Suspicious "Twitterr" snap requires attention (was: Are there risks associated with installing random snaps?)

Hi everyone :slight_smile: I,m running Ubuntu MATE 20.04.2

I was looking for a twitter client and searched the software centre and downloaded a snap from snapcraft.io. Called Twitterr.


Last updated a year ago, and and author’s website looks fake.

I didn’t even notice this. i wasn’t paying attention and didn’t read the reviews and just his install. I wasn’t given an option to launch once installed, and couldn’t find it through menu. I then read the in the reviews others had the same problem of not being able to locate the app to open it. And some saying fake app, maybe malware.

So I removed it through the software centre. When I run the snap list command in terminal twitterr doesn’t show up, or any author that shouldn’t be there in that list. So am I ok? No need to reinstall ubuntu or anything? Just sketched me out. Made me think what’s the potential for malware infection through snaps?

Aren’t they supposed to be safe because of the sandboxing?

I’d really appreciate some thoughts on this, thanks!

1 Like

That particular snap is completely empty, so you’re fine. As to the general safety of Snaps: they’re generally safer to install compared to software packages from anywhere other than your distro’s package repositories. The caveat is that if you install a classic snap (such as by specifying --classic on the install command, though the software center/snap store didn’t make it clear last I checked) then it still has full access to your system, where most snaps are confined into a strict sandbox preventing them from crawling all over.

2 Likes

Thanks so much for the reply! That’s reassuring to hear! But what exactly do you mean that snap is empty? How did you check that? And why is it empty?

when i installed the app in software centre it said it was 8kb. So I installed something

By inspecting the content of the snap, you can easily do so by running the snap download _snap_id_ command in the terminal, then run less _snap_id_*.snap to view its content.

For snaps already installed one can find the packages under /var/lib/snapd/snaps or /snap/snap_id/current

1 Like

Here are the contents of the revision 43 of the snap:

path:       "twitterr_43.snap"
name:       twitterr
summary:    Browse Twitter.com
version:    2.03 -
build-date: 2020-02-26
license:    unset
description: |
  Use the mobile Twitter experience from the convenience of a desktop
  application that works for Windows, macOS, and Linux!

*** Contents:
Parallel unsquashfs: Using 8 processors
3 inodes (3 blocks) to write

drwxr-xr-x root/root                39 2020-02-26 06:29 
drwxr-xr-x root/root                32 2020-02-26 06:29 /meta
-rw-r--r-- root/root               259 2020-02-26 06:29 /meta/snap.yaml
drwxr-xr-x root/root                58 2020-02-26 06:29 /snap
-rw-r--r-- root/root             10024 2020-02-26 06:29 /snap/manifest.yaml
-rw-r--r-- root/root               490 2020-02-26 06:29 /snap/snapcraft.yaml

This doesn’t mean that the snap is totally benign, though, as snap apps are automatically updated, and, the superseded old snap revision may contain something else than the current one.

I think this is another case for the proposals here Feature request: Allow user to flag snaps as out-of-date

An app on the store with hundreds of users for over a year, and it literally has no functionality. It reflects poorly on the snapcraft store and is confusing for the users.

1 Like

For snaps under strict confinement it is confined according to the snap recipe’s declared permissions(we call them interfaces, or plugs) and the store’s own policy(critical permissions are gatekeeped by the store staff to avoid abusing) , one can inspect the snap/manifest.yaml file in the snap to determine which permission the snaps requests, and which is actually granted(connected) by the system via the snap connections command:

plugs:
  config-gallery-dl:
    interface: personal-files
    read:
    - $HOME/.config/gallery-dl
    - $HOME/.gallery-dl.conf
  desktop: null
  dot-netrc:
    interface: personal-files
    read:
    - $HOME/.netrc
  etc-gallery-dl:
    interface: system-files
    read:
    - /etc/gallery-dl.conf
  home: null
  network: null
  network-bind: null
  removable-media: null
apps:
  youtube-dl:
    adapter: legacy
    command: youtube-dl
    environment:
      LANG: C.UTF-8
      LC_ALL: C.UTF-8
      LD_LIBRARY_PATH: $SNAP/usr/lib/x86_64-linux-gnu/pulseaudio
    plugs:
    - home
    - network
    - opengl
    - removable-media
$ snap connections youtube-dl
Interface        Plug                        Slot      Notes
home             youtube-dl:home             :home     -
network          youtube-dl:network          :network  -
opengl           youtube-dl:opengl           :opengl   -
removable-media  youtube-dl:removable-media  -         -

For the example above the removable-media interface is not connected, meaning that the snap application can’t access your external drives mounted under /mnt or /media. You may check out the entire list of supported security confinement interfaces (and their definition) at https://snapcraft.io/docs/supported-interfaces

For snaps you particularly not trust you may specifically disallow their access to certain resources by using the snap disconnect _snap_name:_interface_name_ command. For example you may fully disallow the youtube-dl snap to access your files under the home directory by running snap disconnect youtube-dl:home in the terminal.

Note that not every interfaces declared by the snap is auto-connected(granted by default), for sensitive interface connections the publisher must be vetted by the store staff before they are made auto-connectable. Refer Process for aliases, auto-connections and tracks for the actual process.

Reference: Interface management | Snapcraft documentation

I do find that downloading specified revision is not allowed though, meaning I can’t inspect what’s actually in the snap in the past:

snap download twitterr --revision 20
Fetching snap "twitterr"
error: cannot download snap "twitterr": Access by specifying a revision is not allowed for this Snap.

Wow, lots of very in depth replies thanks so much for taking the time! Really appreciate it. I’m not as technical a user of ubuntu that I understood everything haha :slight_smile: .But like from a security perspective what should I do? I realize I messed up by downloading an inactive weird app. I wasn’t paying attention to what I was doing sigh. You think I’m good having just removed the app via software centre user interface?

Like should I be worried about malware even after having removed the app?

I’d say that you should be quite safe as by default the snap can’t do many things other than stealing your regular documents (the home and the network interface allow them to do so, both are auto-connected due to common usage and lack of granular access technologies) and wasting your computational resources(like mining cryptocurrency).

They cannot:

  • Steal your SSH/GnuPG private keys(~/.ssh/…, ~/.gnupg/…) (as the home interface doesn’t allow access to hidden files right under your home directory)
  • Modify most of your application configs(~/.config/…) (not allowed by the home interface for the same reason)
  • Access most of your application data (~/.local/…, ~/.app_id) (not allowed by the home interface for the same reason)
  • Modify startup scripts(~/.bashrc, ~/.profile, …) to make them persistent after removal (not allowed by the home interface for the same reason)

I would suggest that you should only concern your important, non-encrypted documents in your home directory( ~/Documents, ~/Downloads ) and take actions when necessary (like revoking the keys/credentials).

I’m sorry I don’t quite understand. So even after having removed the app my personal documents could be at risk? . Could you explain more what you mean by taking action when necessary?

I’m not a technical user, I just want to use FOSS and not windows or mac. But I’m not even close to a power user. I have used xbuntu for years and just got this second hand thinkpad and got the store to put it with just ubuntu mate. Really love it. But like, if my documents are in jeopardy now because i installed and removed a snap, I’m thinking I’m gonna go to the store and get a reinstall of MATE. Cuz I don’t want my documents to be at risk. Wish I didn’t have to , but I’ll do what I have to do if it’s warrented.

I’ve been fine all these years with ubuntu, and now I decided to use snapstore and have potentially put my documents at risk. I know it’s my fault for not paying attention to what I was doing. But like, I dunno I felt safe on the store.

Well if the malware is really executed they can really pack and upload your ~/Download and ~/Documents folders to the attacker’s server, consider the files were leaked already if they are that important.

If you only installing it but NOT launching it via the application launcher or terminal you should be safe.

Thanks a lot for the input Lin-Buo-Ren! I really appreciate it :slight_smile: . I didn’t execute it. I installed it, searched for it in menu, couldn’t find it. Scrolled down to the reviews, saw the warnings “fake app” and “don’t download”. I then clicked remove app through the same software centre interface i installed it from. Now if I type snap list in the CL I don’t see twitterr listed.

1 Like

In the software centre interface there wasn’t even a button to launch it as there usually is when installing apps there. Couldn’t launch it thankfully

Well the same applies to any other thirdparty software sources like PPAs and it has even more power to do malicious things than snaps (e.g. The Debian packages’ installation script is actually run as root and has unrestricted access to your system).

As the sandbox technology advances the exploits will be smaller due to more granular control of access (for example the new XDG desktop portals eliminates the requirement of open up access to most of your personal files via only allow access to the files user-specified to the applications).

According to the metadata of the latest snap revision the snap doesn’t provide any entrypoints to launch it with, which is probably why you can’t find it anywhere :wink: .

that will be bad if my documents have been uploaded to an attackers server though…

I would like to ping the @store fellows to check whether the previous revisions of this snap is fine, also to evaluate whether to unlist/unpublish the snap due to the suspicious naming and lack of implementation.

Setting the topic to the #store category as it requires store staff’s attention.

1 Like