Former Canonical Developer Advocate Warns Snap Store Isn't Safe After Slow Responses to Malware Reports (linuxiac.com)

An anonymous reader shared this article from the blog Linuxiac: In a blog post, Alan Pope, a longtime Ubuntu community figure and former Canonical employee who remains an active Snap publisher... [warns of] a persistent campaign of malicious snaps impersonating cryptocurrency wallet applications. These fake apps typically mimic well-known projects such as Exodus, Ledger Live, or Trust Wallet, prompting users to enter wallet recovery phrases, which are then transmitted to attackers, resulting in drained funds.
The perpetrators had originally used similar-looking characters from other alphabets to mimic other app listings, then began uploading "revisions" to other innocuous-seeming (approved) apps that would transform their original listing into that of a fake crypto wallet app.

But now they're re-registering expired domains to take over existing Snap Store accounts, which Pope calls "a significant escalation..." I worked for Canonical between 2011 and 2021 as an Engineering Manager, Community Manager, and Developer Advocate. I was a strong advocate for snap packages and the Snap Store. While I left the company nearly five years ago, I still maintain nearly 50 packages in the Snap Store, with thousands of users... Personally, I want the Snap Store to be successful, and for users to be confident that the packages they install are trustworthy and safe.

Currently, that confidence isn't warranted, which is a problem for desktop Linux users who install snap packages. I report every bad snap I encounter, and I know other security professionals do the same — even though doing so results in no action for days sometimes... To be clear: none of this should be seen as an attack on the Snap Store, Canonical, or the engineers working on these problems. I'm raising awareness of an issue that exists, because I want it fixed... But pretending there isn't a problem helps nobody.
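The summary mentions two of the impersonation techniques: look-alike characters from other alphabets in listing titles, and lookalike spellings. The following is an added example (not code from Pope's post, Linuxiac, or the Snap Store) showing how a reviewer or store-side check could flag such titles: it folds a title to a comparison "skeleton" (NFKC normalisation, casefolding, a small hand-picked confusables table) and reports listings whose skeleton collides with a trusted title without being byte-identical to it. The listing names, titles, and the confusables table are constructed for illustration and are not real store data or Unicode's full confusables list.

```python
"""Flag Snap Store listing titles that look like trusted wallet titles.

Added example, not the Snap Store's own review tooling. All listings below are
constructed placeholders; the confusables table is a hand-picked subset.
"""
import unicodedata

# Constructed sample: titles of well-known wallets the store wants to protect.
TRUSTED_TITLES = {"Exodus", "Ledger Live", "Trust Wallet"}

# Constructed sample listings (placeholder names; not real snaps).
LISTINGS = [
    {"name": "exodus", "title": "Exodus"},
    {"name": "exodus-wallet-app", "title": "Ex\u043edus"},   # Cyrillic 'о' in place of Latin 'o'
    {"name": "trust-wa11et", "title": "Trust Wa11et"},        # digit '1' in place of 'l'
    {"name": "hexdump-viewer", "title": "Hexdump Viewer"},    # unrelated, should not be flagged
]

# Assumption: a small subset of visually confusable characters -> ASCII equivalents.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u03b1": "a", "\u03bf": "o", "\u03c1": "p", "\u0131": "i",
    "0": "o", "1": "l",
}


def scripts_of(text):
    """Set of Unicode name prefixes (LATIN, CYRILLIC, GREEK, ...) used by the letters in text."""
    scripts = set()
    for ch in text:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def is_mixed_script(text):
    """True when letters from more than one script are mixed in one title."""
    return len(scripts_of(text)) > 1


def skeleton(title):
    """Collapse a title to a comparison key: NFKC, casefold, map confusables, keep [a-z0-9]."""
    folded = unicodedata.normalize("NFKC", title).casefold()
    mapped = "".join(CONFUSABLES.get(ch, ch) for ch in folded)
    return "".join(ch for ch in mapped if ch.isascii() and ch.isalnum())


def find_lookalikes(listings, trusted_titles):
    """Return listings whose skeleton equals a trusted title's skeleton but whose title differs."""
    by_skeleton = {skeleton(t): t for t in trusted_titles}
    hits = []
    for item in listings:
        target = by_skeleton.get(skeleton(item["title"]))
        if target is None or item["title"] == target:
            continue  # no collision, or the exact trusted title (handled by a separate ownership check)
        reasons = ["confusable-spelling"]
        if is_mixed_script(item["title"]):
            reasons.insert(0, "mixed-script")
        hits.append({"name": item["name"], "title": item["title"],
                     "impersonates": target, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_lookalikes(LISTINGS, TRUSTED_TITLES):
        print(f"{hit['name']!r}: title {hit['title']!r} resembles {hit['impersonates']!r} "
              f"({', '.join(hit['reasons'])})")
```

The skeleton comparison deliberately ignores case, spacing and a handful of look-alike glyphs, so a title such as "Trust Wa11et" collides with "Trust Wallet" even though every character is Latin; the mixed-script check is a second, independent signal that fires on the Cyrillic variant.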

  • by Casandro ( 751346 ) on Sunday January 25, 2026 @05:31AM (#65947672)

    ... that bypassing the long established and fairly well working path of distributions with something that's essentially "download a binary and run it" with no actual reviews could actually lead to something that's less secure than what you had before.

    • by AmiMoJo ( 196126 ) on Sunday January 25, 2026 @06:06AM (#65947696) Homepage Journal

      Neither option is very good. Linus spoke about how much effort is wasted in traditional repos, and how they cause version and dependency issues. That's part of the reason why things like Docker are so popular.

      Snaps may be crap, but so are all the other options.

      • by bagofbeans ( 567926 ) on Sunday January 25, 2026 @07:44AM (#65947736)

        It's not difficult to avoid installing a fake clone program, but the automatic updating by default presents an enormous attack surface. Disable auto-updating:

        snap refresh --hold
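The comment above points at automatic refreshes as the exposure: the summary describes attackers pushing malicious "revisions" to already-approved snaps, and `snap refresh --hold` stops those from landing unattended. The script below is an added example (not snapd's or Canonical's tooling) of a small local audit that parses `snap list` output, separates snaps from verified publishers from the rest, emits per-snap hold commands for the unverified ones, and compares current revisions against a saved baseline so an unexpected revision bump stands out. It assumes the `snap list` column layout (Name, Version, Rev, Tracking, Publisher, Notes), the trailing check mark that snapd prints after verified publishers, and the `snap refresh --hold=<duration> <snap>` syntax; the sample output and the baseline are constructed placeholders rather than real installed snaps.

```python
"""Audit installed snaps from `snap list` output and build per-snap refresh holds.

Added example, not snapd's own code. Assumes the `snap list` column layout and
that verified publishers carry a trailing '✓'. The sample below is constructed.
"""

# Constructed `snap list` output with placeholder snaps (not real packages).
SNAP_LIST = """\
Name            Version    Rev   Tracking       Publisher        Notes
core22          20240111   1122  latest/stable  canonical✓       base
example-wallet  2.3.1      57    latest/stable  some-publisher   -
hexdump-viewer  0.9        12    latest/edge    hobbyist-dev     -
"""

# Constructed baseline: {name: rev} as recorded at a previous audit run.
BASELINE = {"core22": "1122", "example-wallet": "55", "hexdump-viewer": "12"}


def parse_snap_list(text):
    """Parse `snap list` into row dicts; adds a boolean 'Verified' and strips the publisher marker."""
    lines = text.strip().splitlines()
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) < len(header):
            continue  # skip malformed or wrapped lines
        row = dict(zip(header, fields))
        row["Verified"] = row["Publisher"].endswith("✓")
        # Assumption: snapd appends '✓' for verified and '*' for star publishers.
        row["Publisher"] = row["Publisher"].rstrip("✓*")
        rows.append(row)
    return rows


def unverified(rows):
    """Snaps whose publisher is not marked verified by the store."""
    return [r for r in rows if not r["Verified"]]


def hold_commands(rows, duration="forever"):
    """One `snap refresh --hold=<duration> <name>` per unverified snap (assumed snapd syntax)."""
    return [f"snap refresh --hold={duration} {r['Name']}" for r in unverified(rows)]


def revision_changes(baseline, rows):
    """(name, old_rev, new_rev) for every snap whose revision differs from the baseline."""
    return [(r["Name"], baseline[r["Name"]], r["Rev"])
            for r in rows
            if r["Name"] in baseline and baseline[r["Name"]] != r["Rev"]]


if __name__ == "__main__":
    rows = parse_snap_list(SNAP_LIST)
    for name, old, new in revision_changes(BASELINE, rows):
        print(f"revision changed: {name} {old} -> {new}")
    for cmd in hold_commands(rows):
        print(cmd)
```

On a real system the same functions can be fed the output of `snap list` instead of the constructed sample; the revision diff is the part worth keeping, because a held snap only protects you if you notice when a refresh you did not expect has been published.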

        • by markdavis ( 642305 ) on Sunday January 25, 2026 @09:40AM (#65947816)

          Or just don't use Snap at all, one of several reasons I run Mint on my machines. And even Mint is, unfortunately, relying on containerized packages for a significant portion of software from Ubuntu repos. But at least Mint provides native packages for all of the important stuff (Firefox, LibreOffice, GIMP, Audacity, VLC, Geeqie, Okular, Thunderbird, Pluma, Guvcview, Kdenlive, Wine, Meld, Claws, etc).

          It is likely either LMDE (Linux Mint Debian Edition) or just plain Debian is in my future, though.

      • by allo ( 1728082 )

        There were more docker images with Bitcoin miners than Debian packages with Bitcoin miners.

      • by tlhIngan ( 30335 )

        Snaps, Flatpaks, AppImages and such solve a particular problem - how to universally package a Linux app. As in if you want to release a piece of software for as many distributions as possible, these methods are the "universal" method to work in basically all Linux distributions.

        Docker solves a slightly different problem but it too can be used to solve the issue. Docker is a userspace "virtualization" format which lets you create a custom userspace necessary for your program. Some programs have dependencies

    • by gweihir ( 88907 )

      Indeed. But people are stupid and not capable of seeing what the "shiny new thing" actually is.

  • by sinkskinkshrieks ( 6952954 ) on Sunday January 25, 2026 @07:10AM (#65947718)

    This is a Docker, Ruby, etc. situation where developers play fast-and-loose with security until something bad happens. They'll never learn to be proactive.

    • 2/ One of the better ways out is trusted human review curation + authoritative chain-of-custody of code & binaries like .deb or better. These half-assed, half-baked, un-audited security constructions are reinventing crypto themselves, badly.
  • by Pinky's Brain ( 1158667 ) on Sunday January 25, 2026 @10:06AM (#65947848)

    Curating a store or package repository in general takes lots of effort, I don't think volunteers can hack it in today's environment. Snaps and Flatpaks are the biggest target, but this could just as easily happen for distro packages. Only Apple makes that kind of money from the store itself to pay for it.

    For Linux on the desktop to escape hobbyism you need complete ecosystems with large revenue streams. Like Google, but I think it's possible without it being quite so closed. Ideally Valve would buy Ubuntu and launch a Chromebook-like certification program for Steam phones, laptops and PCs.

  • One of the main aspects of why Linux systems were more secure than Windows was people taking responsibility. If I install a package from my distribution, the maintainer is responsible for it. If the upstream does not fix a security bug, the maintainer may disable the affected feature altogether, because he takes the responsibility for the package being safe.

    If the vendor uploads their own package to snap or flatpak, there is no person from my trusted distribution responsible, but I am trusting a vendor I

  • Corruption? In an unregulated market?? I'm shocked, shocked I tell you!
    Why is this even a story? It's less uncommon these days than "dog bites man".

  • Package management seems better. At least for my needs.
    Not so much snap this, flatpak that, docker something else.

    Nothing is perfect, but FreeBSD makes a better desktop than many people might expect.

  • In my experience traditional package-based, repo-based Linux applications have a very small chance of being infected by malware. Since Ubuntu manages the Snap Store, why can't they apply the same vetting process that has kept the traditional repos so safe for so many years?

    I totally get the hate for stand-alone applications and the love for package-based ones. But I LIKE the ability to run stand-alone executables. I don't want the majority of my system to be that way, but sometimes there's a program - or a
