
Snap packaging could reveal private data in Ubuntu 16.04 version

A feature in the Ubuntu 16.04 version could be abused to expose users' private data, posing a serious threat to their privacy and security.

A feature in the latest version of Ubuntu, the Ubuntu 16.04 version, could inadvertently expose users' private data, posing a serious threat to their privacy.

According to the open-source software expert Matthew Garrett, the issue affects snap, a new package format used for installing software on an Ubuntu system.

The snap format featured in the Ubuntu 16.04 version is designed to make ordinary operations easier for developers.

Matthew Garrett discovered that snap packages installed on Ubuntu systems that rely on the X11 windowing system can copy private data without limitations. For example, an application can simply ask to receive keystrokes from other applications.

“The problem here is the X11 windowing system. X has no real concept of different levels of application trust. Any application can register to receive keystrokes from any other application. Any application can inject fake key events into the input stream.” wrote the expert. “An application that is otherwise confined by strong security policies can simply type into another window. An application that has no access to any of your private data can wait until your session is idle, open an unconfined terminal and then use curl to send your data to a remote site.”

On the other hand, snaps don’t pose any security risks when running on Canonical’s Mir windowing system. For the moment, however, there are serious issues present in snaps that could threaten desktop Ubuntu users.


Canonical has published a blog post on the issue confirming that X11 is a protocol that is insecure by design. This means that users still need to be careful about which packages they install.

“The security minded will observe that X11 is not in fact a secure protocol. A number of system abuses are possible when we hand an application this permission.” states the blog post.

“When you install software from the Ubuntu archive, that’s a statement of trust in the Ubuntu and Debian developer,” he said. “Snappy is not eliminating the need for that trust, as once you give a piece of software access to your personal files, web camera, microphone, etc, you need to believe that it won’t be using those allowances maliciously.”
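To check which installed snaps have been handed X11 access on a given machine, the following added example (not code from Garrett, Canonical or this article) parses `snap connections --all` output and pairs it with the session's display-server type. It assumes snapd's `x11` interface name, the four-column `snap connections` layout and the `XDG_SESSION_TYPE` variable set by the login session; the sample output and snap names are constructed.

```python
"""Audit which installed snaps hold a connected x11 plug (defensive check)."""
import os
import shutil
import subprocess

# Constructed sample shaped like `snap connections --all` output;
# the snap names are made up for illustration.
SAMPLE = """\
Interface  Plug                 Slot      Notes
home       teddy-demo:home      :home     -
network    teddy-demo:network   :network  -
x11        teddy-demo:x11       :x11      -
x11        notes-app:x11        -         -
network    cli-tool:network     :network  -
"""

def snaps_with_x11(connections_text):
    """Return sorted snap names whose x11 plug is connected to a slot."""
    found = set()
    for line in connections_text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 3:
            continue
        interface, plug, slot = cols[:3]
        # A slot of "-" means the plug is declared but not connected.
        if interface == "x11" and slot != "-" and ":" in plug:
            found.add(plug.split(":", 1)[0])
    return sorted(found)

def assess(session_type, connections_text):
    """Pair the display-server type with the snaps that can talk to X."""
    x11_snaps = snaps_with_x11(connections_text)
    on_x11 = session_type.lower() == "x11"
    # Confinement only loses its value here when the session really is X11
    # and at least one snap has been granted the x11 permission.
    return {"session": session_type, "x11_snaps": x11_snaps,
            "at_risk": on_x11 and bool(x11_snaps)}

if __name__ == "__main__":
    if shutil.which("snap"):
        text = subprocess.run(["snap", "connections", "--all"],
                              capture_output=True, text=True).stdout
    else:
        text = SAMPLE  # fall back to the constructed sample when snapd is absent
    print(assess(os.environ.get("XDG_SESSION_TYPE", "unspecified"), text))
```

Any snap listed under `x11_snaps` on an X11 session should be treated with the same trust as an unconfined package, which is the point Canonical's post makes.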

Garrett has included proof-of-concept code, dubbed XEvilTeddy, that is able to steal users’ data from an Ubuntu 16.04 system.

“An adorable teddy bear! How cute. Now open Firefox and start typing, then check back in your terminal window. Oh no! All my secrets. Open another terminal window and give it focus. Oh no! An injected command that could instead have been a curl session that uploaded your private SSH keys to somewhere that’s not going to respect your privacy.” said the expert speaking about his PoC code.


Pierluigi Paganini

(Security Affairs – Ubuntu 16.04 version, privacy)
