Canonical's Snap Store Restricts Uploads Following Possible Security Issue (snapcraft.io)
Yesterday the "temporary suspension" of automatic Snap registrations was announced on Canonical's Snapcraft forum by developer advocate Igor Ljubuncic, after what was described as a "security incident".
On September 28, 2023, the Snap Store team was notified of a potential security incident. A number of snap users reported several recently published and potentially malicious snaps. As a consequence of these reports, the Snap Store team has immediately taken down these snaps, and they can no longer be searched or installed. Furthermore, the Snap Store team has placed a temporary manual review requirement on all new snap registrations, effective immediately...
We apologize for any inconvenience this may cause our snap publishers and developers. However, we believe it is the most prudent action at this moment. We want to thoroughly investigate this incident without introducing any noise into the system, and more importantly, we want to make sure our users have a safe and trusted experience with the Snap Store. Please bear with us while we conduct our investigation. We will provide a more detailed update in the coming days.
Some background from the Linux blog OMG Ubuntu: This isn't the first time the Snap Store has had issues with icky uploads. In 2018 an innocuous-sounding app hid crypto-mining capabilities unbeknownst to users. Not disclosing this in its description rendered it malware (Canonical later clarified to say crypto-miners are allowed so long as they're disclosed).
In this instance it appears that folks have uploaded apps purporting to be official apps/tools for the crypto hardware wallet Ledger, and these apps were able to get folks' backup codes (which people enter thinking it's legit) and ...the bad actors can use that to extract funds.
Re: (Score:2)
While I was still running Ubuntu the first thing I did was remove snap and install Firefox from the PPA. I am completely opposed to the whole idea. But with that said, snaps contain all of the files needed for the program, it's not like the only thing they contain is executables. Static linking doesn't do what snap does.
The problem with malicious snaps is that they are presented by Canonical through an app store. You could have malicious PPAs, but since they are regarded as places to go to get experimental
Re: (Score:2)
I have tried Snap installs several times on Mint and they have never resulted in a usable program. A key problem seems to be referencing configuration settings that are immutable. I can't use a program I can't configure. Another one that seems to plague all snap installs that I have tried recently is not accessing the real file system but a "sandbox" instead, always defaulting (again) to storing or trying to open things in the sandbox. Some programs simply could not be run because some essential configurati
Re: (Score:2)
Because idiots can't figure out static linking.
Nah, you just set LD_LIBRARY_PATH correctly for your application.
Because snaps are so great right? (Score:5, Interesting)
Learning the same lessons over and over (Score:2)
If you're not compiling from source yourself, the binary has to come from someone you trust,
Re: (Score:3)
Re: (Score:1)
Allow me to second that. I cannot trust the snap packagers, so I cannot trust the snaps. I've been migrating my systems to Debian and will now redouble my efforts because of this lapse. Hopefully Canonical will see the error of its ways and remove snaps, but I'm not waiting around for that. Thankfully, Linux gives me options.
I mean you could have just uninstalled the snaps and use ubuntu without it...
Re: (Score:2)
I mean you could have just uninstalled the snaps and use ubuntu without it...
Like I said, Linux gives me options. Since Canonical has broken my trust with snaps, simply removing snaps on my own does nothing to restore that trust. I'm exercising my options, my choices if you will, by leaving Ubuntu behind. Once upon a time, I loved the animal themes and the naked people, but those days are long gone.
Re: (Score:2)
I mean you could have just uninstalled the snaps and use ubuntu without it...
Which is basically Linux Mint.
Re: (Score:2)
>>" you could have just uninstalled the snaps and use ubuntu without it"
>"Which is basically Linux Mint."
Well, not exactly. Mint still has even more going for it than just not forcing snaps. It has native Firefox and other packages that don't force ANY container. Better support for Cinnamon (they made it, after all). Better software manager. Better themes with easier installation. Better selection of default package installation. More long-term support of some desktops. No corporation behind
Re: (Score:1)
If you're not compiling from source yourself, the binary has to come from someone you trust,
Even if you compiled it yourself, you would have to make sure that the source code hasn't been compromised, as well as the compiler and the rest of the build chain, etc. Doable? Yes. Is anyone really doing that? No.
Re: (Score:2)
If you're not compiling from source yourself, the binary has to come from someone you trust,
Compiling from source is not a panacea. If you don't audit and understand the source, including all dependencies, you are trusting someone else's word that it is clean. It's turtles all the way down, man.
Re: (Score:1)
Re: (Score:2)
If you're not compiling from source yourself, the binary has to come from someone you trust,
Agree
The day the scammy scourge of crypto goes away (Score:2)
Is a day I will celebrate. This has been nothing but an albatross around the necks of the whole industry since introduction.
Re: (Score:2)
The software is supplied as a snap and only Ubuntu can run it.
Re: Linux has no AV software... (Score:2)
Well, there is AV software, but it's not popular.
Further, AV isn't magic and for this scenario (novel app that is phishing), AV won't catch it. AV can deal with malware well known to some central authority. Here, it spread unknown to any central authority and once known, the snap store pulled it.
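The comment above makes the point that signature-based AV cannot flag a freshly published phishing app. The control that does exist in the snap ecosystem is publisher identity: `snap info <name>` prints a `publisher:` line, and the store marks verified publisher accounts with a trailing check mark. The script below, an added example that is not Canonical's code or anything from this thread, parses that output and warns before installation when the publisher is not verified. The exact `snap info` text layout and the check-mark convention are assumptions about snapd's output; the two sample outputs are constructed, not captured from the store.

```python
"""Warn about snaps whose publisher account is not verified, from `snap info` output.

Added example, not Canonical's code. Assumptions: `snap info <name>` prints a
`publisher:` line, and a verified publisher is marked with a trailing check
mark (U+2713). The sample outputs below are constructed for this example.
"""
import subprocess
import sys
from typing import NamedTuple

VERIFIED_MARK = "\u2713"  # assumption: the check mark snapd appends to verified publishers


class PublisherInfo(NamedTuple):
    name: str
    verified: bool


def parse_publisher(snap_info_text: str) -> PublisherInfo:
    """Extract the publisher name and verified flag from `snap info` output."""
    for line in snap_info_text.splitlines():
        if line.startswith("publisher:"):
            value = line.split(":", 1)[1].strip()
            verified = value.endswith(VERIFIED_MARK)
            return PublisherInfo(value.rstrip(VERIFIED_MARK).strip(), verified)
    raise ValueError("no publisher line in snap info output")


def assess(snap_name: str, snap_info_text: str) -> str:
    """Return a one-line verdict to show the user before `snap install`."""
    pub = parse_publisher(snap_info_text)
    if pub.verified:
        return f"{snap_name}: publisher '{pub.name}' is a verified account"
    return (f"{snap_name}: WARNING: publisher '{pub.name}' is NOT a verified account; "
            "confirm the project's official download channel before installing")


def snap_info(snap_name: str) -> str:
    """Run `snap info` (requires snapd on the host) and return its stdout."""
    return subprocess.run(["snap", "info", snap_name],
                          capture_output=True, text=True, check=True).stdout


# Constructed sample outputs (not captured from the Snap Store).
SAMPLE_VERIFIED = """name:      firefox
summary:   Mozilla Firefox web browser
publisher: Mozilla\u2713
store-url: https://snapcraft.io/firefox
"""

SAMPLE_UNVERIFIED = """name:      example-wallet-companion
summary:   Example wallet companion app (constructed sample)
publisher: some-uploader
store-url: https://snapcraft.io/example-wallet-companion
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live mode: query snapd for each snap name given on the command line.
        for name in sys.argv[1:]:
            print(assess(name, snap_info(name)))
    else:
        # Offline demo on the constructed samples.
        print(assess("firefox", SAMPLE_VERIFIED))
        print(assess("example-wallet-companion", SAMPLE_UNVERIFIED))
```

A verified mark only says the account belongs to the organisation it claims to be; it is not a statement that the snap's contents were audited. The check is still the right first question for an app that claims to be the official companion for a hardware wallet, because an impersonator cannot carry the mark of the organisation it imitates.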
Re: (Score:2)
As someone new to Linux, one of the things I see is that Linux doesn't have AV software. If it had something like MS's antimalware, stuff like this would be easily caught.
AV is just a part of it. Linux doesn't have any usable way to protect users' data from a malicious app. So what if an app cannot load a dodgy driver if it can erase/encrypt my photos directory or read my .folders with browser history etc.? Neither snaps nor flatpaks (not to mention the traditional packages) offer a good sandboxing experience.
Linux distros gave up on proper security (Score:3)
Hygienic Issues Found in Canonical (Score:2)
Because snap is full of shit.
Good thing Mint Linux doesn't use Snaps (Score:2)
Re: (Score:2)
The Cinnamon flavor is my favorite: https://linuxmint.com/
This is what I run as well. You can install apps as Snaps, but my experiments with doing so to get usable software were uniformly failures. No more.
Re: (Score:2)
Mint is a great desktop distro. It doesn't seem very adaptable to headless workstation / server use, unfortunately, at least without a massive amount of fiddling.
As a former Ubuntu advocate (in the v8-10 days) (Score:2)
I'm so glad I pivoted to Debian years ago. I love Canonical, don't get me wrong...for helping Debian get better hardware support in the early days. But the mentality has always seemed to be to lock people into Ubuntu specifically. And I get it, they're trying to make money. It just sucks that doing that seems to always end badly for the community at large.
Snap is garbage (Score:2)
trash