RCE found similar to CVE-2026-20841 in Obsidian

Steps to reproduce

I found that an attacker can send a file with a malicious link that can create an RCE through it. Even in Notepad we are able to get the warning window, but if in Obsidian the user has selected the always open links option, he will not even get any alerts while the code gets executed.
For creating the POC I simply made this

Once I clicked it, it automatically opened the CMD.

Did you follow the troubleshooting guide? [Y/N]

Expected result

Actual result

Environment


Additional information

A prompt is displayed when you try to open most types of links. The prompt will be made more informative in v1.12.

Right now, you can elect to not get asked every time a link is opened, and this choice is remembered based on the protocol of the link.

We will think if there are further ways to improve on this.


We will introduce another layer of checks for executables in 1.12.1.

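The replies above describe consent that is remembered per link protocol, plus a further layer of checks for executables. The following is an added example, not Obsidian's code and not part of the original thread, showing how such a second layer can keep a remembered protocol from covering executable targets. The function names, the extension list and the choice to force a prompt are assumptions.

```javascript
// Hypothetical policy for external links; not Obsidian's implementation.
// The extension list is an illustrative assumption, not taken from the page.
const EXECUTABLE_EXTENSIONS = new Set([
  'exe', 'com', 'bat', 'cmd', 'ps1', 'vbs', 'jse', 'wsf', 'hta',
  'msi', 'scr', 'lnk', 'jar', 'sh', 'command', 'desktop',
]);
const WEB_PROTOCOLS = new Set(['http:', 'https:']);

// True when the link's path names a file the OS would run rather than display.
function looksExecutable(url) {
  let path;
  try {
    path = decodeURIComponent(url.pathname); // undo %2E-style escapes first
  } catch {
    return true; // malformed escapes: fail closed
  }
  // Windows ignores trailing dots and spaces in file names, so strip them.
  const name = path.split(/[\\/]/).pop().replace(/[. ]+$/, '').toLowerCase();
  const dot = name.lastIndexOf('.');
  return dot !== -1 && EXECUTABLE_EXTENSIONS.has(name.slice(dot + 1));
}

// Returns 'open' (no prompt) or 'prompt' (ask the user every time).
function decideLinkAction(rawLink, rememberedProtocols) {
  let url;
  try {
    url = new URL(rawLink);
  } catch {
    return 'prompt'; // unparseable target: never open silently
  }
  // Layer 1: consent remembered per protocol, as the reply above describes.
  const remembered = rememberedProtocols.has(url.protocol);
  // Layer 2: a remembered protocol must not cover executable targets.
  // Web links go to the browser, so the check applies to everything else.
  if (!WEB_PROTOCOLS.has(url.protocol) && looksExecutable(url)) {
    return 'prompt';
  }
  return remembered ? 'open' : 'prompt';
}
```

With only layer 1, a user who once chose "always open" for a protocol would get no prompt for any later link using that protocol, which is the behaviour the report describes.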
