← Back to context

Comment by guiambros

3 days ago

Yes, in this specific case.

Obsidian Plugins are still incredibly vulnerable. A compromised plugin will essentially take over your machine. There's no sandboxing of any kind. It's even more insecure than browser extensions (that could steal your auth tokens, but at least don't have unfettered access to your filesystem).

This is really unfortunate. I love Obsidian and am a paid subscriber for many years, but the community plugins needs a security overhaul asap, before someone gets hurt.

11 comments

guiambros

Reply
Ferret7446  3 days ago

The same is true for all software on your machine.

  • Groxx  3 days ago

    Not even slightly. Browser extensions are a trivial counter-example, as are all flatpacks, and anything restricted by user/group. That covers probably literally a majority of all software on your computer, because people have been voluntarily restricting their software to protect you from their potential accidents for decades.

    • Flimm  3 days ago

      In practise, Flatpak packages have many more permissions than you might expect, and the sandbox feature gives a false sense of security. For example, the Obsidian Flatpak package [0] is given all of the following abilities without explicit permission from the user (the user has to know where to look to find out about them):

      - Home folder read/write access

      - System folder media

      - System folder mnt

      - Microphone access and audio playback

      - And more...

      The Obsidian snap [1] is installed with the --classic flag, which also grants access to the whole home directory, but at least you have to consciously specify the --classic flag to grant this permission.

      [0] - https://flathub.org/en/apps/md.obsidian.Obsidian

      [1] - https://snapcraft.io/obsidian

      1 reply →

    • ImPostingOnHN  3 days ago

      > That covers probably literally a majority of all software on your computer

      If you're running GNU/Linux, chances are you'll have hundreds, if not thousands, of pieces of software that run totally unsandboxed.

      Yes, a very small minority of applications are unfortunately primarily distributed via flatpak or snap, and the distributors don't care about the user experience, so it's error-ridden and problem-ridden, but chances are you can get a "normal computer program" version of it unencumbered by such grossness.

      4 replies →

    • poulpy123  2 days ago

      > flatpacks

      flatpacks have access to all my files, they would be useless without. And they are the only sensitive files in my computers

    • Capricorn2481  2 days ago

      So in other words, yes the apps have full filesystem access unless you specifically sandbox them with the OS.