
Snap store from Canonical hit with malicious apps


Canonical are currently dealing with a security incident involving the Snap Store: after users noticed that multiple fake apps had been uploaded, temporary limits have been put in place on new snap registrations.

A post on the Snapcraft Discourse forum noted that three "Fake Crypto Apps" had appeared on the store, with the user reporting that they "steal funds from user accounts". Canonical reacted pretty quickly and removed them; the packages were replaced with empty ones, so that anyone who had them installed gets the update and the malicious content is removed.

In a statement, Canonical's Igor Ljubuncic said:

On September 28, 2023, the Snap Store team was notified of a potential security incident. A number of snap users reported several recently published and potentially malicious snaps.

As a consequence of these reports, the Snap Store team has immediately taken down these snaps, and they can no longer be searched or installed.

Furthermore, the Snap Store team has placed a temporary manual review requirement on all new snap registrations, effective immediately.

If you try to register a new snap while the requirement is active, you will be prompted to “request reserved name”. Upon a successful manual review from the Snap Store staff, the name will be registered. Uploading and releasing revisions for existing snaps will not be affected.

We apologize for any inconvenience this may cause our snap publishers and developers. However, we believe it is the most prudent action at this moment.

We want to thoroughly investigate this incident without introducing any noise into the system, and more importantly, we want to make sure our users have a safe and trusted experience with the Snap Store.

Please bear with us while we conduct our investigation. We will provide a more detailed update in the coming days.

Article taken from GamingOnLinux.com.
Tags: Security, Misc, Ubuntu
About the author -
I am the owner of GamingOnLinux. After discovering Linux back in the days of Mandrake in 2003, I constantly came back to check on the progress of Linux until Ubuntu appeared on the scene and it helped me to really love it. You can reach me easily by emailing GamingOnLinux directly.
The comments on this article are closed.
44 comments

sprocket Oct 2, 2023
This actually isn't the first time malicious apps have landed on the Snap store, and it won't be the last.

https://www.omgubuntu.co.uk/2018/05/ubuntu-snap-malware

As others have said, it's only a matter of time before Flatpak experiences the same thing.
Fester_Mudd Oct 2, 2023
Quoting: pleasereadthemanual
Wait, did Canonical not review Snap packages at all before this?

Of course they review packages within their resources. Are you seriously assuming that they wouldn't at all? Or are you just a drama seeker against Canonical and Ubuntu? :)
RFSharpe Oct 2, 2023
When I think of Snap, I immediately think of the American military acronym SNAFU.
Quoting: dziadulewicz
Quoting: Canonical
Furthermore, the Snap Store team has placed a temporary manual review requirement on all new snap registrations, effective immediately.
So, what you were suggesting wasn't said anywhere...
Canonical is now placing a manual review requirement on all Snaps. Logically, we can conclude that they did not manually review snaps before.

Quoting: Fester_Mudd
Of course they review packages within their resources. Are you seriously assuming that they wouldn't at all? Or are you just a drama seeker against Canonical and Ubuntu? :)
To me, the above quote suggests that Canonical has never reviewed Snap packages until now.

I'm happy to be corrected.
slaapliedje Oct 2, 2023
Quoting: devland
Uncurated packages? Like ARCH's AUR that everybody warns you against using?

Oh, it has the Canonical logo slapped on it. That's much better. /s
The huge difference between AUR and snap? You can see exactly what the AUR PKGBUILDs are doing...

They're generally built to fetch from the upstream repo that you can verify, the hash is checked against the tarball release, and you can see in the PKGBUILD if anything is being injected into it after the fact...
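The pinned-digest check the comment above describes is the core of what a PKGBUILD's sha256sums array does: the maintainer records the digest of the known-good release, and the build aborts if the downloaded archive does not match. The following is an added example written for this page, not code from the article, from any commenter, or from the AUR tooling; it spells the check out as a plain POSIX shell function and exercises it on a constructed placeholder file (the "archive" is just a text file, and the pinned digest is the SHA-256 of the string "hello\n"), so it runs offline.

```shell
#!/bin/sh
# Added example: verify a downloaded release archive against a digest pinned
# by the maintainer, the way an AUR PKGBUILD's sha256sums=() entry is checked.
# Not project code; the sample file and digest below are constructed.

set -u

# Return 0 when the file's SHA-256 equals the pinned digest, 1 otherwise.
# The digest is compared as a whole hex string, so a single flipped byte in
# the download (or a swapped archive) produces a mismatch.
verify_tarball() {
    file="$1"
    pinned="$2"
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$pinned" ]; then
        echo "OK: $file matches pinned digest"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  pinned $pinned" >&2
    echo "  actual $actual" >&2
    return 1
}

# Constructed stand-in for a downloaded release archive.  Its contents are
# the string "hello\n", whose SHA-256 is the well-known value pinned below.
PINNED_DIGEST=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03

workdir=$(mktemp -d)
sample="$workdir/example-1.0.tar.gz"
printf 'hello\n' > "$sample"

# Untampered download: the check passes and a build would proceed.
verify_tarball "$sample" "$PINNED_DIGEST"

# Simulate a download that was modified in transit or replaced upstream:
# the check fails, which is the point at which a PKGBUILD stops building.
printf 'tampered\n' >> "$sample"
verify_tarball "$sample" "$PINNED_DIGEST" || echo "build would be aborted here"

rm -rf "$workdir"
```

The digest only protects you if it comes from somewhere other than the download itself (the PKGBUILD in the AUR, a signed release note, or a maintainer you already trust); a digest fetched from the same server as the archive can be swapped together with it.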
slaapliedje Oct 2, 2023
Quoting: BlackBloodRum
It was inevitable. Flatpak will suffer the same too at some point.

They have their conveniences, but they will always come with this risk.
This is the second time it's happened. Flatpak actually labels stuff as unsafe if you're using the UI. I always check to see if it's made by the upstream project or not. For example, Discord flatpak is not from Discord, you should download the .deb/tar.gz from their website.
poiuz Oct 2, 2023
Quoting: Canonical
Furthermore, the Snap Store team has placed a temporary manual review requirement on all new snap registrations, effective immediately.
Different emphasis.

Quoting: pleasereadthemanual
I'm happy to be corrected.
There's a review forum.

Quoting: slaapliedje
This is the second time it's happened. Flatpak actually labels stuff as unsafe if you're using the UI. I always check to see if it's made by the upstream project or not. For example, Discord flatpak is not from Discord, you should download the .deb/tar.gz from their website.
Labeling doesn't help in such a case. You can steal a wallet's content with almost no system access (network & display are obviously required).

The labels are just a general indicator about the sandbox. Most proprietary applications are unsafe since they don't support Wayland.

But apps like Discord are maintained by known Flathub contributors & should be safe. You can check the build manifests online.
BlackBloodRum Oct 2, 2023
Quoting: slaapliedje
Quoting: BlackBloodRum
It was inevitable. Flatpak will suffer the same too at some point.

They have their conveniences, but they will always come with this risk.
This is the second time it's happened. Flatpak actually labels stuff as unsafe if you're using the UI. I always check to see if it's made by the upstream project or not. For example, Discord flatpak is not from Discord, you should download the .deb/tar.gz from their website.
That's a recent addition.

The problem is, many people may simply ignore such warnings and use it anyway. But just like anything when it comes to technology, use common sense and caution and you should be fine.
Mountain Man Oct 2, 2023
The scammers knew their target. Anybody looking for crypto apps is an easy mark.
Fester_Mudd Oct 2, 2023
Quoting: Fester_Mudd
Of course they review packages within their resources. Are you seriously assuming that they wouldn't at all? Or are you just a drama seeker against Canonical and Ubuntu? :)
To me, the above quote suggests that Canonical has never reviewed Snap packages until now.

I'm happy to be corrected.
Honestly. Your handle is "pleasereadthemanual", but here you are just assuming without even bothering to google (you would have found the answer right away). As they take more special measures to tackle this, to you it automatically suggests that before they did not review at all. Sure, and upvotes from Ubuntu haters on these grounds; I mean, it's so obvious.

Linux users should stick together more. Many users could even learn to google before making such assumptions based on, well, nothing...