Developer Find Loopholes in Snap When Used With X.Org
Canonical’s most distinguished feature added to Ubuntu 16.04 LTS Xenial Xerus is a software packaging format called Snap. Previously only exclusive to the Ubuntu Core found IoT, the packaging system found its way onto the desktop operating system.
Snap is expected to be a convenient way of installing apps on your Ubuntu based operating system as it contains all its dependencies allowing it to seamlessly integrated into the system without interfering with other packages. The packaging format is not only supposed to bring convenience but also security as apps are first isolated in a container before being installed.
Snap packaging was built from the ground up to extensively work with Canonical’s desktop and server operating systems.
“Snap packages enable developers to bring much newer versions of apps to Ubuntu 16.04 LTS. Newer versions of KDE, GNOME, browser or other desktop environment apps will usually build easily on older LTS releases but the complexities of packaging and providing updates have prevented us from delivering them in the past” was a part of the release not released by members of the Ubuntu team.
Mattew Garret who is a well known CoreOS developer and a great contributor to the Linux Kernel pointed out that Canonical’s new Snap packing format is not secure when used under the X.Org server which is the default display server for Ubuntu 16.04.
“ I’ve produced a quick proof of concept of this. Grab XEvilTeddy from git, install Snapcraft (it’s in 16.04), snapcraft snap, sudo snap install xevilteddy*.snap, /snap/bin/xevilteddy.xteddy. An adorable teddy bear! How cute. Now open Firefox and start typing, then check back in your terminal window. Oh no! All my secrets.
Open another terminal window and give it focus. Oh no! An injected command that could instead have been a curl session that uploaded your private SSH keys to somewhere that’s not going to respect your privacy. ”
With only two apps known to come in snap packaging format, the system itself is still in its infancy and efforts to find loopholes and vulnerabilities should be very much welcomed by Canonical as it would give them enough time to work on fixes and patches before snap becomes crowded.