A feature in the last version of Ubuntu, the Ubuntu 16.04 version, could inadvertently expose users private data posing a serious threat to their privacy.
According to the open-source software expert Matthew Garrett, the issue affects the snap, a new package format used for installing software on an Ubuntu system.
The snap featured in the Ubuntu 16.04 version is designed to be easier for developers their ordinary operations.
Matthew Garrett discovered that the snap packages installed on Ubuntu systems that rely on the X11 windowing system can copy private data without limitations, for example, an application can simply ask to receive keystrokes from other applications.
“The problem here is the X11 windowing system. X has no real concept of different levels of application trust. Any application can register to receive keystrokes from any other application. Any application can inject fake key events into the input stream.” wrote the expert. “An application that is otherwise confined by strong security policies can simply type into another window. An application that has no access to any of your private data can wait until your session is idle, open an unconfined terminal and then use curl to send your data to a remote site.”
On the other side, snaps don’t pose any security risks when running on Canonical’s Mir windowing system. For the moment, however, there are serious issues present in snaps that could threaten desktop Ubuntu users.
For the moment, however, there are serious issues present in snaps that could threaten desktop Ubuntu users.
Canonical has published a blog post on the issue confirming that X11 is a protocol insecure by design, this means that users still need to be careful about which packages they install.
“The security minded will observe that X11 is not in fact a secure protocol. A number of system abuses are possible when we hand an application this permission.” states the blog post.
“When you install software from the Ubuntu archive, that’s a statement of trust in the Ubuntu and Debian developer,” he said. ” Snappy is not eliminating the need for that trust, as once you give a piece of software access to your personal files, web camera, microphone, etc, you need to believe that it won’t be using those allowances maliciously.”
Garret has included a proof-of-concept code dubbed XEvilTeddy that is able to steal user’s data from an Ubuntu 16.04 version.
“An adorable teddy bear! How cute. Now open Firefox and start typing, then check back in your terminal window. Oh no! All my secrets. Open another terminal window and give it focus. Oh no! An injected command that could instead have been a curl session that uploaded your private SSH keys to somewhere that’s not going to respect your privacy.” said the expert speaking about his PoC code.
(Security Affairs – Ubuntu 16.04 version, privacy)