惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Vercel News
Vercel News
Recorded Future
Recorded Future
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
The GitHub Blog
The GitHub Blog
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Google DeepMind News
Google DeepMind News
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Microsoft Azure Blog
Microsoft Azure Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
M
MIT News - Artificial intelligence
云风的 BLOG
云风的 BLOG
Y
Y Combinator Blog
N
News | PayPal Newsroom
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Help Net Security
Help Net Security
博客园 - Franky
SecWiki News
SecWiki News
Recent Announcements
Recent Announcements
T
Troy Hunt's Blog
The Register - Security
The Register - Security
The Last Watchdog
The Last Watchdog
Webroot Blog
Webroot Blog
S
Security Affairs
博客园 - 司徒正美
S
Schneier on Security
I
InfoQ
博客园_首页
www.infosecurity-magazine.com
www.infosecurity-magazine.com
T
Threat Research - Cisco Blogs
Forbes - Security
Forbes - Security
腾讯CDC
N
Netflix TechBlog - Medium
N
News and Events Feed by Topic
Cloudbric
Cloudbric
T
The Exploit Database - CXSecurity.com
P
Proofpoint News Feed
A
About on SuperTechFans
Engineering at Meta
Engineering at Meta
Recent Commits to openclaw:main
Recent Commits to openclaw:main
B
Blog
V
Vulnerabilities – Threatpost
C
Check Point Blog
Google DeepMind News
Google DeepMind News
Google Online Security Blog
Google Online Security Blog
C
Cyber Attacks, Cyber Crime and Cyber Security
Hacker News - Newest:
Hacker News - Newest: "LLM"
C
Cisco Blogs
Schneier on Security
Schneier on Security
O
OpenAI News
K
Kaspersky official blog

Obsidian Blog

Obsidian Sync audits by Cure53 and Trail of Bits The future of Obsidian plugins Obsidian October 2025 Less is safer: how Obsidian reduces the risk of supply chain attacks Obsidian is now free for work 2024 Gems of the year winners 2024 Gems of the year nominations Obsidian Softwear: new Fractal t-shirts and hoodies Save the web Obsidian October 2024 Obsidian Sync now starts at $4 per month with the new Standard plan Announcing JSON Canvas: an open file format for infinite canvas data 2023 Gems of the year winners New security page and independent audit completed by Cure53 2023 Gems of the year nominations New Obsidian Sync plans: bigger, better, faster, smoother Goodbye legacy editor Obsidian Importer now converts Apple Notes to portable, durable files Obsidian October 2023 Free your notes How to verify Obsidian Sync's end-to-end encryption The new Obsidian icon New developer documentation site Obsidian Publish now offers more for less: a lower price, with new features, improved SEO and accessibility 2022 Gems of the year winners I’m joining Obsidian full-time as CEO New Code of Conduct for our community 2022 Gems of the year nominations Obsidian October 2022 winners Obsidian October 2022 1.0 Theme migration guide How to update your plugin to support pop-out windows Plugin developers: CodeMirror 6 migration guide for v6.0 2021 Gems of the year winners Live Preview update 2021 Gems of the year nominations Obsidian October 2021 winners Obsidian October 2021: make plugins and themes together and win awards! Last chance to get early bird discount for Sync and Publish 2020 Gems of the year winners 2020 Gems of the year nominations
Second audit of Obsidian apps completed by Cure53
kepano · 2024-12-23 · via Obsidian Blog

Early this year we shared our new Security page and first independent audit of Obsidian, coinciding with the release of Obsidian 1.5.3. Since then we’ve made numerous improvements to Obsidian.

Continuing our commitment to security and privacy, we asked the Berlin-based security firm Cure53 to perform a second penetration test and source code audit of the Obsidian apps, across all platforms. Special attention was given to hardening the new Web viewer plugin ahead of its first release.

We invite you to read a summary of the findings and the full report.

We were pleased to hear from Cure53 that incremental updates since Obsidian 1.5.3 maintained the highest degree of attention to security. No new vulnerabilities were found in public versions of Obsidian. Quoting from the summary:

The security standing of the Obsidian client component has improved since the previous audit, as evidenced by the identification of only a single rather serious vulnerability, which addresses a new browser webview feature (see DYL-03-007).

Particular emphasis was placed on hardening the Web viewer plugin during its development process, to ensure it would pass our strict security standards.

The new web viewer plugin implementation was carefully analyzed for common security pitfalls of the WebViews components, with the focus on its Electron interactions. The WebView tag configuration was inspected for security misconfigurations. The implementation neither utilizes any custom and potentially vulnerable webpreferences configuration, nor enables unsafe and dangerous attributes like nodeintegration or disablewebsecurity.

The project concluded in October 2024 and identified six vulnerabilities primarily related to unreleased versions of Web viewer. Fixes were incorporated into the first version of Web viewer in Obsidian 1.8.0, which was released to early-access users on December 18th, 2024.

We’re proud to report that the Cure53 team reviewed the resolutions and concluded that their recommendations have been properly followed. From the report summary:

Concluding, it needs to be highlighted that Obsidian’s swift response to address the identified issues of this audit demonstrates their commitment to ensuring a good level of security for their client. By continuing to monitor for new vulnerabilities and taking proactive measures to address them, Obsidian can further strengthen the security posture of their client component.

We look forward to publishing more security audits and updates, so you can continue to feel confident trusting Obsidian apps and services.