Aqua Nautilus researchers have identified a security issue that arises from the interaction between Ubuntu’s command-not-found package and the snap package repository. While command-not-found serves as a convenient tool for suggesting installations for uninstalled commands, it can be inadvertently manipulated by attackers through the snap repository, leading to deceptive recommendations of malicious packages.

  • @[email protected]
    link
    fedilink
    279 months ago

    Neither Canonical"s Snapstore, nor Flathub manually verify apps. They’re both similar to the Play Store or App Store where it’s managed by the app developer.

    • Baut [she/her] auf.
      link
      fedilink
      179 months ago

      For Flathub there are verified apps though, which are confirmed to be by the original developer.

          • @[email protected]
            link
            fedilink
            29 months ago

            A fake malware password manager made it on to Apple’s app store, passed manual review. Manual reviews are not bulletproof

                  • @[email protected]
                    link
                    fedilink
                    1
                    edit-2
                    9 months ago

                    Example of strict manual reviews including source code not catching malware masquerading as existing reputable software, it’s the exact same scenario minus Apple being a commercial entity. Goes to show that even when commercial interests are at stake to keep these malicious apps out, they can still get in. It’s just demonstrating manual reviews aren’t a 100% bulletproof solution, the commenter was saying it’s not possible for malware to get past manual review

    • @[email protected]
      link
      fedilink
      69 months ago

      Flathub has manual reviews during initial submission though. Also they’re working on automatically needing a manual review when e.g. new permissions are granted to apps