The Snap Store, where containerized Snap apps are distributed for Ubuntu’s Linux distribution, has been attacked for months by fake crypto wallet uploads that seek to steal users’ currencies. As a result, engineers at Ubuntu’s parent firm are now manually reviewing apps uploaded to the store before they are available.
The move follows weeks of reporting by Alan Pope, a former Canonical/Ubuntu staffer on the Snapcraft team, who is still very active in the ecosystem. In February, Pope blogged about how one bitcoin investor lost nine bitcoins (about $490,000 at the time) by using an “Exodus Wallet” app from the Snap store. Exodus is a known cryptocurrency wallet, but this wallet was not from that entity. As detailed by one user wondering what happened on the Snapcraft forums, the wallet immediately transferred his entire balance to an unknown address after a 12-word recovery phrase was entered (which Exodus tells you on support pages never to do).
↫ Kevin Purdy at Ars Technica
Cryptocurrency, or as I like to call it, MLMs for men, are a scammer’s goldmine. It’s a scam used to scam people. Add in a poorly maintained application store like Ubuntu’s Snap Store, and it’s a dangerous mix of incompetence and scammers. I honestly thought Canonical already nominally checked the Snap Store – as one of its redeeming features, perhaps its only redeeming feature – but it turns out anyone could just upload whatever they wanted and have it appear in the store application on every Ubuntu installation. Excellent.
I’ll just stay out of the fray and simply refuse snaps. Void is the way to go for me personally. Having runit as a default and a great and working build chain is hard to say about any Debian derivative that is not Debian itself.
Yeah I won’t touch Snap with another person’s computer, let alone mine. The entire idea of a closed source, unauditable, corporate controlled app store for a Linux distro is distasteful and disgusting. It reeks of “just trust me bro” mentality that has no place in the open source community. I’m not surprised in the least that cryptobro scammers were able to use it as a vector.
Void is my distro of choice as well, even though I’m not a developer. It just does what I want and nothing more, it’s easy to understand and maintain, and it runs on everything I need it to: AMD64 workstation and server, Raspberry Pi, and containers.
Don’t use Void on anything at the moment, but I see Void, I upvote.
Thom Holwerda,
That settles it then, osnews distro will be based on void linux 🙂
It would certainly be my choice, along with a BeOS inspired theme and a QNX inspired alternate theme just to really zero in on the core audience here.
What? They were just letting random people upload anything at all to the store, without even the big disclaimer that the Mozilla extension store has on unvetted extensions?
Welp, yet another reason if one were needed to instantly uninstall snapd on any Ubuntu install.
It’s rather obvious that such stores can be targeted by threat actors and that they can succeed; for example, I just read about how the backdoored xz package made it into Debian. Now what I would like to see in the future is for Snap packages, or similar, to become part of a project such as Debian. That is, for FOSS to have a maintainer one can trust and for packages created to be available across Linux distributions, compared to now, where each distribution needs a maintainer for creating the package from the same source. Canonical and Red Hat in my opinion can have their own app stores, but a store outside their control, for FOSS, would increase trust and adoption, whereas now Snap is a Canonical thingy and Flatpak a Red Hat one.