Snap store from Canonical hit with malicious apps

Canonical are currently dealing with a security incident on the Snap store: users noticed that multiple fake apps had been uploaded, so temporary limits have been put in place.

A post on the Snapcraft Discourse forum noted that three "Fake Crypto Apps" had appeared on the store, with the user mentioning they "steal funds from user accounts". Canonical reacted pretty quickly by removing them; the packages get replaced with empty ones, so that anyone who had them installed receives an update that removes them.

In a statement, Canonical's Igor Ljubuncic said:

On September 28, 2023, the Snap Store team was notified of a potential security incident. A number of snap users reported several recently published and potentially malicious snaps.

As a consequence of these reports, the Snap Store team has immediately taken down these snaps, and they can no longer be searched or installed.

Furthermore, the Snap Store team has placed a temporary manual review requirement on all new snap registrations, effectively immediately.

If you try to register a new snap while the requirement is active, you will be prompted to “request reserved name”. Upon a successful manual review from the Snap Store staff, the name will be registered. Uploading and releasing revisions for existing snaps will not be affected.

We apologize for any inconvenience this may cause our snap publishers and developers. However, we believe it is the most prudent action at this moment.

We want to thoroughly investigate this incident without introducing any noise into the system, and more importantly, we want to make sure our users have a safe and trusted experience with the Snap Store.

Please bear with us while we conduct our investigation. We will provide a more detailed update in the coming days.

Article taken from GamingOnLinux.com.
Tags: Security, Misc, Ubuntu
About the author -
I am the owner of GamingOnLinux. After discovering Linux back in the days of Mandrake in 2003, I constantly came back to check on the progress of Linux until Ubuntu appeared on the scene and it helped me to really love it. You can reach me easily by emailing GamingOnLinux directly. Find me on Mastodon.
44 comments
dziadulewicz Oct 2, 2023
Just like any other store out there. Google Play, Apple App Store etc. Nothing new and surprising here. You maintain a store, this is inevitable as all cannot be curated 100% ...
Wait, did Canonical not review Snap packages at all before this?
dziadulewicz Oct 2, 2023
Quoting: pleasereadthemanual
Wait, did Canonical not review Snap packages at all before this?

Where did it say that?
ZeroPointEnergy Oct 2, 2023
It's almost like the maintainers who curate a distribution repository have an important role preventing such a thing...

Repositories where anyone can release packages to the end-users may be convenient for developers who want more control over what the user gets, but it has a host of negative consequences for the user. It always ends in malware and anti-features getting distributed eventually.
officernice Oct 2, 2023
The only kind of Snap I'd endorse: https://www.youtube.com/watch?v=nm6DO_7px1I
devland Oct 2, 2023
Uncurated packages? Like ARCH's AUR that everybody warns you against using?

Oh, it has the canonical logo slapped on it. That's much better. /$
Quoting: dziadulewicz
Quoting: pleasereadthemanual
Wait, did Canonical not review Snap packages at all before this?

Where did it say that?
Quoting: Canonical
Furthermore, the Snap Store team has placed a temporary manual review requirement on all new snap registrations, effectively immediately.
Pikolo Oct 2, 2023
They probably should have two tiers:
1. curated
2. uncurated

A few ideas to flesh out the concept
- only curated snaps can be in classic mode,
- only curated snaps have been reviewed at least once.
- There could be a setting for "view uncurated snaps", which is off by default
- Canonical commit to review the top 5 non-curated apps by install base every month, promoting them to curated if they pass or removing them completely and publishing a security advisory otherwise.
- Apps in the curated store should be re-reviewed randomly and on user reports, to catch apps going to the dark side.

This is because if I'm installing a potentially shady app, it's better if it's sandboxed.
BlackBloodRum Oct 2, 2023
It was inevitable. Flatpak will suffer the same too at some point.

They have their conveniences, but they will always come with this risk.
dziadulewicz Oct 2, 2023
Quoting: pleasereadthemanual
Quoting: dziadulewicz
Quoting: pleasereadthemanual
Wait, did Canonical not review Snap packages at all before this?

Where did it say that?
Quoting: Canonical
Furthermore, the Snap Store team has placed a temporary manual review requirement on all new snap registrations, effectively immediately.

So, what you were suggesting wasn't said anywhere ..