popey

[Blog] Hey! Remember a month ago I mentioned there was a scam BitCoin wallet in the Snap Store. There's another one. This time I took it apart to see how it works.

Edit: It's worse - they published ten scam apps under different wallet brand names. :(

popey.com/blog/2024/03/exodus-

#linux #snapcraft #ubuntu

66 comments
RossMadness

@popey So what criteria does Canonical use to label a Snap as "safe"? Just the fact that no one has complained yet?

Leaflet

@rossmadness @popey It's considered safe if it has strict sandboxing. Problem is that social engineering scams don't require breaking the sandbox. They just need you to enter information and network permission to send that to the scammers.

Aaron Rainbolt

@popey Sheesh. What a mess.

As much as I love the idea behind Snap and think the implementation is good, some parts of this need some *help*.

furicle

@popey can you comment on how this would compare to Flatpak or PyPI or the Apple app store? Same issue right? Can't be identified without a mark one eyeball inspection?

popey

@furicle No human review in the snap store. There is human review in Apple, Flathub, and I presume PyPI

constancies

@popey This NEEDS to stop. It looks really bad on Canonical’s image as an app distributor and creates unease around the safety of the Snap Store that could totally be avoided in my opinion!

popey

Here's a one-liner an intern at Canonical can run.

while true; do snap find exodus | grep -v kubelogin && notify-send "Fire torpedoes!" || echo "Nothing found, sleepy time"; sleep 1000; done
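
A slightly more careful version of that monitor, added here as an example and not popey's own script: it skips the `snap find` header row and matches the allowlist against the Name column only, so the header line can never trip the alert by itself. The column layout is the one `snap find` prints; the sample rows and the allowlist are constructed placeholders, and notify-send is assumed to be installed for the interactive loop.

```shell
#!/bin/sh
# Added example, not popey's one-liner: read `snap find` output, skip the
# header row, ignore snap names on an allowlist, and report the rest.
# The allowlist is matched against the Name column only, so neither the
# header line nor a summary that mentions the name can mask a hit.

# Constructed sample in the column layout `snap find` prints (not real data).
SAMPLE_FIND_OUTPUT='Name           Version  Publisher     Notes  Summary
kubelogin      1.28     some-dev      -      kubectl login helper for exodus
exodus-wallet  1.0      newpublisher  -      Exodus Wallet for Ubuntu
exodus-pro     2.0      newpublisher  -      Exodus Pro Wallet'

# Placeholder allowlist (space-separated snap names known to be legitimate).
ALLOWLIST='kubelogin'

# flag_unexpected ALLOWLIST < snap-find-output
# Prints "name publisher" for each row whose Name is not allowlisted.
# Exit status 0 when at least one row was flagged, 1 when nothing was.
flag_unexpected() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 { next }                       # column header row
        !($1 in ok) { print $1, $3; hits++ }   # Name and Publisher columns
        END { if (hits) exit 0; exit 1 }'
}

# count_unexpected ALLOWLIST < snap-find-output -> number of flagged rows
count_unexpected() {
    flag_unexpected "$1" | wc -l | tr -d ' '
}

# Poll loop for interactive use: TERM is the brand name to watch, INTERVAL
# the sleep in seconds. notify-send is only called when it is installed.
monitor() {
    term=$1; interval=${2:-3600}
    while :; do
        if hits=$(snap find "$term" | flag_unexpected "$ALLOWLIST"); then
            printf 'Unexpected snaps matching %s:\n%s\n' "$term" "$hits"
            command -v notify-send >/dev/null 2>&1 &&
                notify-send "Snap store: unexpected \"$term\" snaps" "$hits"
        fi
        sleep "$interval"
    done
}

# Dry run on the constructed sample (no snapd needed):
printf '%s\n' "$SAMPLE_FIND_OUTPUT" | flag_unexpected "$ALLOWLIST"
```

Run `monitor exodus 1000` for the live loop; anything a new publisher uploads under the watched name shows up on the next poll.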

Bill

@popey They're all too busy trying to evaluate candidate capacity to mentally rotate "R"'s on a 2D plane.

Jim Jones

@popey I think you've just replaced that intern with a shell script.

scott

@popey@mastodon.social looks like Canonical gets to have their brand name plastered all over the next AUR debacle.

Ministerofimpediments

@popey …so, putting aside the whole crypto nonsense itself and setting aside the whole part of doing this inside the Snap store is low hanging fruits so low they are essentially potatoes…
…is this really the mole to be whacked? The optics suck, yes, but I’d actually rather they kept them lazy and stupid instead of whacking them then having nefarious junk reappear inside of an editor or something people actually use that is hard to see.
Assuming Canonical is actually doing this…

popey

@ministerofimpediments Speaking as someone who I imagine didn't have half a million in crypto scammed from them.

Ministerofimpediments

@popey @ministerofimpediments …think about that statement.

And honestly, yes, that would not apply to me. But pick your poison. I’d rather someone lose $500k in *crypto* than a regular person get their bank password hoovered from a faux password manager and lose $50 that they can’t afford to.

And I say it that way because if you own $500k in crypto (hah) then it’s money you can afford to lose because that’s the inherent risk with an investment that is so wildly insecure and volatile.

Ministerofimpediments

@popey …which I *should not* assume…but I’ll take optimism where I can get it.
Basically I’d rather the wallet nonsense in something I can see from lazy people than phishing code from clever people in something I can’t see.

popey

@ministerofimpediments Why not both dot gif.

Also, this isn't about you.

This is about normies out there who cannot spot the wolf in wolf or sheep clothing.

Ministerofimpediments

@popey @ministerofimpediments …yes and no. Your point is perfectly correct. They should do both. And there appears to be doubts on that happening. My hope is they are doing ‘some’ on the really nasty stuff.
I will push back on the “normies” part. If you are installing snaps, on Ubuntu, to access your $500k in crypto then you have stopped being a normie a while back. If you have $500k in crypto you should be very very well aware people are out to get you…

popey

@ministerofimpediments BZZZT. Incorrect assumption.
Ubuntu has a ton of non-nerd users, like, a lot. Just like Mint. Many of them follow advice from friends about all manner of things, including investment.
Some super-normie non-Linux people even follow online guides to spin up Ubuntu in a VM and then install a crypto app to keep it "safe" from their Windows machine.
You'd be amazed what normies are willing to do, and they can be easily fooled, sadly.

Ministerofimpediments

@popey @ministerofimpediments I wouldn’t be surprised at all. I know the same kinds of people. Asking the same questions. Taking the same risks. Unfortunately there is a limit to saving people from themselves. Canonical’s is (probably) higher than most.

Side question…does Flatpak have the same problem? Same publisher? For curiosity sake mostly.

popey

@ministerofimpediments No, because every flatpak initial submission is human-reviewed. Something potentially could slip through, all things are possible, but it's less likely. Someone could submit a legit app, and then pivot it later, once it has a decent userbase. Or rug-pull, like many crypto things do.

Ministerofimpediments

@popey @ministerofimpediments They say the first step in fixing a problem is identifying the actual problem.
It seems the crypto wallet thing is a symptom. The real problem is a deficiency in initial/periodic review of the snaps and related security in the snap store itself.
And that is a problem for not just the normies, but for everyone who uses it.

popey

@ministerofimpediments This is something I mentioned in my blog post.

Ministerofimpediments replied to popey

@popey @ministerofimpediments …then I should probably read your blog post. So should someone at Canonical. One of these is more likely than the other.

Ministerofimpediments

@popey @ministerofimpediments …and it’s not the $500k bit either…any amount of crypto would meet the criteria to be clear.
There is an easy and effective solution to the problem. No wallets in the snap store. I didn’t suggest that because the whole consenting adults thing. But that would save the normies. But if they get to stay then it’s whack-a-mole. And I’d prefer my local police outside the bank instead of outside the casino…but they should do both…but resources.

thetechdog

@popey Darn it! This is really ruining snap store's reputation... I know that some things will slip through regardless, but they have to do something!

popey

For what it's worth, I spoke to Hostinger abuse with the wireshark and my blog.
They've suspended the account as of ~25 minutes ago.
I confirmed the snaps which were published today, which use the same backend host, are now functionally crippled.

Joshua Strobl :verified:

@popey You're putting seemingly 10x more effort into it than Canonical is.

If Canonical wants to run a centralized distribution platform then they need to assume responsibility for it and put into place proper review processes. This lack of initiative and slow action on their part is just disappointing.

Morgenkaff

@me @popey yeah.. The snap store doesn't quite seem to be the app store I'm feeling safe letting my mother or children loose in.. Should probably disable it for them 😕

Not that they do anything in cryptocoins. But still..

Pierre Spring

@popey I’ve been reading a lot of negative toots about Apple’s gatekeeping with regard to app reviews… I guess this is the other side of the medal.

popey

@caillou Yeah, I imagine there's a happier place somewhere in the middle.

Ryan Finnie

@popey Obviously the solution to ensure quality is to ask the crypto wallets about their high school transcripts.

popey

@foo

🌟🌟🌟

Three gold stars, young Master Finnie, put your chair on your table and go home early. That's enough for today!

👋

Jiří Eischmann :fedora:

@popey I guess this is where the curating approach (no multiple instances of the same app) and partly manual process of Flathub is paying off.

popey

@sesivany Curation has something to be said for it, for sure.

lproven

@popey Handy time-saver: if it's got the word 'blockchain' in it, it's bollocks.

100% of anything to do with cryptocurrencies are scams. All cryptocurrency tools on Snap, and Flatpak, and all other app stores of any kind, are scam apps.

The only question is who is doing the top-level scam. If it's the app vendor, it's still not significantly different. The user will still get scammed.

popey

@lproven

I'll update my whack-a-mole.sh script...

while true; do snap find blockchain && notify-send "Bollocks!" || echo "Nothing found, sleepy time"; sleep 1000; done

Oh no.

Mike J👹🤠🤘🏻

@popey Nothing is a "scam" if code is law. If you want to opt out of the financial system, I don't see why anybody should be concerned when the inevitable happens.

Jason Nucciarone

@popey welp... being able to easily publish software as snaps to the world was fun while it lasted 😭

Obviously this is being played close to chest by the involved Canonicalers, but I hope some new form of publisher trust & authentication mechanism is rolled out sooner rather than later. Clearly the malicious actor isn't going to give up until the store is locked down further. Yet another day of crypto having me broke, busted, and disgusted

popey

@nuccitheboss I still think it's possible to have a fast pipeline for trusted developers, while also putting a toll-booth sized small passport office in the way of new people.

Basically this lot.

Jason Nucciarone

@popey Yes, I'd personally like stricter verification for new publishers. I already have "trust issues," so I typically only use snaps from verified publishers, the Snapcrafters, or star developers. Can't make everyone as distrusting as me though πŸ˜…

I'd also add that there should be regular check-ins with verified publishers. Just because you're trustworthy now doesn't mean you won't become "mad emperor Nero" either after you've made it through the passport office 🔥

scooter

@popey I’m not familiar with publishing snaps. Is there a vetting process or review for the official snap store?

popey

@scooter No and yes. Anyone can (currently) sign up, and publish a confined snap. You can get verified, and there is review of some types of unconfined snap, or snaps which require access beyond the basic confinement.

Ariadne Conill 🐰

@popey @thelinuxEXP as I keep saying, the only secure software distribution method is the one which is actually reviewed by humans.

Joshua Lee

@popey Canonical really should do better in this regard if they're going to be the ones controlling the servers we use to download the snaps from.

Emil "AngryAnt" Johansen

@popey Will be interesting to see if Canonical can be bothered to invest what it takes to run a closed store like that.

I'm not saying they are the ones behind this set of scam apps - in an effort to establish a budget for a vetting team - but it does seem like an efficient way to secure the necessary income ;)

tallship

@popey

*OH!
*Snap!**

And to think we have Mark Shuttleworth to thank for that, lolz....
