Aqua Nautilus researchers have identified a security issue that arises from the interaction between Ubuntu’s command-not-found package and the snap package repository. While command-not-found serves as a convenient tool for suggesting installations for uninstalled commands, it can be inadvertently manipulated by attackers through the snap repository, leading to deceptive recommendations of malicious packages.

  • OsrsNeedsF2P@lemmy.ml
    link
    fedilink
    arrow-up
    29
    ·
    11 months ago

    Neither Canonical"s Snapstore, nor Flathub manually verify apps. They’re both similar to the Play Store or App Store where it’s managed by the app developer.

        • jbk
          link
          fedilink
          arrow-up
          6
          arrow-down
          1
          ·
          10 months ago

          Since you need to pass a manual review during initial submission of the app, no, you can’t

          • ryannathans@aussie.zone
            link
            fedilink
            arrow-up
            2
            ·
            10 months ago

            A fake malware password manager made it on to Apple’s app store, passed manual review. Manual reviews are not bulletproof

            • jbk
              link
              fedilink
              arrow-up
              1
              ·
              10 months ago

              That’s still not the same as impersonating a known app or developer though

                  • ryannathans@aussie.zone
                    link
                    fedilink
                    arrow-up
                    1
                    ·
                    edit-2
                    10 months ago

                    Example of strict manual reviews including source code not catching malware masquerading as existing reputable software, it’s the exact same scenario minus Apple being a commercial entity. Goes to show that even when commercial interests are at stake to keep these malicious apps out, they can still get in. It’s just demonstrating manual reviews aren’t a 100% bulletproof solution, the commenter was saying it’s not possible for malware to get past manual review

    • jbk
      link
      fedilink
      arrow-up
      7
      ·
      10 months ago

      Flathub has manual reviews during initial submission though. Also they’re working on automatically needing a manual review when e.g. new permissions are granted to apps