124
submitted 9 months ago by pnutzh4x0r@lemmy.ndlug.org to c/linux@lemmy.ml

Aqua Nautilus researchers have identified a security issue that arises from the interaction between Ubuntu’s command-not-found package and the snap package repository. While command-not-found serves as a convenient tool for suggesting installations for uninstalled commands, it can be inadvertently manipulated by attackers through the snap repository, leading to deceptive recommendations of malicious packages.

you are viewing a single comment's thread
view the rest of the comments
[-] Neon@lemmy.world 1 points 9 months ago

yeah, but i can still make a Github Repo for Firefoxx and be Verified on Flathub, even though i am masquerading as Firefox. That's not the Problem.

[-] jbk@discuss.tchncs.de 6 points 9 months ago

Since you need to pass a manual review during initial submission of the app, no, you can't

[-] ryannathans@aussie.zone 2 points 9 months ago

A fake malware password manager made it on to Apple's app store, passed manual review. Manual reviews are not bulletproof

[-] jbk@discuss.tchncs.de 1 points 9 months ago

That's still not the same as impersonating a known app or developer though

[-] ryannathans@aussie.zone 1 points 9 months ago* (last edited 9 months ago)

That's exactly what they did, imitated lastpass or something

[-] BautAufWasEuchAufbaut 1 points 9 months ago

And why does Apple's process say something about Flathubs process?

[-] ryannathans@aussie.zone 1 points 9 months ago* (last edited 9 months ago)

Example of strict manual reviews including source code not catching malware masquerading as existing reputable software, it's the exact same scenario minus Apple being a commercial entity. Goes to show that even when commercial interests are at stake to keep these malicious apps out, they can still get in. It's just demonstrating manual reviews aren't a 100% bulletproof solution, the commenter was saying it's not possible for malware to get past manual review

[-] BautAufWasEuchAufbaut 1 points 9 months ago

This isn't the point of the review. Verified apps only say this is the application as offered by the original vendor.
If the original vendor were to bundle malware, then that's a bad vendor, but still verified official software. Not that I actually think this will happen. Most user install malware such as Discord willingly. /j

this post was submitted on 14 Feb 2024
124 points (100.0% liked)

Linux

48224 readers
575 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS