INTERREX – SP. Z O.O., a legitimate Polish company. While the plugin initially appeared to deliver its promised screen-sharing functionality, it also harbored malicious code capable of downloading additional binaries from an attacker’s server at jabberplugins[.]net.
The payloads delivered through this mechanism included PowerShell scripts and the notorious DarkGate malware, which was similarly signed by the Interrex certificate. This malicious strategy was not limited to the Windows version of Pidgin; a parallel approach was utilized for the Linux client, ensuring that both platforms were compromised.
ESET further reported that the now-defunct malicious server had hosted additional plugins, including OMEMO, Pidgin Paranoia, Master Password, Window Merge, and HTTP File Upload, all of which were likely involved in disseminating DarkGate. This indicates that the ScreenShareOTR plugin was merely a component of a larger, more extensive campaign.
Users who may have installed the compromised plugin are advised to remove it immediately and conduct a thorough system scan using antivirus software to detect any lingering threats from DarkGate. In light of these events, Pidgin’s maintainer and lead developer, Gary Kramlich, communicated via Mastodon that the organization does not track the number of times a plugin is installed.
To mitigate the risk of similar incidents in the future, Pidgin has announced a new policy: it will now only accept third-party plugins that possess an OSI Approved Open Source License. This change aims to ensure greater scrutiny of the code and internal functionality of plugins, thereby enhancing user security.
Update 8/27/24: Updated story to note that Pidgin does not keep track of plugin downloads.
