Malicious Apps on the Snap store
    https://www.gamingonlinux.com/2023/1...alicious-apps/


    Canonical are currently dealing with a security incident with the Snap store, after users noticed multiple fake apps were uploaded, so temporary limits have been put in place.

    A post on the Snapcraft Discourse forum noted three "Fake Crypto Apps" had appeared on the store, with the user mentioning they "steal funds from user accounts". Canonical reacted pretty quickly, removing them, and the packages get replaced with empty ones so that they get updated and removed for anyone who had them installed.

    Writing a statement Canonical's Igor Ljubuncic said:
    On September 28, 2023, the Snap Store team was notified of a potential security incident. A number of snap users reported several recently published and potentially malicious snaps.

    As a consequence of these reports, the Snap Store team has immediately taken down these snaps, and they can no longer be searched or installed.

    Furthermore, the Snap Store team has placed a temporary manual review requirement on all new snap registrations, effective immediately.

    If you try to register a new snap while the requirement is active, you will be prompted to “request reserved name”. Upon a successful manual review from the Snap Store staff, the name will be registered. Uploading and releasing revisions for existing snaps will not be affected.

    We apologize for any inconvenience this may cause our snap publishers and developers. However, we believe it is the most prudent action at this moment.

    We want to thoroughly investigate this incident without introducing any noise into the system, and more importantly, we want to make sure our users have a safe and trusted experience with the Snap Store.

    Please bear with us while we conduct our investigation. We will provide a more detailed update in the coming days.

    Users noticed, not Canonical. They should make a system where packages are curated.
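As an added example (not from the article or from any poster), a check a user can run on their own machine: parse `snap list` output and flag installed snaps whose publisher lacks snapd's verified badge. The sample output and the snap names in it are constructed, and the badge check assumes `snap` was run in a UTF-8 locale so the badge is rendered as "✓".

```python
import subprocess

# Constructed sample of `snap list` output (not real snaps); the trailing
# "✓" in the Publisher column is snapd's verified-publisher badge.
SAMPLE_SNAP_LIST = """\
Name       Version      Rev    Tracking       Publisher     Notes
core22     20230801     864    latest/stable  canonical✓    base
firefox    118.0.1-1    3252   latest/stable  mozilla✓      -
coinwallet 1.0.0        1      latest/stable  newdev-42     -
mytool     0.1          x1     -              -             -
"""

VERIFIED_BADGE = "\u2713"  # "✓"; assumes a UTF-8 locale when running snap


def parse_snap_list(text):
    """Parse `snap list` output into one dict per installed snap."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    if header[:2] != ["Name", "Version"]:
        raise ValueError("unexpected header: %r" % lines[0])
    rows = []
    for line in lines[1:]:
        fields = line.split()  # columns never contain spaces
        if len(fields) != len(header):
            raise ValueError("unexpected row: %r" % line)
        rows.append(dict(zip(header, fields)))
    return rows


def unverified_snaps(rows):
    """Return (name, publisher, reason) for snaps not marked verified.

    Sideloaded snaps show "-" as publisher and are reported as such; any
    other badge (or no badge at all) is reported as an unverified publisher.
    """
    findings = []
    for row in rows:
        publisher = row["Publisher"]
        if publisher.endswith(VERIFIED_BADGE):
            continue
        reason = "sideloaded" if publisher == "-" else "unverified publisher"
        findings.append((row["Name"], publisher, reason))
    return findings


if __name__ == "__main__":
    try:
        out = subprocess.run(["snap", "list"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        out = SAMPLE_SNAP_LIST  # fall back to the constructed sample
    for name, publisher, reason in unverified_snaps(parse_snap_list(out)):
        print(f"{name}: publisher={publisher} ({reason})")
```

An unverified publisher is not proof of anything malicious, but it is the set worth a second look before trusting a snap with credentials or funds.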

    #2
    Originally posted by Bings View Post
    They should make a system where packages are curated
    Lol, do you want to do that?
    Actually, it sounds a little fun, if the pay was right.

    They were doing that in the past, but the creators were complaining about long wait times for approvals
    Flatpak is no different here, tbh. There are tons of unofficial flatpaks not produced by the actual projects (and not necessarily sanctioned by them), for example.
    Similar things are entirely possible from PPAs, or (iirc) Opensuse OBS service/Fedora's COPR, and I assume Flatpak.
    Last edited by claydoh; Oct 02, 2023, 04:35 PM. Reason: were did mah eemogees go?



      #3
      Originally posted by claydoh View Post
      They were doing that in the past, but the creators were complaining about long wait times for approvals
      And you don't see a problem with that line of thought? It means they made a deliberate choice to sacrifice user security to remove an inconvenience from snap app developers (and malware developers). It should be obvious something like this would happen...and will continue to happen.

      Originally posted by claydoh View Post
      Flatpak is no different here, tbh. There are tons of unofficial flatpaks not produced by the actual projects (and not necessarily sanctioned by them), for example.
      Similar things are entirely possible from PPAs, or (iirc) Opensuse OBS service/Fedora's COPR, and I assume Flatpak.
      And are any of these software sources enabled by default, without user interaction (where the user gets the chance to review the trustworthiness of the source)? This is more comparable to having malware in the main repos than in any external source.

      It wasn't that long ago, when people raved about how great it is to get everything from one *curated* trustworthy snap store.



        #4
        My point is that all these sources have somewhat similar vetting processes, and this is not intended to be support (or not) for any of these formats.

        Some distros force flatpak, but that is sort of immaterial. Some janky crypto software could just as easily get uploaded to flathub, and a user convinced to install it, just as what happened in this case.

        But I do think that non-free software in any of these formats should require some increased levels of scrutiny, no matter the platform. But then I also note that two of the three applications the user reported to Snap seem to be open source, with one having a flatpak that does not seem to be official.
        Last edited by claydoh; Oct 03, 2023, 06:38 AM.



          #5
          Flathub appears to manually review additions. Snap, from what they themselves said in the article, weren't doing that prior to the incident.
