zlacker

4 comments
1. metalc+ (OP) 2026-02-02 03:00:52
Out of curiosity, why is a self-signed cert bad for this case? Can't the updater check the validity of the cert just as well regardless? Or did the attackers get access to the signing key as well?
replies(2): >>tgsovl+g2 >>mapont+YT
2. tgsovl+g2 2026-02-02 03:21:20
>>metalc+(OP)
From the Heise article:

> Until version 8.8.7 of Notepad++, the developer used a self-signed certificate, which is available in the Github source code. This made it possible to create manipulated updates and push them onto victims, as binaries signed this way cause a warning „Unknown Publisher“

It also mentions "installing a root certificate". I suspect that it means that users who installed the root cert could check that a downloaded binary was legit but everyone else (i.e. the majority of users) were trained to blindly click through the warning.

replies(1): >>kevin_+r4
3. kevin_+r4 2026-02-02 03:47:39
>>tgsovl+g2
Notepad++ has way too many updates for a text editor. I purposely decline most of the nags to update for precisely this reason. It is too juicy of a target and was bound to get compromised.
replies(1): >>lukan+Yy
4. lukan+Yy 2026-02-02 09:34:35
>>kevin_+r4
Well, some people use it as an IDE, so there are more features they need. But I am not sure if a less frequent update routine would be safer.
5. mapont+YT 2026-02-02 12:46:56
>>metalc+(OP)
It would still have been less than ideal, but he might have gotten away with it if the private key wasn't stored within the public GitHub repo.
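The exchange above turns on two separate things: whether an updater can trust a self-signed key at all, and what happens once the private half of that key is public. The following is an added example, not code from this thread or from the Notepad++ project. It assumes an updater that pins the publisher's public key at build time and uses Ed25519 signatures in place of the X.509/Authenticode signing the thread actually refers to; all keys and the update payload are constructed on the spot. It shows that pinning alone rejects an unrelated signer, that a signature made with the leaked key is indistinguishable from the publisher's own, and that re-pinning a fresh key is what closes the gap.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// PinFingerprint is the value an updater would embed at build time: a hash of
// the publisher's public key. The updater trusts this value, not a certificate
// chain, so "self-signed" by itself is not what makes the scheme weak.
func PinFingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// VerifyUpdate accepts an update only if it carries a valid signature from the
// pinned publisher key. Anything else is rejected before it can be installed.
func VerifyUpdate(pinned ed25519.PublicKey, update, sig []byte) error {
	if len(sig) != ed25519.SignatureSize {
		return errors.New("malformed signature")
	}
	if !ed25519.Verify(pinned, update, sig) {
		return errors.New("update is not signed by the pinned publisher key")
	}
	return nil
}

// Outcome records whether each party's signature passed the pinned check.
type Outcome struct {
	Pin        string // fingerprint the updater would ship with
	Publisher  bool   // the developer's own key
	Leaked     bool   // the same private key, read out of the public repo
	ThirdParty bool   // an unrelated key with no access to the leak
}

// RunScenario plays out the situation described in the thread with
// constructed keys and a constructed update payload (hypothetical contents).
func RunScenario() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	// Private key committed to a public repo: anyone can read it.
	leakedPriv := ed25519.PrivateKey(append([]byte(nil), priv...))
	// An unrelated key: this is the only case pinning can defeat.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	update := []byte("constructed sample update payload") // not a real binary

	o := Outcome{Pin: PinFingerprint(pub)}
	o.Publisher = VerifyUpdate(pub, update, ed25519.Sign(priv, update)) == nil
	o.Leaked = VerifyUpdate(pub, update, ed25519.Sign(leakedPriv, update)) == nil
	o.ThirdParty = VerifyUpdate(pub, update, ed25519.Sign(otherPriv, update)) == nil
	return o, nil
}

// AfterRotation shows the remediation: ship an updater that pins a fresh key.
// The leaked key then fails verification exactly like any third-party key.
func AfterRotation() (leakedStillAccepted bool, err error) {
	_, leakedPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, err
	}
	newPub, _, err := ed25519.GenerateKey(rand.Reader) // fresh key, new pin
	if err != nil {
		return false, err
	}
	update := []byte("constructed sample update payload")
	return VerifyUpdate(newPub, update, ed25519.Sign(leakedPriv, update)) == nil, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("pin %s\npublisher accepted: %v, leaked key accepted: %v, third party accepted: %v\n",
		o.Pin, o.Publisher, o.Leaked, o.ThirdParty)
	accepted, err := AfterRotation()
	if err != nil {
		panic(err)
	}
	fmt.Printf("leaked key accepted after re-pinning: %v\n", accepted)
}
```

The verifier never sees a certificate, only the pinned key, which answers the OP's first question: a self-signed key can be checked just as strictly as a CA-issued one. What it cannot do is tell the publisher apart from anyone holding a copy of the private key, which is why a key in a public repo needs rotation and a new pin rather than a stricter check.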