Aqua Nautilus researchers have identified a security issue that arises from the interaction between Ubuntu’s command-not-found package and the snap package repository. While command-not-found serves as a convenient tool for suggesting installations for uninstalled commands, it can be inadvertently manipulated by attackers through the snap repository, leading to deceptive recommendations of malicious packages.

  • OsrsNeedsF2P@lemmy.ml
    link
    fedilink
    arrow-up
    29
    ·
    9 months ago

    Neither Canonical"s Snapstore, nor Flathub manually verify apps. They’re both similar to the Play Store or App Store where it’s managed by the app developer.

        • jbk@discuss.tchncs.de
          link
          fedilink
          arrow-up
          6
          arrow-down
          1
          ·
          9 months ago

          Since you need to pass a manual review during initial submission of the app, no, you can’t

          • ryannathans
            link
            fedilink
            arrow-up
            2
            ·
            9 months ago

            A fake malware password manager made it on to Apple’s app store, passed manual review. Manual reviews are not bulletproof

              • ryannathans
                link
                fedilink
                arrow-up
                1
                ·
                edit-2
                9 months ago

                That’s exactly what they did, imitated lastpass or something

                  • ryannathans
                    link
                    fedilink
                    arrow-up
                    1
                    ·
                    edit-2
                    9 months ago

                    Example of strict manual reviews including source code not catching malware masquerading as existing reputable software, it’s the exact same scenario minus Apple being a commercial entity. Goes to show that even when commercial interests are at stake to keep these malicious apps out, they can still get in. It’s just demonstrating manual reviews aren’t a 100% bulletproof solution, the commenter was saying it’s not possible for malware to get past manual review

    • jbk@discuss.tchncs.de
      link
      fedilink
      arrow-up
      7
      ·
      9 months ago

      Flathub has manual reviews during initial submission though. Also they’re working on automatically needing a manual review when e.g. new permissions are granted to apps