[BUG] Chatbox-1.3.3-arm64.dmg triggers JS/Agent.OBF false positive?? #1270
Comments
@Bin-Huang Can you comment on what exactly is going on?
None of these features/fixes seem to be in the current code at GitHub (v1.3.1...main), so where are they?
It's also bad that the GitHub version offers to update with the version from the site, which has a trojan...
I attach great importance to this issue and am currently investigating its source.
I am investigating the cause of this issue. Before proceeding, I would like to clarify that the installation packages from the website distribution and GitHub releases both come from the same GitHub Actions pipeline. The reason I offer website distribution is purely because in some countries and regions (such as China), downloading from GitHub releases is extremely slow.
No Security Issues Detected

I have NOT detected any security issues in any of the distributions of version v1.3.3 provided on the website, using different security software. Meanwhile, I have checked all potential areas that might have been overlooked. I also searched the Internet for JS/Agent.OBF and didn't find any fully relevant vulnerability disclosures. At present, I believe that the current distribution version on the website does not have any security issues. @fleytman Could you send the file with the warning to [email protected]? That way, I can further determine where this file came from.

Answer to the Appeal Question

Why is there a release that is not on GitHub?

I've been using GitHub Actions to build and distribute releases. After GitHub Actions finishes running, it automatically creates a draft in GitHub Releases, which requires manual editing and confirmation to be publicly displayed. Since I always release new versions late on Sunday nights (developing intensively on Saturdays and Sundays, starting intensive testing at noon on Sunday), and each build takes about an hour, I have missed many drafts that weren't made public...

In addition, after GitHub Actions finishes running, it also uploads the new installers to my Cloudflare R2 storage, and the website automatically distributes the latest version. This greatly reduces my workload. I'm also using this site to improve the download speed of the installation package in various countries, because there are serious network delays when accessing GitHub Releases in some countries. No one has mentioned there being any issue with this before.

Why was the license changed - such a license change requires permission from all contributors whose code is still present?

Oops, it seems my changes were a bit casual; I apologize for my actions. The reason I modified the license is that I recently received an email from a developer who wants to fork this repository and develop a new open-source project on top of it. This made me realize that the original license might hinder others' work (although this developer was willing to follow it), so I changed it to the more liberal MIT license to make it easier for other potential developers to work on their own projects. Most of the code was written by me, and initially it was under the MIT license. I was unaware of the requirements for changing a license, and I apologize again for my actions.

Why are releases fetched from "https://pub-0f2a372de68244aabdee60c9d82c4c6c.r2.dev/"?

As I mentioned above, this is my Cloudflare R2 storage bucket, which facilitates the release of new versions and allows people from various countries to download at faster speeds.

Finally

I've always kept an eye on security issues with vigilance and precaution during the development and maintenance phases, and my professional expertise and competence (as a senior software engineer) enable me to develop secure and reliable software. Emotionally, I've devoted a year of intensive work to this project, spending all my spare time here, and I'm the last person who would want anything to go wrong with it. I have scanned the installation packages offered by the website using different security software, but haven't found any problems. I believe the software is secure enough.
Glad to hear everything's in order; my questions were aimed at understanding the situation for everyone's peace of mind. Thank you for addressing the concerns. Appreciate your quick response!
@Bin-Huang Good afternoon, thanks for the reply. I checked the macOS version yesterday via VirusTotal but found nothing. Today I decided to check the Windows version, and NOD32 finds a trojan: Maybe it's a false detection, maybe not. Maybe you should contact ESET for more details, for example on their forum https://forum.eset.com/. From what I've found on the topic P.S.
@Bin-Huang, I understand your interest in transitioning the Chatbox project to an MIT license, which undoubtedly can facilitate the software's integration and use in commercial projects. However, I would like to address the importance of GPL3 for the current and future developer community of your project. Switching to an MIT license may require consent from all contributors who have contributed under GPL3. This is not only a legal necessity but also a matter of respecting and valuing their contributions. Therefore, I recommend that you first reach out to each contributor to obtain permission for such a change. Furthermore, have you considered dual licensing? This would allow the spirit of open source, protected by GPL3, to be maintained while also offering a more flexible MIT approach for those interested in commercial use. Dual licensing would enable the community to continue developing forks of your project strictly within the GPL3 framework, which may be important for those who value the principles of open source and wish to see their contributions remain free and accessible to all. This approach could serve as a compromise that satisfies both open-source advocates and those seeking easier paths to commercialization.
Thank you for your suggestions. I have reverted the changes made to the license, rolling it back to GPL. Moving forward, I will seriously consider a dual-license approach. Given that other contributors' code makes up a small part of the project, and much of it is outdated, the transition to a dual-licensing model may go smoothly. I want to return to the initial issue of security warnings that we discussed. I'll keep this GitHub issue open for a while to see if there is any follow-up or if anyone else encounters a similar situation. After that period (a few months), I might close this issue to streamline management. In this age of rapid iteration of AI/LLM technologies, maintaining such an open-source project is indeed an urgent and hefty task. Thank you very much for your understanding.
1.3.4 VirusTotal without trojan: https://www.virustotal.com/gui/file/70b1e78c8bb7cf00f17a7a2e6f3a984cb46e12bf81ee8dd19c573dec96d5ce81 How can I disable autoupdate in the Chatbox app?
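The comment above publishes a VirusTotal link whose last path component is the SHA-256 of the 1.3.4 installer, and earlier comments in this thread argue that the website (Cloudflare R2) and GitHub Releases artifacts come from the same pipeline. The check a user can actually perform is to hash both downloads and compare them with each other and with that published digest. The following is an added example, not code from the Chatbox project; the sample "installer" files it writes are constructed in a temporary directory so it runs offline, and the channel names are assumptions.

```python
"""Compare installer downloads from two distribution channels against a
published SHA-256.  Added example; not part of the Chatbox project."""
import hashlib
import os
import re
import tempfile
from typing import Dict

# VirusTotal file URL posted in this thread for v1.3.4; the final path
# component is the file's SHA-256 digest.
VT_URL = ("https://www.virustotal.com/gui/file/"
          "70b1e78c8bb7cf00f17a7a2e6f3a984cb46e12bf81ee8dd19c573dec96d5ce81")

_SHA256_RE = re.compile(r"/file/([0-9a-fA-F]{64})(?:[/?#]|$)")


def digest_from_virustotal_url(url: str) -> str:
    """Extract the 64-hex-char SHA-256 from a VirusTotal /gui/file/ URL."""
    m = _SHA256_RE.search(url)
    if not m:
        raise ValueError("no SHA-256 found in VirusTotal URL: " + url)
    return m.group(1).lower()


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file so multi-hundred-MB installers do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_channels(paths: Dict[str, str], expected: str) -> Dict[str, object]:
    """Hash every downloaded artifact and report whether all channels served
    the same bytes and whether those bytes match the published digest."""
    digests = {name: sha256_of_file(p) for name, p in paths.items()}
    unique = set(digests.values())
    return {
        "digests": digests,
        "channels_identical": len(unique) == 1,
        "matches_expected": unique == {expected.lower()},
    }


def demo() -> Dict[str, object]:
    """Constructed sample: two byte-identical downloads (standing in for the
    GitHub release and the R2 mirror) plus one that differs by a single byte."""
    good = b"constructed-installer-bytes-" * 1000
    tampered = good[:-1] + b"X"
    with tempfile.TemporaryDirectory() as d:
        paths = {}
        for name, data in (("github", good), ("r2_mirror", good), ("other", tampered)):
            p = os.path.join(d, name + ".dmg")  # file names are assumptions
            with open(p, "wb") as f:
                f.write(data)
            paths[name] = p
        expected = sha256_of_bytes(good)  # in real use: digest_from_virustotal_url(VT_URL)
        two = verify_channels({k: paths[k] for k in ("github", "r2_mirror")}, expected)
        three = verify_channels(paths, expected)
    return {"two_channels": two, "three_channels": three}


if __name__ == "__main__":
    print("published digest:", digest_from_virustotal_url(VT_URL))
    for label, result in demo().items():
        print(label, result["channels_identical"], result["matches_expected"])
```

A match between channels only shows that both served the same artifact; it says nothing about whether the build itself is clean, and a VirusTotal digest is only as trustworthy as the person who posted the link. The useful case is when the two downloads differ: that rules out a pure scanner false positive and points at one distribution path.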
@Bin-Huang hi!
@Bin-Huang and could you please tell me how I could disable automatic updates of Chatbox to avoid similar problems in the future?
@Bin-Huang I am also one of the happy users currently on 1.3.3, and thus concerned about the situation. Thanks for all the explanation; it really helps clear things up. However, I haven't found any explanation of why the code for 1.3.3 is not on GitHub. Is it possible to push the 1.3.3 code to GitHub so others can reproduce the binary and check where the problem is?
Here is the v1.3.3 version that I supplemented in GitHub Actions (I just made it public with a click), hoping it will be useful to those in need. |
Sorry, I may have misunderstood something. But this tag points to 32f196a, which is the change to revert the license back to GPL from MIT on April 2?
There is information regarding this in #803 (comment). |
Here, I'd like to further elaborate on the security-related work I did in v1.3.4:

From gathering information from various angles, I've realized that mainstream security scanning software (e.g., Windows Defender) can sporadically flag false positives, a low-probability, unpatterned event. By "unpatterned," I mean that while individual users might encounter a false alert with the same installer, most others do not experience any issues. This sort of false positive is even more common in open-source software. Here's a Google search for a false positive case in an open-source project on GitHub: https://www.google.com/search?q=site%3Agithub.com+Wacatac.b!ml+trojan

False positives from security scanning software are not isolated incidents, with many open-source projects falling victim to this, including highly reputable ones like ollama and vscode-go. Numerous developers are voicing their frustration over this. To minimize the occurrence of these false flags by security scans, I've learned a couple of lessons from various cases:

These methods merely reduce the chances of false positives as much as possible. For instance, even after releasing v1.3.4, I still received a tweet from a user who encountered a security false positive with the new version.

To sum it up, I want to say that Windows is not friendly to open-source software and independent developers. Whether it's the financial cost of certificates, the disheartening two days spent trying to get the certificate to work properly on GitHub Actions, or the exhaustive search and troubleshooting for the cause of these false positives... As I read in a Reddit comment, the development environment on Windows is bad, and it's only getting worse...
Sorry, I accidentally closed the issue just now. |
Here I attach the message discussed on Twitter. ...and the link mentioned in the message:
I recommend making a separate announcement that you had to spend money on the certificate, stating how much it cost, with a link for donations.
Just like we discussed before, it's more likely a false positive from all aspects now. To better manage the issues, I've closed it for now. |
Bug Description
ESET Endpoint Security found
But the latest version, Chatbox-1.3.1-arm64.dmg on GitHub, doesn't show any trojans.
P.S. I see that just before the 1.3.3 version the license was changed to MIT. It is very alarming that a version with a trojan appears right after that.