I’m sorry I don’t quite understand. So even after having removed the app my personal documents could be at risk? . Could you explain more what you mean by taking action when necessary?
I’m not a technical user, I just want to use FOSS and not windows or mac. But I’m not even close to a power user. I have used xbuntu for years and just got this second hand thinkpad and got the store to put it with just ubuntu mate. Really love it. But like, if my documents are in jeopardy now because i installed and removed a snap, I’m thinking I’m gonna go to the store and get a reinstall of MATE. Cuz I don’t want my documents to be at risk. Wish I didn’t have to , but I’ll do what I have to do if it’s warrented.
I’ve been fine all these years with ubuntu, and now I decided to use snapstore and have potentially put my documents at risk. I know it’s my fault for not paying attention to what I was doing. But like, I dunno I felt safe on the store.
Well if the malware is really executed they can really pack and upload your ~/Download and ~/Documents folders to the attacker’s server, consider the files were leaked already if they are that important.
If you only installing it but NOT launching it via the application launcher or terminal you should be safe.
Thanks a lot for the input Lin-Buo-Ren! I really appreciate it . I didn’t execute it. I installed it, searched for it in menu, couldn’t find it. Scrolled down to the reviews, saw the warnings “fake app” and “don’t download”. I then clicked remove app through the same software centre interface i installed it from. Now if I type snap list in the CL I don’t see twitterr listed.
Well the same applies to any other thirdparty software sources like PPAs and it has even more power to do malicious things than snaps (e.g. The Debian packages’ installation script is actually run as root and has unrestricted access to your system).
As the sandbox technology advances the exploits will be smaller due to more granular control of access (for example the new XDG desktop portals eliminates the requirement of open up access to most of your personal files via only allow access to the files user-specified to the applications).
According to the metadata of the latest snap revision the snap doesn’t provide any entrypoints to launch it with, which is probably why you can’t find it anywhere .
I would like to ping the @store fellows to check whether the previous revisions of this snap is fine, also to evaluate whether to unlist/unpublish the snap due to the suspicious naming and lack of implementation.
Setting the topic to the #store category as it requires store staff’s attention.
As far as I can tell the recipe looks like its copied from a tutorial, maybe it’s just a novice packager testing out an empty snap and published it with suspicious metadata.
Not sure though, we should wait for the store staffs to verify all the snap revisions the publisher published before jumping to conclusions.
It is legit as it communicates to the same snapd daemon via its backend. You may also remove the snap by running the snap remove _snap_id_ command in a terminal.
so in this case I would run snap remove _snap_id_twitterr ? But I don’t see it listed amongst my snaps when i run snap list so i guess i’ve got rid of it. I just hope installing it didn’t compromise my documents that would really suck.
thanks a lot for the time you’ve put towards helping out with this. It’ll be nice for the sake of all the users of snapstore to know what’s the deal with the app. You’ve been super helpful Lin-Buo-Ren!
The name is so similar and the profile photo lead me to not even look to the info or reviews I stupidly just hit install didn’t even realize the letters. Oh well. But it’ll be nice to know if any of us who have downloaded the app need be worried or not.
I’m fairly certain that the Snap is not malicious, though I can’t verify 100% because I can’t check previous versions as @Lin-Buo-Ren mentioned. I think on balance that you’re most likely safe and have not had anything compromised.
I’ve downloaded every revision of the twitterr snap, and there’s nothing other than a snap.yaml, manifest.yaml and snapcraft.yaml in them. It’s inert, likely an unfinished project, with an incorrect or incomplete packaging configuration. Nothing to see here.