The Security Scariness of FlatPak
Hey guys, so I was doing some work with RHEL the other day and bumped into FlatPak... And ohhhhhhhhhhhhhhhh, the potential concerns with the software made me question why my client uses it.
If you've worked as a Systems Administrator or are familiar with Linux, you have most likely used Red Hat Enterprise Linux or Fedora Linux. On these systems, a package management system called FlatPak is on the rise. However, the security flaws and blatant lack of concern posed by their development team is astounding enough to possibly cause major blows to user privacy on their systems.
Flat What?
FlatPak was originally a revolutionary piece of software whose inception came from the package management problem in Linux. For those who are unaware, different Linux Distributions (systems) use different command-line utilities to allow the installation, upgrade and removal of software. Due to this issue, the people working at Red Hat figured it would be a good idea to make packages universal, and they birthed several projects like AppImage and FlatPak, which are all considered standard utilities in Fedora and Red Hat Linux installations.
It's Escaping!!!
FlatPak uses a site called FlatHub for installing packages, and almost all of them on the site have write permissions to the user's home directory- even if it's not necessary. So in theory, it's possible to simply add a program to FlatHub that executes the equivalent of echo "malicious_command" >> ~/.bashrc and suddenly get full access to the system.
Though the developers at Red Hat and Fedora claim FlatPak is sandboxed (contained) securely to avoid these problems, this is apparently not true.
Old Farts
FlatHub doesn't have the latest software, either. For example, Firefox is one full release version behind. This poses potential security concerns as vulnerabilities old software get fixed in new software releases. Though companies and organizations offer security patches to fix the vulnerabilities, a third party packager like FlatPak will probably be slow to apply them.
However, this is outside of the goal of FlatPak. The entire goal of the system is to allow for universal software and packages to be installed easily. For this to occur, they might be stuck using older versions. So it begs the question: Should a privacy minded individual even consider FlatPak or programs with similar goals?
Security Issue (un)Responsiveness
A couple years back, the developers of FlatPak considered CVE-2017-9780 a minor security issue- when in reality it was a full fledged local root exploit. What this means is any hacker who wanted to get root access a couple years back could just create a FlatPak app that contained the code to effectively set user id as root, and it would work. This allowed any hacker to distribute malicious software and get administrative access to Linux boxes running FlatPak. Their lack of concern is still shocking to this very day, and one could only hope that they have changed their attitude towards security.
HOWEVER...
FlatPak was only designed to be a universal software distribution tool. Even as such, this all poses a big question for whether or not Linux users should consider systems like FlatPak or Snap for installation of software... Since there's so many potential security concerns, is this worth using?
On top of this, there's already Linux Distributions such as Bedrock Linux that allow for installation of Linux software using multiple different package managers. This seems like a far more robust solution, but still isn't 100% of the way there yet.
So What Should I Do?
If you're okay with the security risks, continue to use FlatPak, Snap, or whatever universal packaging tool you use. But if you're not okay with them and you value your privacy, consider not using them or finding a solid alternative until the kinks get worked out.
References: https://github.com/flatpak/flatpak/releases/tag/0.8.7
https://www.cvedetails.com/cve/CVE-2017-9780/
Liked This Content? Check Out Our Discord Community and Become an email subscriber!