← Back to context

Comment by 27theo

1 year ago

Scary. I saw a tweet the other day from a job seeker who had been sent a repo of seemingly trustworthy code. The sender claimed to be working with a team that was hiring, or something along those lines. Of course, one file deeply nested within the folds of the project contained a block of obfuscated JavaScript designed to grab as much data from the job seeker as possible and transmit it elsewhere. Had the job seeker run the project without reading through it first, they would have been in hot water.

You can imagine some variant of this attack including a carefully designed Emacs Lisp payload, which the unsuspecting and desperate-for-a-job victim might open in Emacs. Surprising that the Emacs maintainers didn't fix it as quickly as you'd hope.

8 comments

27theo

Reply
medo-bear  1 year ago

Emacs doesn't market itself as a sandboxed tool. It is purpose built to give users unrivaled powers. There are obvious consequnces to this. What is more scary is running untrusted js in a browser that has been marketed as sanboxed, but you probably do this all day every day

  • __MatrixMan__  1 year ago

    Agreed. Also, I expect that malicious elisp is relatively rare, while malicious js is probably about half of it.

    • medo-bear  1 year ago

      While I'm trying to sober up people who are panicking I don't mean to downplay the dangers. The op article is quite informative and should be read by all emacs users. While malicious el code is probably rare, the value gained by compromising an emacs user (programmers academics researchers etc) compared to compromising a random js user (everyone) is probably way greater. Also very few people look at emacs security

  • emporas  1 year ago

    Could starting $ emacs --daemon, and connecting to another machine using the client act as a kind of sandboxing or it has no benefit whatsoever?

    Maybe that could be used as a starting point to implement a security strategy for some not totally trusted packages. It could complicate things, but hopefully not too much.

    • medo-bear  1 year ago

      If you are concerned about security you should not be running arbitrary programs. For example if you have a lots crypto assets, you shouldnt keep your wallet details on the same computer you are running programs you don't trust. However, practicality often forces you to adopt a more yolo approach toward security. What people often dont realise is that emacs is almost an operating system, and installing emacs packages is kinda like insralling .bat or .exe files. To me personally emacs is the single best piece of software ever produced, by a long shot, but it is a good idea to be aware of its powers.

      Emacs can infact be great for security. Its code and language are very nice and well documented and if you care to understand the code you are running and you are THAT concerned about security it can be an excellent aid toward peace of mind.

      2 replies →