Steps to reproduce
I found that an attacker can send a file with a malicious link that can create an RCE through, even in Notepad we are able to get the warning window, but if in Obsidian the user has selected the always open links option he will not even get any alerts while the code gets executed.
For creating the POC I simply made this
Once I clicked, it automatically opens the CMD
Did you follow the troubleshooting guide? [Y/N]
Expected result
Actual result
Environment
Additional information
A prompt is displayed when you try to open most types of links. The prompt will be made more informative in v1.12.
Right now, you can elect to not get asked every time a link is opened, and this choice is remembered based on the protocol of the link.
We will think about whether there are further ways to improve on this.
1 Like
We will introduce another layer of checks for executables in 1.12.1.
1 Like
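An added example, not Obsidian's code and not part of the posts above: because the "always open" choice is remembered per protocol, a reviewer may want to list which link schemes a received note actually uses before opening it. The allowlist, the extension list, the function name `audit_note` and the sample note are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: schemes treated as ordinary web/mail links; all others are reported.
SAFE_SCHEMES = {"http", "https", "mailto"}
# Assumption: file extensions a reviewer would treat as directly runnable.
EXECUTABLE_EXTS = (".exe", ".bat", ".cmd", ".ps1", ".vbs", ".lnk",
                   ".msi", ".scr", ".hta")

# Markdown inline links [text](target "title") and autolinks <scheme:target>.
INLINE = re.compile(r"\[[^\]]*\]\(\s*([^)\s]+)[^)]*\)")
AUTOLINK = re.compile(r"<([A-Za-z][A-Za-z0-9+.-]*:[^>\s]+)>")


def audit_note(text):
    """Return (line, scheme, target, reasons) for every link worth a second look."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for target in INLINE.findall(line) + AUTOLINK.findall(line):
            parts = urlsplit(target)
            scheme = parts.scheme.lower()
            if not scheme:
                continue  # relative path or internal note link
            reasons = []
            if scheme not in SAFE_SCHEMES:
                reasons.append("non-web scheme")
            if unquote(parts.path).lower().endswith(EXECUTABLE_EXTS):
                reasons.append("executable target")
            if reasons:
                findings.append((lineno, scheme, target, reasons))
    return findings


# Constructed sample note; paths and hosts are placeholders.
NOTE = """\
# Meeting notes
See the [guide](https://example.com/guide) and [[Other note]].
Run the [helper](file:///C:/example/helper.exe) first.
Installer: [download](https://example.com/setup.msi)
Contact <mailto:team@example.com> or <ftp://example.com/pub/readme.txt>
"""

if __name__ == "__main__":
    for lineno, scheme, target, reasons in audit_note(NOTE):
        print(f"line {lineno}: [{scheme}] {target} ({', '.join(reasons)})")
```

Any scheme that shows up in the output is one for which a remembered "always open" choice would suppress the prompt for every future link of that protocol.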