Another crypto wallet has been in the store for days

Via: https://www.reddit.com/r/linux/comments/1bi2wpc/another_cryptostealing_app_found_in_the_snap_store/kyqm1g2/?context=3&share_id=X3TSxXgU08VpmIHjSHJgJ

Already removed.

Really nice snap from Ethan Carter; good that it finally vanished.

https://duckduckgo.com/?q=Ethan+Carter

Hi @popey,

Thank you for reporting this snap. It has been removed from the Snap Store.

Kind regards,

Holly

Does this mean that this snap somehow passed the manual verification mentioned here?

I really hope that all possible details will be revealed later about how this even began to happen. To be honest, after all the statements and after this incident, my family and I, who use the Snap Store from time to time, no longer feel safe…

1 Like

Hi ! @milachew .

If the Snap Store is less secure, what about other application platforms or programs that we find here and there? :face_with_monocle::slightly_smiling_face:

The Snap Store is one of the safest ways (if not the safest way) in terms of application security for an operating system.

The concept of sandboxing and all the algorithms that can abound around it provide endless possibilities for security within an operating system.

And yet there are time and time again malicious snaps in the store.

I don’t know how that manual review works, but clearly it doesn’t work. This is all very bad and unprofessional from Canonical. You would think that any crypto snap would be the first one to check.

I’m really disappointed by all of this, and I’m sure that there are many others.

And all of that sandboxing means jack shit in cases like this one.

Hi ! @Recydywa .

It should still be noted that human resources are not unlimited.

However, the tasks to be carried out seem endless.

The guys, they do a gargantuan and eminently relevant job.

I perpetually thank them for their philanthropy, their dedication…

Sure, right, human resources are finite.

But there was supposedly a manual review process for snaps, and with that I thought that each snap has to be reviewed first, and only after that can it go live in the store.

So how is it possible that there are still scam crypto apps being published?

Also, what happened to that:

Next week, we will be publishing a policy regarding crypto-wallet and other sensitive snaps. This will include the guidelines for how to publish such a snap. These changes are evolving over time. We do not expect this to be a long-term solution and will post in the forums as new updates are made.

I don’t see anything about that in the policy section of the snapcraft forums. Already 19 days have passed since then, so we’re way past next week.

Try to immerse yourself in this ecosystem; things are not that direct, things are not that simplistic.

Yes ! there is a lot to do. Yes ! there is a lot to improve.
But all the same, this incident can in no way compete with the work accomplished so far.

Of course, a system of this size is potentially subject to flaws or vulnerabilities, but when these flaws are identified (not even resolved) with the means on board, it is already an excellent thing.

Let’s keep it friendly, and assume good intent.

As an outsider, my guess is this slipped through because the actual snap name was not related to crypto at all, but quantumquest - which frankly could have been a video game, self help app or fusion simulator.

As they’ve mentioned before, the process is evolving, and I’m sure the team have this stuff in hand. While it’s far from ideal that one slipped through, it’s somewhat whack-a-mole and not exactly straightforward.

Yes the name wasn’t related to crypto, but there is more than a name to any type of package.

There is a description of the snap with the ominous word wallet.

You aren’t trying to tell us that the manual review of snaps starts and ends with someone looking at the name of the snap. That would be totally ridiculous.

It did when I took the screenshot, but it may not have when the publisher initially attempted to register the snap.

Also, when a snap is registered, the full description of the application doesn’t actually have to be… The truth!

People, especially bad actors, trying to steal money from poor gullible rubes, will often… LIE!

The registration process is somewhat far removed from the “uploading a binary build” and “filling in metadata” sections of the store. So it’s entirely possible for someone to fill the name in as something innocuous.

This isn’t ideal, and should certainly be factored in, for future registrations. No doubt it is. :smiley:

This is one of the problems with the closed “nature” of some parts of the Snap Store.

For example, Flathub has everything open about this. We can at least see which nickname registered the package, how it was accepted, who accepted it, etc. (correct me if any of this can be found out by anyone in the Snap Store)

Therefore, I really hope that when all this is settled, then they will tell in detail, almost in a timeline, how it all happened, so that others (the same Flathub, for example) could take something from this into service.

Otherwise, there are only two options left: to think that the attackers are smart enough to bypass moderation, or that the attackers are doing quite simple and primitive things and for some reason this is still being missed.

It’s a fair comparison to make. However, I think this makes sense in a community-maintained project like Flathub, where numerous remote participants contribute on their own (or their employers’) time. It’s useful for auditing and process improvement.

For a platform like the Snap Store, which is run by a company where employees have responsibilities, contracts, line managers, and employment reviews, I think us outsiders knowing exactly which physical meat bag pressed the “accept” button isn’t tremendously beneficial, but it can be detrimental.

Especially in an open source community who are very good at sharpening pitchforks and turning up at your virtual door for any mistake, misspeak or perceived poor behaviour. I know because it happened to me, and it is one of the reasons I left Canonical. The Linux community contains a small number of super-toxic shitheads “people with genuine opinions vocalised loudly”.

I fully expect multiple people at different levels of the organization will try to figure out solutions for this. Along the way, mistakes will be made. We’re certainly in a better position than in February and September last year when previous issues happened.

These scammers are devious and will try various ways to get in. See also: xz.

So, while I have been “that guy” blogging about this and pointing the finger at Canonical to improve this whole thing, I’m very very much pointing that at Canonical, the entity, not the delightful individual bags of meat who work there.

4 Likes

I lost $25 to this scammer. I know it isn't much, but it reminded me of the dangers of crypto even in so-called trusted environments. Or at least I thought of Snap as one and got a little too careless; had I only double-checked the dev and the team behind Exodus, something should have struck me as fishy. However, experience is good, but nothing beats a painful lesson in how much these low-lifes want your money. Never again! Later I will provide an address of this scammer; maybe someone wants to track him. He made around $7,000 through this scam.

If anyone is interested, I still have the malicious app and could maybe provide a copy. USE AT YOUR OWN RISK, MEANING DON'T use it at all, but maybe someone can reverse engineer him/her/it.

Hi ! @phorgetmenot .

Thank you for having shared your experience of this incident.

I’m interested in analyzing this malware… (if it’s possible, of course :slight_smile: )

I totally agree that scammers will keep looking for avenues to take advantage of people, and that holding up individuals’ names for “community accountability” (harassment) won’t help with the Snap Store challenges.

That may be the crux of it, then - is the collection of apps housed in the Snap Store a Canonical product itself, or is the app collection a community effort which is then “linked to” or “disseminated” by Canonical through its Snap Store product?

If it’s the former, then really the only answer is to continue to pressure Canonical the entity to produce a better product, by directing its employees to conduct more thorough curation/moderation of the community submissions that comprise their product.

If it’s the latter, then IMO there should at least be some minimal mandatory accountability/visibility given to how the snap was built (e.g. providing an easy link to the source repository with the snapcraft.yaml file, similar to how Flathub directly publishes the app manifest on each page) so that folks who are willing and able can help with community review, identify mismatches between storefront presentation and the actual underlying application, and have a way to develop trust in apps that don’t have the star or checkmark.

1 Like

Interestingly, I think the snap store ultimately will have both - a community managed collection of open source snaps where we have full provenance of the code, and a publisher-oriented collection where you have to decide if you trust the publisher. Today, we have a small community of snapcrafters, and for open source snaps it makes sense to grow that community and give it more visibility, teeth, policy and voice.

1 Like