Obsidian CEO here. There is a major update coming soon for plugin security. I think it will address many of the concerns people have raised in this thread. It's a hard problem but we are working on it.
That said, the headline is misleading. This article is about a social engineering attack that requires the user to actively reject multiple safety warnings in Obsidian. As far as I know this is a proof of concept, I haven't seen any reports of users being affected by this attack.
lol we told you plugins were insecure years ago. I distinctly remember getting flamed in your discord because I said that they had full disk access. Too little too late.
The insecurity is part of the benefit. Obsidian being so open, allowing easy customizing is what makes it great. They should add some more bells, whistles and guards to prevent sneaky social attacks, but they can't close Obsidian all together, or it would kill the app.
What do you propose? Even if they configure node's lowest level file APIs to block any access to paths outside the vault, plugins can still execute arbitrary shell commands who will have access to the entire OS.
And before you say it's useless and should be stopped too, well, that's a fine opinion! But then you lose plugins providing git integration, automated backups, document conversion using pandoc, etc. Many users might value that greatly.
A permission system for their plugins might be the only solution, annoying permission request popups and all.
That's a good point. I think I'd solve this in two steps.
0) scripts and plugins should only be able to operate on the text in the vault. Just like how I expect a snippet of JavaScript running in my browser to only have access to the website and not to my entire disk.
1) Any commands that run outside of this sandbox need to be approved first. Obviously this could get annoying, but there's tricks you could use here to help.
Obviously this is a high level approach and I'm not on their team, so this is basically armchair programming. But since you asked, it's okay. ;)
In 2026, applications, third or even first party, don't need to have full-disk access, and are not given either. They see a jailroot environment. I give full disk access to the terminal app, and a handful of others. 90% of them, nope.
At least that's the case in macOS, I'm pretty sure Windows can do that too. Linux of course has had such capability since forever, but I guess most distros you need to manually take care of it.
This is implemented the wrong way around. Each program should only have access to its own folders by default, with it being possible to grant additional access. Also, I don't believe Endpoint stuff is included in the normal Windows license.
Maybe it isn't built-in, but most Windows user I've worked with, including myself, have been using Sandboxie for probably two decades at this point, probably hard to find any Windows software that is more ubiquitous than Sandboxie in developer circles.
Sandboxie is essentially a giant pile of fragile hacks on top of a Windows API that does not want to be used this way. Does it seem like it works most of the time? Sure. Has it had bypasses? Also yes. I've used it in the past but I don't truly trust it.
Yes you can sandbox Obsidian on the OS. The point they're making is nearly every third party program ships Without sandboxing. There's nothing special about Obsidian here.
This hardening is enabled by default with Gatekeeper. That includes Homebrew apps, unless you disable it.
When an app tries to access something outside of its sandbox, you get a notification asking to approve or deny. Full Disk Access I think needs to be explicitly given on System Settings (Privacy & Security -> Full Disk Access).
That's probably all the hardening the average person needs. BlockBlock because most malware tries to get persistence. Little Snitch or LuLu for fine-grained whitelisting of network requests for any apps that have plugins (e.g. you give Documents permissions to Obsidian, plugins inherit that, but they can't exfiltrate if you only allow requests to trusted domains).
I've never tried to do this or similar in Windows (obviously easy in unix-like environments) but I'm going to bet it's far more trouble than it's worth for 99% of users
On macOS at least those 99% of users are probably installing from the App Store, where apps are sandboxed by default and need to explicitly ask for access to paths outside that sandbox. Even when not installed from the App Store a permission dialogue is popped if an application tries to read from sensitive paths like your photo library.
Does that help in this case though? I think the worry is that a rogue Obsidian plugin does bad stuff with your Obsidian vault, not just do stuff to the rest of the computer. But that vault/those notes live in the same sandbox as the (rogue) 3rd party plugin, which doesn't help with that, they really need to be isolated away from the notes themselves.
Anything that reduces the blast radius helps. There should still be a focus on further hardening. Most value comes from exploits that enable pivots. Attackers will focus on other vectors that enable broader pivots because immediate high value notes only exist for a limited set of users.
Lol it's a social engineering attack. What are you talking about. Don't run programs you don't trust, especially when being asked to do so by strangers on the line.
Obsidian is great. And glad to see how you’re looking at plugin security. But one more thing you should consider is: How do you reduce the need for plugins for basic product behavior. E.g., I use a plugin to be able to open a file in new tab instead of replacing current tab. That should be a setting, not a plugin I’m forced to use.
I don't understand the hate here. Obsidian is a well working product that scratches many inches. Plugins allow to scratch some more itches, but are not mandatory.
I am using several plugins and would prefer not to, but they allow me to bring the (mobile) app closer to what I want (notably templater and homepage as I want to get a new daily note sorted in monthly folders, which obsidian doesn't seem to allow natively).
Maybe an alternative would also be to more explicitly allow users to create their own scripts - but maybe that's possible and I just don't know.
Overall I think the key challenge with obsidian use is that it offers too much, and there's a lot to fiddle with. While it will bother the power users probably best would be to just move on many ways to "default" behaviours and e.g. make many of the "core plugins" just settings to make the list lsss overwhelming.
I don't know how hard it would be but IMHO adding some kind of permissions dialog(?) akin to Android would go a long way. 99% of Obsidian plugins don't need full disk access, or internet access for that matter.
That'd require some sort of sandbox, which they already seem to not want to have, for whatever reason. If you don't want that, and you want to use JS, building any sort of permission system on top of that that you cannot easily work around, gets really tricky if not impossible.
Obsidian stands beside the terminal and Firefox as one of the pieces of software I use the most every single day. Thank you for all you're doing.
-
I've read the article describing the attack, and my very first thought was utter surprise that the entire attack chain started with someone accepting a shared vault from a stranger via social media (linked in and similar). That seems really, really strange to me.
I've never shared a vault - but if I did, I'd probably do so as a git repo of markdown files.
It would be interesting to see a blog post from Obsidian about "good hygiene for sharing vaults".
Will that new security interfere with plugin functionality though? I can't really do without some of them, in particular selfhosted-livesync. It's not even that I don't want to pay you for hosting my notes, it's that I don't want them on somebody else's server even end to end encrypted. If I could pay and run my own official sync server I probably would.
Is this like a popup? which most people actively accept without blinking
I think plugin/extensions should be a bit harder to run by default. I get the user friction from extra hurdles before using their plugins etc., but I don't think there is an actually safe way to execute arbitrary code, unaudited, without sandboxing, or other restrictions.
The pop-ups and "social engineering" in question are things that any users in HN likely already accepted, which is to enable community plugins.
These community plugins are the backbone of Obsidian and where a lot of the meat is behind its fame come from.
There's no protections beyond that, community plugins can do whatever they want. Thankfully, the vast majority of them are open-source.
As someone who doesn't use shared vaults - would the warning popup, 'to enable the "Installed community plugins" synchronization feature', not be on a per shared vault basis? Is trusting a single shared vault for plugin sync going to mean I sync my plugins for every shared vault?
IMO that's an issue in and of itself, but it doesn't read that way in the (very unclear) original article.
I've been using obsidian for years as a paying customer. Will continue to pay as price point is good and it just works. However, unless plugin security massively improves I will never install any plugins.
If you can build in one thing, I'd pick something equivalent to Omnisearch. That makes it much easier to find things. I always struggle with the default search.
This is pearl clutching. This feels like a massive overreaction. If you don't want to use it because it's not open source, that's fine, but you're spreading a lot of snarky FUD about the creators.
They are not making excuses, they stated clearly why open sourcing it is tangential to this problem at best, and they're not the only user to call out the hijacking of the thread. They have been quite clear about why they keep it closed source, so I don't know why you're making it sound like they are lying to their users.
Your rant about audits has little to do with the article too. Telling everyone we're going to get rug pulled is exactly the kind of performative FUD that is meant to get a reaction more than anything.
Speaking for myself, I'm going to keep using it, because nothing has come close to the convenience and performance. Would love an open source alternative to prove me wrong, but I haven't seen it.
That's your opinion. I respect your choices and your opinions. I speak for myself. This is the first time I've seen this company's CEO post somewhere. I really couldn't trust this software less.
To be fair, when someone comes up with excuses for not making something open source, it comes off as dishonest. Be honest. Say that you want to keep it closed to keep control and make money. There's no need to say otherwise. I do the same. I keep code private to make money. I don't say more than that.
You'll see a plethora of such apps made with LLMs. People will write something custom to meet their own needs and to have the features they need.
If you look at my GitHub profile[1] you'll see that the majority of my time is spent on open source. But my priority is open sourcing the tools and libraries I would want if I were building an alternative to Obsidian (Defuddle, JSON Canvas, Web Clipper, Importer, Flexoki, etc) because I believe all software is ephemeral and that files matter more than apps[2].
Obsidian is a free app made by seven people. If we were purely financially-motivated there are many levers we could have pulled, e.g. adding feature gates, not allowing alternatives to our paid services into the official directory, etc. But as I wrote in the tweet linked above, I have spent decades making open source projects and those have never paid the bills. So yes, there is some financial motivation behind that decision.
I've read your twitter post. That makes sense. I've read a blog post or some kind forum thread in which it was said that the maintenance of Obsidian as an open source project would be an issue and some other similar statements. This was a while ago.
Some are OK with the use of a closed source note taking app. Perhaps an enterprise version with a different feature set might be useful to companies.
For notes written on my own computer, I use open source software to write and handle the sync myself.
> when someone comes up with excuses for not making something open source
This is a wild take even coming from HN. Nobody needs an excuse to not make something open source.
This sort of entitlement does, and has done, far more damage to the OSS movement than anyone's "excuses" for not open sourcing their code. Full stop.
You can absolutely prefer open source software and choose not to trust closed-source apps. That’s all fair. But treating closed source itself as evidence of deception or impending betrayal is exactly the kind of ideological purity test that makes these conversations exhausting.
You've got it backwards. It's the fact that long arguments were written against making it open source that have determined me to make that statement. You don't have to provide an argument for not making it open source. It's the fact that arguments were made against making it open source or at least source available.
The business model is obvious. Sell the sync service.
"Oh, please, say you want to keep it closed source because you're afraid you'll lose money and control."
That's not good enough for open source zealots. That's when you end up being the headliner in an endless flood of blog posts and detailing comments telling everyone you're a 'proprietary evil man'.
It's open source or nothing. And how dare you make money.
LMAO. That won't happen in a million years. They are bending over backwards not to give proper file access on iOS so they can sell subscriptions. Do you think they would do such a crazy thing? I bet you my life savings it won't happen.
They are being roasted in the comments because they give file access to the plugins, now they are bad because they don't give file access. There is no winning lmao
Idk, I've always thought it was odd that the "community plugins" settings pane seemed more concerned with assuring the user that community plugins were fine than actually explaining the risk.
There is literally a single sentence about the fact that plugins "may cause data integrity and security issues", and it is hedged with the mealy-mouthed modifier "like any other software you install". The absolute majority of it - maybe 80% of the text by window height - is about the measures Obsidian does to vet and secure plugins. All of it appears to be written with the intent to placate any concerns.
Is this the safety warning? The screen that says that community plugins could cause issues "like any other software", but they're actually super safe and vetted and totally fine? Is it surprising that a person, faced with a screen like this, would be susceptible to a social engineering attack?
To replicate this attack you have to also reject two more safety warnings. The user has to accept a shared vault (you have to click "trust author of this vault"), and you have to activate syncing remote plugins.
The first safety warning assures the user that "plugin security is important to [Obsidian]". That Obsidian plugins undergo initial code review by Obsidian themselves. That "many" plugins are open source and that Obsidian has a "large community of developers who watch out for each other". (At this point I'm not sure how this screen even qualifies as a safety warning. Seems more like a billboard for enabling plugins?)
Given that vaults are just Markdown documents, and plugins are so safe (or so Obsidian seems to claim), why should a person feel at all concerned clicking yes to these prompts? Is it still a social engineering attack when the app appears to encourage you along the way? Are these even safety warnings, or just (vaguely encouraging) confirmation dialogs?
I don't see how Obsidian should come off as completely blameless here. They've always tacitly encouraged this wild west plugin ecosystem, because it's an obvious generator of value. They don't get to absolve themselves of any responsibility by pointing at safety warnings, when those "safety warnings" spend (far!) more time explaining why the user might want to click "yes" than "no".
To be clear, I like and use (and pay for!) Obsidian. But the design of Obsidian plugins was clearly broken from the beginning, and the official messaging around them has always been more encouraging than wary. This sort of event is an absolutely inevitable consequence of those decisions.
You're looking at a different screen than the ones required to replicate this attack. To replicate this attack you have to agree three separate times to increasingly scary messages.
Yes it would be good to make it less easy to shoot yourself in the foot. However, I believe users should be in control. People should be able to do powerful things if they choose to. But that will always come with the risk of misuse or social engineering.
Get real, kepano. You’re overestimating the consciousness of most casual users. Having godmode, RCE-capable plug-ins behind few safety warnings that most people will happily ignore to get shit done is not good engineering. I understand the constraints. In your shoes I would at minimum make a different version of the app in which you could allow these plug-ins and not put them under trivial banners within the canonical version of the app. You say you have banners, but these sit in the natural flow of the user journey, the options are clearly available and these banners are merely to exempt you from any liability, not to protect the users.
Chrome gutted extension capabilities for safety and now it is so useless, politically unwanted extensions have "lite" versions and every big project and their dog ship their own chromium browser.
I use Obsidian because it does not treat me like a child. They can add more nags and banners for normies, but the capabilities should remain.
I have to agree. You can keep pulling that logic back another step (and that seems to have been happening for many steps now) to the point that you no longer have the ability to use the computer.
This can't be dismissed as "slippery slope" logic either. Should elderly people with a bank account be allowed to use a computer? They might read something online and give their savings to a scammer. Frankly, that's a far more convincing argument than the one given here. There's only one solution if your objective function is exclusively to minimize the possibility of a security incident.
Whoa there, am I missing something, why so aggressive and immediately with the ad homs?
I think by that logic dangerously-skip-permissions and openclaw should've never been a thing. I agree that people use them too liberally, but I think at some point you have to find a balance between systemic safety risks and individual freedom.
> Tags and banners do not work. Completely understandable that someone as dismissive and seemingly isolated as you wouldn’t understand that.
One can reduce every tool to a toy and justify it with some hand-wavy security slop, but removing capabilities destroys use cases.
The ability to control your tools is good. You should be able to run anything on your devices. Therefore, those who propose the toyification of tools should carry the burden of justifying the change.
The same infantilization of users currently happens with Signal, where high-level decision makers are asked by strangers to share their deepest secrets. Since these strangers introduce themselves very nicely, users start blurting out their secrets. ... now everyone is pretending this is a Signal problem. It is not. The world is not a kindergarten and people have agency.
A good compromise is to set a safe mode as the default and include an option that lets users confirm they know what they are doing. Obsidian already does this. Given that, I do not understand why anyone would demand to make the entire tool worse.
I wonder: What level of user effort would make you comfortable with users exiting safe modes? Would you want users to be able to run software with full permissions at all?
Since we have your attention here, let me go on an unrelated note and ask whether you could look into Noteplan's workflow and see if you can add some of the required functionalities to enable replication of its workflow (https://help.noteplan.co/article/160-weekly-planning)?
Plugins like Tasks do offer a Query functionality that allows me to list e.g. weekly tasks on my daily template, replicating most of Noteplan's workflow, except Noteplan relies on being able to easily link those tasks into daily template by drag and dropping them, which internally assigns a unique but hidden by default ID in ^129abz notation (https://help.noteplan.co/article/138-synced-blocks). The latter is already supported by Obsidian, it's just not as "clean" and, AFAIK, impossible to get done when drag and dropping.
That said, the headline is misleading. This article is about a social engineering attack that requires the user to actively reject multiple safety warnings in Obsidian. As far as I know this is a proof of concept, I haven't seen any reports of users being affected by this attack.