Comment by troad
2 days ago
> multiple safety warnings in Obsidian
Idk, I've always thought it was odd that the "community plugins" settings pane seemed more concerned with assuring the user that community plugins were fine than actually explaining the risk.
There is literally a single sentence about the fact that plugins "may cause data integrity and security issues", and it is hedged with the mealy-mouthed modifier "like any other software you install". The absolute majority of it - maybe 80% of the text by window height - is about the measures Obsidian does to vet and secure plugins. All of it appears to be written with the intent to placate any concerns.
Is this the safety warning? The screen that says that community plugins could cause issues "like any other software", but they're actually super safe and vetted and totally fine? Is it surprising that a person, faced with a screen like this, would be susceptible to a social engineering attack?
To replicate this attack you have to also reject two more safety warnings. The user has to accept a shared vault (you have to click "trust author of this vault"), and you have to activate syncing remote plugins.
The first safety warning assures the user that "plugin security is important to [Obsidian]". That Obsidian plugins undergo initial code review by Obsidian themselves. That "many" plugins are open source and that Obsidian has a "large community of developers who watch out for each other". (At this point I'm not sure how this screen even qualifies as a safety warning. Seems more like a billboard for enabling plugins?)
Given that vaults are just Markdown documents, and plugins are so safe (or so Obsidian seems to claim), why should a person feel at all concerned clicking yes to these prompts? Is it still a social engineering attack when the app appears to encourage you along the way? Are these even safety warnings, or just (vaguely encouraging) confirmation dialogs?
I don't see how Obsidian should come off as completely blameless here. They've always tacitly encouraged this wild west plugin ecosystem, because it's an obvious generator of value. They don't get to absolve themselves of any responsibility by pointing at safety warnings, when those "safety warnings" spend (far!) more time explaining why the user might want to click "yes" than "no".
To be clear, I like and use (and pay for!) Obsidian. But the design of Obsidian plugins was clearly broken from the beginning, and the official messaging around them has always been more encouraging than wary. This sort of event is an absolutely inevitable consequence of those decisions.
You're looking at a different screen than the ones required to replicate this attack. To replicate this attack you have to agree three separate times to increasingly scary messages.
Yes it would be good to make it less easy to shoot yourself in the foot. However, I believe users should be in control. People should be able to do powerful things if they choose to. But that will always come with the risk of misuse or social engineering.