Is there a way to review plugins?

Hi,

I am asking this because I tried out 2 plugins recently, which offered to sync Kindle highlights to Obsidian by accessing the Amazon website. I was foolish enough to go forward with it in spite of my apprehensions. And a few days later (today) I saw money taken from my account by Amazon for items I have not purchased. As I do not believe in coincidences, I am sure that one of the plugin authors somehow stole my credentials (though I am still wondering how, as I have two-factor authentication set up and the bank account data is not even visible to me).

Not too much damage was done fortunately in this case, as I detected it on the same day, but I would like to warn people about this. But where would I do this? There seems to be no review possibility at all.

Kind Regards,
Gerhard

Sorry to hear that.

Did you try to contact Amazon and ask them how/when these purchases were made?
They should know.

Did you try to contact the plugin authors about this?

Which plugins? Most plugins are open source, which allows you to review them.

I am not so good at JavaScript/TypeScript to be able to review the code.

It is the obsidian-kindle-plugin and Unearthed (here it would be the Chrome plugin which could have gotten access to the payment methods, but he could not get the credentials, unless the plugin records the typing).

But it is only the first one which presents a dialog to log in to Amazon in an Obsidian window (I had the web viewer plugin disabled, so it was not any browser window, which should have warned me). It warns about the credentials being accessible by other plugins, and so I tried to log out after the syncing, but I got an error. So I uninstalled the plugin, but after I discovered the fraud, I installed it again and saw that the credentials survived the uninstall!

I do not understand how anybody with access to the Amazon site can read out the bank data, as even I when logged in have to reenter the password AND the two-factor code to access it and the account and credit card numbers are starred out. This two-factor authentication was the reason I felt safe even though I had a bad feeling about this.

I asked about this in the discussions area of obsidian-kindle-plugin, but so far nobody has answered.

And I did not find any way so far to contact Amazon about this. If there is they are hiding it perfectly.

I don't see anything malicious in either of those from a quick glance. obsidian-kindle-plugin uses session cookies.

Unearthed looks like it does send creds to their own API endpoints. It is storing the Unearthed API creds in your vault, which could be taken/read.

Do you sync your vault anywhere else? Could your computer be compromised?

Statistically this is a PC problem, not an Obsidian plugin issue.

I’d disconnect the PC from the internet and try a Malwarebytes scan.

Post the scan results to their forum if you need help.

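A quick local check for the concern raised above, that a plugin may persist credentials or session data inside the vault: an added example script, not code from the thread or from either plugin, which assumes plugins keep their settings in `.obsidian/plugins/<id>/data.json` and uses a heuristic list of key names of my own choosing.

```python
import json
import re
import tempfile
from pathlib import Path

# Key names that commonly hold secrets in a plugin's data.json (heuristic, assumed list).
SECRET_KEY_RE = re.compile(
    r"(token|secret|password|passwd|cookie|session|api[_-]?key|credential)", re.I)


def _walk(obj, path, findings):
    """Collect dotted paths whose key looks secret-bearing and whose value is a non-empty string."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            child = f"{path}.{k}" if path else str(k)
            if SECRET_KEY_RE.search(str(k)) and isinstance(v, str) and v.strip():
                findings.append(child)
            _walk(v, child, findings)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            _walk(v, f"{path}[{i}]", findings)


def scan_vault(vault_dir):
    """Return {plugin_id: [secret-looking paths]} for every .obsidian/plugins/<id>/data.json."""
    results = {}
    plugins_dir = Path(vault_dir) / ".obsidian" / "plugins"
    if not plugins_dir.is_dir():
        return results
    for data_file in sorted(plugins_dir.glob("*/data.json")):
        try:
            data = json.loads(data_file.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or not JSON: nothing to report for this plugin
        findings = []
        _walk(data, "", findings)
        if findings:
            results[data_file.parent.name] = findings
    return results


def demo_vault():
    """Build a constructed throw-away vault: one plugin persists an API token, one does not."""
    root = Path(tempfile.mkdtemp())
    (root / ".obsidian/plugins/example-sync").mkdir(parents=True)
    (root / ".obsidian/plugins/example-sync/data.json").write_text(
        json.dumps({"apiToken": "constructed-token-value", "lastSync": "2024-01-01"}))
    (root / ".obsidian/plugins/example-theme").mkdir(parents=True)
    (root / ".obsidian/plugins/example-theme/data.json").write_text(json.dumps({"accent": "blue"}))
    return root


if __name__ == "__main__":
    print(scan_vault(demo_vault()))  # {'example-sync': ['apiToken']}
```

Run it against a real vault path instead of `demo_vault()` to see which installed plugins have written credential-like values to disk; note that the regex only flags key names, so a secret stored under an innocuous key will not show up.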

There’s an issue open on the GitHub repo of the plugin about this: [BUG] Can't sign out of Amazon · Issue #289 · hadynz/obsidian-kindle-plugin · GitHub

And a workaround can be found in the comments of the same issue: here and with a bit more details there

Thank you all for all the replies.

I found out today, when I filled out a form for the bank with the amounts deducted, that it was no fraud at all. All those deductions from the bank account on one day, which panicked me, came from orders a week ago, and the amounts were not recognizable because Amazon does partial deliveries and deducts the amount just before each delivery instead of on the day of the order. It was deducted all at once because no account activities are possible over the weekend and everything is delayed to Monday.

It was just the uneasy feeling that giving the plugins access might not be a good idea, in combination with those - at that time - unexplained deductions.

I got a response from the author of obsidian-kindle-plugin, by the way, and I had a look at the code, not that I would really detect any suspicious code. But I believe now that this plugin has no bad intentions.

I also looked at the unearthed-web-extension, which does the scraping of the books on Amazon. Even I can tell that this is not the complete code, just a few files, and it would never build this way. There is no source code to check, unless I am missing something. I think it will be a good idea in the future to listen to my instinct, even if nothing bad happened this time.

