Security of unverified flatpaks
github.com/flathub-infra/website
Review source domain changes in Flatpak manifests
opened 12:19AM - 21 Feb 24 UTC
sonnyp
This is a follow up from a conversation around https://popey.com/blog/2024/02/ex…odus-bitcoin-wallet-490k-swindle/ and how Flathub is vulnerable.

We already do pretty well with:

* All new submissions are reviewed
* All permission updates are reviewed

For practical purposes we don't review all manifest changes. However, reviewing domain changes would go a long way in preventing malware from making its way in via manifest updates.

Consider the following scenario:

* Actor submits a legit https://github.com/flathub/io.exodus.Exodus/ which downloads sources from exodus.com
* Submission gets reviewed and approved
* Actor updates the manifest to download sources from ex0dus.com
* The update is automatically approved and the malware makes its way into Flathub

I propose to add manual reviews for new domains in source download URLs. "Domain" is used loosely here and we should consider also reviewing changes in well-known source providers such as github.com/*/*

Something to watch out for is IDN homograph attacks.

One possible optimization would be to remove manual reviews if a verified app only downloads from its verified domain.
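One way the proposed check could be implemented, as an added example that is not part of the issue or of the flathub-infra code: it diffs the source-download origins of an approved and an updated manifest, reports every newly introduced origin for manual review, and flags the ones that look like IDNs for a homograph check. The sample manifests and URLs are constructed, and scoping github.com and gitlab.com by owner/repo is an assumption.

```python
from urllib.parse import urlsplit

# Constructed sample manifests, not from the flathub repo: the approved
# version fetches from exodus.com, the update swaps in a look-alike host.
APPROVED = {"modules": [{"name": "exodus", "sources": [
    {"type": "archive", "url": "https://exodus.com/exodus-1.0.tar.gz"},
    {"type": "git", "url": "https://github.com/example-org/helper.git"}]}]}
UPDATED = {"modules": [{"name": "exodus", "sources": [
    {"type": "archive", "url": "https://ex0dus.com/exodus-1.1.tar.gz"},
    {"type": "git", "url": "https://github.com/example-org/helper.git"}]}]}

# Hosts where the meaningful "domain" is host/owner/repo, as the issue
# suggests for github.com/*/* (which hosts to scope this way is an assumption).
PATH_SCOPED_HOSTS = {"github.com", "gitlab.com"}

def source_origins(manifest: dict) -> set[str]:
    """Collect every download origin from a manifest, nested modules included."""
    origins: set[str] = set()
    for module in manifest.get("modules", []):
        if isinstance(module, str):   # path to a separate module file; not resolved here
            continue
        for src in module.get("sources", []):
            url = src.get("url") if isinstance(src, dict) else None
            if not url:
                continue          # e.g. inline "script" or "patch" sources have no URL
            parts = urlsplit(url)
            host = (parts.hostname or "").lower()
            if host in PATH_SCOPED_HOSTS:
                owner_repo = "/".join(parts.path.strip("/").split("/")[:2])
                origins.add(f"{host}/{owner_repo.removesuffix('.git')}")
            else:
                origins.add(host)
        origins |= source_origins(module)   # a module may carry its own "modules"
    return origins

def looks_like_idn(host: str) -> bool:
    """Non-ASCII or punycode (xn--) labels need a homograph check by a human."""
    return not host.isascii() or any(l.startswith("xn--") for l in host.split("."))

def new_origins_for_review(approved: dict, updated: dict) -> dict[str, bool]:
    """Origins the update introduces, each mapped to whether it looks like an IDN.
    An empty result means the change touches no new source domain."""
    added = source_origins(updated) - source_origins(approved)
    return {origin: looks_like_idn(origin) for origin in sorted(added)}

if __name__ == "__main__":
    for origin, idn in new_origins_for_review(APPROVED, UPDATED).items():
        print(f"needs review: {origin}{'  (possible IDN homograph)' if idn else ''}")
```

Note that a plain ASCII look-alike such as ex0dus.com passes the IDN test; it is caught only because any new origin is queued for a human review.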