Canonical are currently dealing with a security incident with the Snap store, after users noticed multiple fake apps were uploaded so temporary limits have been put in place.
A post on the Snapcraft Discourse forum noted three "Fake Crypto Apps" had appeared on the store, with the user mentioning they "steal funds from user accounts". Canonical reacted pretty quickly removing them, and the packages get replaced with empty ones so that they get updated and removed for anyone who had them installed
Writing a statement Canonical's Igor Ljubuncic said:
Article taken from GamingOnLinux.com.On September 28, 2023, the Snap Store team was notified of a potential security incident. A number of snap users reported several recently published and potentially malicious snaps.
As a consequence of these reports, the Snap Store team has immediately taken down these snaps, and they can no longer be searched or installed.
Furthermore, the Snap Store team has placed a temporary manual review requirement on all new snap registrations, effectively immediately.
If you try to register a new snap while the requirement is active, you will be prompted to “request reserved name”. Upon a successful manual review from the Snap Store staff, the name will be registered. Uploading and releasing revisions for existing snaps will not be affected.
We apologize for any inconvenience this may cause our snap publishers and developers. However, we believe it is the most prudent action at this moment.
We want to thoroughly investigate this incident without introducing any noise into the system, and more importantly, we want to make sure our users have a safe and trusted experience with the Snap Store.
Please bear with us while we conduct our investigation. We will provide a more detailed update in the coming days.
Some you may have missed, popular articles from the last month:
Quoting: Fester_MuddYou know, in the space it took to be bitchy, you could have told us all what this google search would reveal to us.Quoting: Fester_MuddOf course they review packages within their resources. Are you serious assuming that they wouldn't at all? Or just a drama seeker towards Canonical and Ubuntu's :)Quoting: pleasereadthemanualTo me, the above quote suggests that Canonical has never reviewed Snap packages until now.
I'm happy to be corrected.
Honestly. Your handle is "pleasereadthemanual" but here you are just assuming without even bothering to google (you would have found the answer right away). As they take more special measures to tackle this, to you it automatically suggests that before they did not review at all. Sureand upvotes from Ubuntu haters on these grounds
i mean it's so obvious.
Linux users should keep together more. Many users could learn to google even, before such assumptions based on well nothing.....
Last edited by Purple Library Guy on 2 October 2023 at 11:58 pm UTC
3 Likes, Who?
pleasereadthemanual Oct 3, 2023
Quoting: Fester_MuddHonestly. Your handle is "pleasereadthemanual" but here you are just assuming without even bothering to google (you would have found the answer right away).
It's a joke. I'm an Arch user. I have never actually said that to anyone, and you are the first person to take offense to it in my 2 years of using this site.
Quoting: Fester MuddAs they take more special measures to tackle this, to you it automatically suggests that before they did not review at all. SureIt's generous of you to assume I'm lying to create drama.
What exactly makes this manual review special compared to whatever Canonical was doing before? I've read it several times, yet I do not understand what difference you are suggesting there is.
Quoting: Fester MuddLinux users should keep together more. Many users could learn to google even, before such assumptions based on well nothing.....You mean, my assumption based on reading a 198-word announcement from Canonical themselves? I didn't assume anything. I asked an open question to anyone who did know whether my understanding of the announcement was true.
I read GamingOnLinux because I don't have endless free time to research topics in-depth (particularly those that are only peripherally related to me), and occasionally I rely on other users to teach me things. I've learned a lot from members in this community and had some productive and interesting discussions.
I spent several minutes using a search engine to look this up. The best I could find was this: https://forum.snapcraft.io/t/process-for-reviewing-classic-confinement-snaps/1460
There is this page, too, which vaguely suggests that Snapcraft will run automated reviews for some packages and manual reviews for other packages: https://ubuntu.com/core/services/guide/snap-publishing
Quoting: CanonicalUploaded snaps undergo automated and manual review processes, depending on the security profile of the snap. Snaps are checked by Canonical’s snap reviewer team to ensure that they are safe to use.Putting the two together, some sort of automated testing was run for all Snap packages that did not use the "classic" profile.
Quoting: poiuzDifferent emphasis.Could you explain what you are trying to imply by emphasizing this section? "on all new" suggests they weren't doing it before, either. Perhaps you meant to emphasize all, to imply they were manually reviewing some packages?
Quoting: poiuzThere's a review forum.I assume you're referring to this: https://forum.snapcraft.io/c/store-requests/19
Looking through some old manual review requests, it seems they occur when the Snap package asks for more permissions than expected: https://forum.snapcraft.io/t/manual-review-for-udisks2/36633
There were about 15 manual review requests this year. This one is interesting: https://forum.snapcraft.io/t/request-for-manual-review-of-the-last-brave-releases/35498
Just because it is manually reviewed the first time does not mean that all subsequent releases are automatically approved.
Here's another request for review where the requester expresses discontent about the time it takes to review their packages: https://forum.snapcraft.io/t/manual-review-request-for-several-kde-apps-long-delays/34628
So, going back to the original article, Snapcraft felt the right move was to institute manual review for all Snaps. This suggests the 3 malicious Snaps were automatically approved without manual review. From this, we can conclude that the Snaps did not ask for too many permissions, and yet they were still able to act maliciously. Determining which Snaps to review manually based on permissions, then, is not viable; regardless of what permissions the Snap has, it can potentially cause harm.
Snapcraft also did not take this decision lightly, as they could not cope well with the amount of manual reviews already. This still seems to me like the right decision based on my understanding so far.
1 Likes, Who?
BlackBloodRum Oct 3, 2023
Quoting: pleasereadthemanualYou know, now that you mention it, I take offence too! It's offensive to people who read it, and then get offended because they can't read!Quoting: Fester_MuddHonestly. Your handle is "pleasereadthemanual" but here you are just assuming without even bothering to google (you would have found the answer right away).
It's a joke. I'm an Arch user. I have never actually said that to anyone, and you are the first person to take offense to it in my 2 years of using this site.
I suppose it could be worse, as RTFM
(This post is a joke, don't take it seriously, just trying to lighten the mood a bit.)
1 Likes, Who?
Quoting: slaapliedjeThe huge difference between AUR and snap? You can see exactly what the AUR PKGBUILDs are doing...
They're generally built to snag from the upstream repo that you can verify, it verifies the hash against the tarball release, and you can see in the PKGBUILD if anything is being injected into it after that fact...
Yeah, the issue is the combination of AUR-Helpers (or even integrating AUR into the graphical package manager...looking at you, manjaro...) and Arch-based distros targeting 'beginners'.
I don't want to sound elitist, but the concept of the AUR is fine in the context of Arch and its intended userbase. At least it's more likely that 'real' Arch users actually read and understand the PKGBUILD before installing/updating.
But of course now with more and more people just blindly installing AUR-Packages it's becoming more attractive to malware-scum and it's only a matter of time that we'll get some more malicious packages there i fear...
0 Likes
BlackBloodRum Oct 3, 2023
Quoting: TermyI don't want to sound elitist, but the concept of the AUR is fine in the context of Arch and its intended userbase. At least it's more likely that 'real' Arch users actually read and understand the PKGBUILD before installing/updating.Anybody using Arch, whether they are technically skilled or not, is a "real" Arch user.
I know many Arch users who use Arch itself, who would not even look at the PKGBUILD before using it.
0 Likes
Fester_Mudd Oct 3, 2023
Quoting: pleasereadthemanualQuoting: Fester_MuddHonestly. Your handle is "pleasereadthemanual" but here you are just assuming without even bothering to google (you would have found the answer right away).
It's a joke. I'm an Arch user. I have never actually said that to anyone, and you are the first person to take offense to it in my 2 years of using this site.
Quoting: Fester MuddAs they take more special measures to tackle this, to you it automatically suggests that before they did not review at all. SureIt's generous of you to assume I'm lying to create drama.
What exactly makes this manual review special compared to whatever Canonical was doing before? I've read it several times, yet I do not understand what difference you are suggesting there is.
Quoting: Fester MuddLinux users should keep together more. Many users could learn to google even, before such assumptions based on well nothing.....You mean, my assumption based on reading a 198-word announcement from Canonical themselves? I didn't assume anything. I asked an open question to anyone who did know whether my understanding of the announcement was true.
I read GamingOnLinux because I don't have endless free time to research topics in-depth (particularly those that are only peripherally related to me), and occasionally I rely on other users to teach me things. I've learned a lot from members in this community and had some productive and interesting discussions.
I spent several minutes using a search engine to look this up. The best I could find was this: https://forum.snapcraft.io/t/process-for-reviewing-classic-confinement-snaps/1460
There is this page, too, which vaguely suggests that Snapcraft will run automated reviews for some packages and manual reviews for other packages: https://ubuntu.com/core/services/guide/snap-publishing
Quoting: CanonicalUploaded snaps undergo automated and manual review processes, depending on the security profile of the snap. Snaps are checked by Canonical’s snap reviewer team to ensure that they are safe to use.Putting the two together, some sort of automated testing was run for all Snap packages that did not use the "classic" profile.
Quoting: poiuzDifferent emphasis.Could you explain what you are trying to imply by emphasizing this section? "on all new" suggests they weren't doing it before, either. Perhaps you meant to emphasize all, to imply they were manually reviewing some packages?
Quoting: poiuzThere's a review forum.I assume you're referring to this: https://forum.snapcraft.io/c/store-requests/19
Looking through some old manual review requests, it seems they occur when the Snap package asks for more permissions than expected: https://forum.snapcraft.io/t/manual-review-for-udisks2/36633
There were about 15 manual review requests this year. This one is interesting: https://forum.snapcraft.io/t/request-for-manual-review-of-the-last-brave-releases/35498
Just because it is manually reviewed the first time does not mean that all subsequent releases are automatically approved.
Here's another request for review where the requester expresses discontent about the time it takes to review their packages: https://forum.snapcraft.io/t/manual-review-request-for-several-kde-apps-long-delays/34628
So, going back to the original article, Snapcraft felt the right move was to institute manual review for all Snaps. This suggests the 3 malicious Snaps were automatically approved without manual review. From this, we can conclude that the Snaps did not ask for too many permissions, and yet they were still able to act maliciously. Determining which Snaps to review manually based on permissions, then, is not viable; regardless of what permissions the Snap has, it can potentially cause harm.
Snapcraft also did not take this decision lightly, as they could not cope well with the amount of manual reviews already. This still seems to me like the right decision based on my understanding so far.
Now, again you assume much. Why do you keep doing this. You now assume i took offence of your name. No, no, no. I pointed out that you assumed that Canonical does not review at all as they're now taking extra special measures by manually reviewing and your name suggests you're an avid researcher, you know? How can you suggest i accused you of LYING also, when you just asked about it. Please don't dramatize
you know full well i did not make you appear like a liar.They have always reviewed in their limited ability. How could Canonical possibly just think "let all in without any reviews, yeah!". Just no. Maybe google is avoiding you but also Alan Pope talked about the curation of Snap Store.
0 Likes
Quoting: BlackBloodRumAnybody using Arch, whether they are technically skilled or not, is a "real" Arch user.
That's why i put that in quotes. ;)
Like i said, i don't want to be elitist and i'm totally rooting for distros like Manjaro, EndeavourOS and the like - just not in case of the AUR.
Quoting: BlackBloodRumI know many Arch users who use Arch itself, who would not even look at the PKGBUILD before using it.
I know - that doesn't mean that that is a good thing or advisable.
1 Likes, Who?
BlackBloodRum Oct 3, 2023
Quoting: TermyIndeed, AUR is very much a "use at your own risk" kind of deal.Quoting: BlackBloodRumAnybody using Arch, whether they are technically skilled or not, is a "real" Arch user.
That's why i put that in quotes. ;)
Like i said, i don't want to be elitist and i'm totally rooting for distros like Manjaro, EndeavourOS and the like - just not in case of the AUR.
Quoting: BlackBloodRumI know many Arch users who use Arch itself, who would not even look at the PKGBUILD before using it.
I know - that doesn't mean that that is a good thing or advisable.
But then that's where general computing common sense comes in: How well do you trust the source.
The problem with AUR is, for a new user at least; is it provides a false sense of security. Unlike the regular distribution packages there is a much lower level of validation, so it is possible for AUR to have dangerous packages. Even experienced users may only check a few PKGBUILDs, found they're safe, continue to use it however neglecting to check further.
New users may ask where do I get XYZ? If it's not in the main repos, or available as a Flatpak. If it's in AUR then they'll be instructed to go get it from there. That may be the first time that user has even heard of AUR, so they'll assume it's safe, I mean people wouldn't recommend something dangerous, right?
I should be clear, I'm in agreement with you here. That is, the user should learn to check things. But then that's easier said than done when we're talking about people who may only be using Linux for the first time. The warnings just need to be amplified a bit when it comes to third-party minimally checked stuff (whether that's a flatpak, snap, aur, whatever).
(As for elitism, which distro is best etc.. let's not go there... that topic has been had far too many times, and beaten to death.)
1 Likes, Who?
pleasereadthemanual Oct 3, 2023
Quoting: Fester MuddNo, no, no. I pointed out that you assumed that Canonical does not review at all as they're now taking extra special measures by manually reviewing [...] How can you suggest i accused you of LYING also, when you just asked about it. Please don't dramatize
I didn't assume that. If I assumed that, I might have said:
Quoting: pleasereadthemanualWell, that's about what you'd expect when you don't review packages.I phrased it as a question. I was asking for confirmation. It was not rhetorical. I made it clear this was not rhetorical in my follow-up comment.
You seem to have taken that as me intentionally pretending not to know (lying, or gaslighting, if you prefer; there was clearly an element of deception you were implying) that Snapcraft obviously reviews packages in an attempt to instigate drama. I mean, how could I be honestly suggesting that the phrase temporary manual review might mean that manual review is something that isn't done normally?
I would appreciate if you had done me the courtesy of assuming good faith.
Quoting: Fester Muddand your name suggests you're an avid researcher, you know?I'll give you that one. Though, since we've both dramatically misinterpreted each other's comments now, I'll go ahead and call us even
Although, in the Arch forums, users might respond with a link that answers the question and nothing else
Maybe I should have gone with pleasegivemethemanual.
Anyway, sorry; I shouldn't have reacted emotionally.
Quoting: Fester MuddMaybe google is avoiding you but also Alan Pope talked about the curation of Snap Store.I can't seem to find this article on his blog.
0 Likes
Quoting: BlackBloodRumBut then that's easier said than done when we're talking about people who may only be using Linux for the first time.And that is exactly why i don't think its a good idea for beginner-friendly arch-derivatives to make AUR easily accessible.
Quoting: BlackBloodRumThe warnings just need to be amplified a bit when it comes to third-party minimally checked stuff (whether that's a flatpak, snap, aur, whatever).Indeed - although that problem is pretty much the same as with the 'normal' windows madness of downloading and running random .exe files that most people have internalized so well...^^
1 Likes, Who?
Patreon
PayPal
See more from me