by jimrandomh 808 days ago
The project tells people to put a line in their zshrc which fetches and runs a script. To spell out why that's worse than a normal auto-updater would be: it enables the server operators to distinguish users who have installed it in a way where they can serve malware, from users who are downloading it once for inspection purposes. For example, they could serve malware only to IP addresses that have fetched the script every day for a month. Random curious developers and security researchers are very unlikely to do that, but someone who actually put this line in their zshrc would.

This would also explain why it's pointed at the developer's server, rather than a GitHub URL: if it were a GitHub URL, it would be impossible to do malicious substitutions like this.


Never mind that it's possible to detect server-side if the content is being simply downloaded, or piped into a shell for processing so that you can change the content based on the way it's accessed.

http://web.archive.org/web/20240406132938/https://www.idontp... (archive because HSTS and the cert is expired).
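Both comments describe the same weakness: a zshrc line that re-fetches and runs a remote script on every shell start lets the server pick what each fetch pattern receives. The defensive alternative is to fetch once, review, and pin the content by digest, as in this added example (not code from the thread or from the project under discussion; the sample script, its "tampered" variant and the `verify_pinned`/`verify_and_source` helper names are constructed for illustration):

```shell
#!/bin/sh
# Hypothetical replacement for a "fetch-and-run" zshrc line: keep a local,
# reviewed copy of the script, pin its SHA-256, and refuse to source anything
# that differs. Everything below is constructed for this example; a real
# install would paste the literal digest of the reviewed release.

# SHA-256 of a file, portable across sha256sum (coreutils) and shasum (macOS).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Returns 0 only if the file's digest matches the pinned one; on mismatch
# prints both digests to stderr and returns 1 without running anything.
verify_pinned() {
    file="$1"; expected="$2"
    actual=$(file_sha256 "$file") || return 1
    if [ "$actual" != "$expected" ]; then
        printf 'refusing %s: sha256 %s != pinned %s\n' "$file" "$actual" "$expected" >&2
        return 1
    fi
    return 0
}

# What the zshrc line becomes: source the local copy only after verification.
verify_and_source() {
    verify_pinned "$1" "$2" && . "$1"
}

# Constructed sample: the script as reviewed, and its pinned digest.
SAMPLE_DIR=$(mktemp -d)
REVIEWED="$SAMPLE_DIR/tool.sh"
printf 'echo hello from reviewed script\n' > "$REVIEWED"
PINNED_SHA256=$(file_sha256 "$REVIEWED")   # in practice: a literal, not computed here

# Constructed sample of the case both comments describe: the content served
# later differs from what was reviewed, so the pinned digest no longer matches.
TAMPERED="$SAMPLE_DIR/tool-served-later.sh"
printf 'echo hello from reviewed script\necho extra line\n' > "$TAMPERED"
```

Pinning only helps if the digest is taken from a copy you actually read; re-deriving it from whatever the server sends next would recreate the original problem.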