bitcoin namesquatting

Bug #1803914 reported by Matt Corallo
276
This bug affects 4 people
Affects Status Importance Assigned to Milestone
Snap Store Server
Fix Released
Undecided
Unassigned

Bug Description

There doesn't appear to be a place to report this kind of thing, but at least https://snapcraft.io/bitcoin-qt appears to be some random package which isn't a released version and at least https://snapcraft.io/bitcoin, https://snapcraft.io/bitcoin-ec, and https://snapcraft.io/bitcoin-unlimited are (a) significantly out-of-date, (b) have outstanding major CVEs against them, (c) (for the "bitcoin" snap) actually shipping software which is different from what is claimed by the description (at least if the developer website/contact link is correct), (d) don't have a valid contact link for the developer, (e) a massive security risk for users, given the random individual appears to be able to push updates which arbitrarily steal users' money.

It seems massively dangerous that someone can come along and upload a "bitcoin" package and get users to install it when it is clearly bogus, especially when the Bitcoin Core project (which is being imitated here) has an officially-supported Bitcoin PPA (see https://bitcoincore.org/en/download/)! How do we get these snaps taken down and prevent people from uploading bitcoin/bitcoin-qt/bitcoin-core/etc snaps in the future?

CVE References

Revision history for this message
Matt Corallo (bluematt) wrote :
information type: Private Security → Public Security
Kyle Fazzari (kyrofa)
no longer affects: snapcraft
Revision history for this message
Gal Buki (torusjkl) wrote :

Thanks for reporting this.

(a) the used version of BitcoinUnlimited in the bitcoin-qt snap is compatible with the BTC network and there are no CVEs for this version

(b) the bitcoin snap stopped updating automatically and thus got stuck at an older version, I will check why this happened

(c) I have removed the links of the bitcoin snap and will enter new information once I have established which links are the correct ones to use

(d) please see c

(e) the snap uses the official Github repositories of BitcoinCore and BitcoinUnlimited.

I will contact Canonical and see how I can make these snaps better so that it is more clear to the user what he downloads and installs.

In regards to bitcoin-ec I have not found a way to remove the package from the snap store.
I will check with Canonical if this is possible.

Revision history for this message
Matt Corallo (bluematt) wrote :

(a) "BitcoinUnlimited" is a wholly different project from Bitcoin-Qt. Squatting on the "bitcoin-qt" name (which is a standard package in Debian Testing/used to be in Ubuntu/the Bitcoin Core PPA) to ship Bitcoin Unlimited (an unrelated software project) is definitely not OK. Further, Bitcoin Unlimited is fundamentally insecure, see https://eprint.iacr.org/2017/686.pdf.

(c/d) So is the "bitcoin" snap publishing Bitcoin Classic, or is it publishing software from the Bitcoin Core project, as the name implies?

Historically, Ubuntu/Debian shipped Bitcoin Core packages with other packages, but those were removed at the request of upstream due to the unique nature of Bitcoin both as a financial system as a consensus system putting users at needless risk when updates are not made available in a timely fashion.

In that context, I think it should be pretty obvious that snaps which control/manage peoples' Bitcoin, especially full node versions thereof, uploaded by individuals unrelated to the projects in question is really not OK and a real risk for Ubuntu users.

Revision history for this message
Gal Buki (torusjkl) wrote :

(a) based on the shown paper an other infos that have been reported to me I have closed the bitcoin-qt, bitcoin-unlimited and bitcoin-ec channels and set the snaps to private.
They should not be shown in the Software Center anymore.

(c/d) it uses the bitcoin core repository as its source.

Revision history for this message
Gal Buki (torusjkl) wrote :

version 0.17.1 (latest) is now available in the stable channel.

Revision history for this message
Gal Buki (torusjkl) wrote :

insecure versions have been removed and bitcoin core has been updated to 0.17.1 which is the latest released version.

Changed in snapstore:
status: New → Fix Released
Revision history for this message
Matt Corallo (bluematt) wrote :

This bug is about the fact that such namesquatting is possible, and a process question about how it can be avoided in the future. Note that Bitcoin Core v0.17.1 is NOT yet released, and uploading it to the snap store is a great example of why individuals who aren't working with upstream projects or who don't have experience being maintainers shouldn't be responsible for uploading packages that can put user money at risk. In this case, uploading a pre-release version as if it were a released version is also a major issue.

Changed in snapstore:
status: Fix Released → New
Revision history for this message
Russell Yanofsky (ryanofsky) wrote :

To depersonalize this a bit, I think bluematt is saying that anything which isn't byte-for-byte copy of an official release from https://bitcoincore.org/en/download/ shouldn't be labeled as such and shouldn't namesquat on the "Bitcoin" name.

I think it probably would ok for there to be an _unofficial_ snap release that was clearly labeled, and didn't give the impression of being identical to the upstream version of bitcoin.

It might also be possible for someone to work with the Bitcoin project to create an official, deterministically built and verifiable snap build to accompany existing windows, dmg, and deb builds. But this would take probably take a lot more technical work and discussion.

Revision history for this message
Matt Corallo (bluematt) wrote :

Indeed, I'm less concerned about the packages here and more concerned with the fact that anyone, completely unbeknownst to upstream (which maintains official Ubuntu packages), or any users, was able to upload a package which Ubuntu would, by default, suggest users install to manage Bitcoin, with zero oversight whatsoever. This seems like a rather large attack vector to attack Ubuntu users en-masse.

Revision history for this message
Gal Buki (torusjkl) wrote :

The Bitcoin Core download page clearly says that this release is the latest.
I don't see why you say it is not yet released.

Revision history for this message
Matt Corallo (bluematt) wrote : Re: [Bug 1803914] Re: bitcoin namesquatting

I think you're confusing 0.17.1 with 0.17.0.1.

> On Dec 13, 2018, at 00:08, Gal Buki <email address hidden> wrote:
>
> The Bitcoin Core download page clearly says that this release is the latest.
> I don't see why you say it is not yet released.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1803914
>
> Title:
> bitcoin namesquatting
>
> Status in Snap Store:
> New
>
> Bug description:
> There doesn't appear to be a place to report this kind of thing, but
> at least https://snapcraft.io/bitcoin-qt appears to be some random
> package which isn't a released version and at least
> https://snapcraft.io/bitcoin, https://snapcraft.io/bitcoin-ec, and
> https://snapcraft.io/bitcoin-unlimited are (a) significantly out-of-
> date, (b) have outstanding major CVEs against them, (c) (for the
> "bitcoin" snap) actually shipping software which is different from
> what is claimed by the description (at least if the developer
> website/contact link is correct), (d) don't have a valid contact link
> for the developer, (e) a massive security risk for users, given the
> random individual appears to be able to push updates which arbitrarily
> steal users' money.
>
> It seems massively dangerous that someone can come along and upload a
> "bitcoin" package and get users to install it when it is clearly
> bogus, especially when the Bitcoin Core project (which is being
> imitated here) has an officially-supported Bitcoin PPA (see
> https://bitcoincore.org/en/download/)! How do we get these snaps taken
> down and prevent people from uploading bitcoin/bitcoin-qt/bitcoin-
> core/etc snaps in the future?
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/snapstore/+bug/1803914/+subscriptions

Revision history for this message
Gal Buki (torusjkl) wrote :
Revision history for this message
Matt Corallo (bluematt) wrote :

Those release notes are for the *upcoming* 0.17.1 release which is currently in the RC process (and likely to be released next week).

> On Dec 13, 2018, at 15:37, Gal Buki <email address hidden> wrote:
>
> The release notes say that it's version 0.17.1
> https://github.com/bitcoin/bitcoin/commit/ef70f9b52b851c7997a9f1a0834714e3eebc1fd8
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1803914
>
> Title:
> bitcoin namesquatting
>
> Status in Snap Store:
> New
>
> Bug description:
> There doesn't appear to be a place to report this kind of thing, but
> at least https://snapcraft.io/bitcoin-qt appears to be some random
> package which isn't a released version and at least
> https://snapcraft.io/bitcoin, https://snapcraft.io/bitcoin-ec, and
> https://snapcraft.io/bitcoin-unlimited are (a) significantly out-of-
> date, (b) have outstanding major CVEs against them, (c) (for the
> "bitcoin" snap) actually shipping software which is different from
> what is claimed by the description (at least if the developer
> website/contact link is correct), (d) don't have a valid contact link
> for the developer, (e) a massive security risk for users, given the
> random individual appears to be able to push updates which arbitrarily
> steal users' money.
>
> It seems massively dangerous that someone can come along and upload a
> "bitcoin" package and get users to install it when it is clearly
> bogus, especially when the Bitcoin Core project (which is being
> imitated here) has an officially-supported Bitcoin PPA (see
> https://bitcoincore.org/en/download/)! How do we get these snaps taken
> down and prevent people from uploading bitcoin/bitcoin-qt/bitcoin-
> core/etc snaps in the future?
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/snapstore/+bug/1803914/+subscriptions

Revision history for this message
Gal Buki (torusjkl) wrote :

I see what you mean.
The latest published version in the stable channel is now 0.17.0.1

Revision history for this message
Matt Corallo (bluematt) wrote :

We're gonna put a warning[1] up on bitcoincore.org warning users not to use the Ubuntu Software Center until this is resolved. What the general policy is in the Ubuntu Software stuff isn't really my business, but until there is some change which results in people not being able to masquerade as random Bitcoin wallets without any oversight we need to protect our users.

[1] https://github.com/bitcoin-core/bitcoincore.org/pull/635

Revision history for this message
Alan Pope 🍺🐧🐱 🦄 (popey) wrote :

There's been no conversation on this bug for a month , is there still work to do here? I note that most of the snaps mentioned in the description no longer appear to be published, but only the bitcoin snap itself remains.

As I understand it, core bitcoin team are unhappy a third party has claimed the bitcoin name in the snap store.
We (Snap Store) do indeed prefer that core upstream teams are the publishers for snaps in the store. Sometimes that isn't possible, or desireable upstream, so an enthusiastic community contributor, or third party may indeed upload a build of the software in question.

For bitcoin, we understand this may be problematic. The way I see it there are a few ways forward.

1) The bitcoin snap is removed from the store, and the name set aside such that we only allow a bitcoin core developer to publish to it.
2) The bitcoin snap is transferred to the bitcoin core team, who can choose to make it private, continue to update it at their discretion.
3) The snap is left as-is, with Gal Buki publishing updates.

I believe bitcoin core team prefer 1 or 2, I would prefer 2, but 1 is fine, if that's the desire from upstream. The Snap Store admin team are able to process the steps necessary for 1 and 2.

One additional feature [1] not currently in use, which may be desireable, for options 2 and 3 is to enable manifests in the snap. Essentially setting SNAPCRAFT_BUILD_INFO=1 on the build system will cause snapcraft to add a snap/manifest.yaml inserted into the snap. This file details what components were used to build the snap, and links to the build log. This may be appreciated for auditing and transparency purposes. If the snap is built in launchpad or on build.snapcraft.io, I believe this is enabled by default. This option has not been used for the current build of the bitcoin snap, but could be, to give users confidence in the origin of the code in the snap.

[1] https://snapcraft.io/blog/introducing-developer-notifications-for-snap-security-updates

Revision history for this message
Matt Corallo (bluematt) wrote :

The concern is broader than just the snap under the name "bitcoin". Right now if you go search for "Bitcoin" in the Ubuntu Software Center you get a package maintained by a third party. While in this case Gal appears to be responsive to update requests, what prevents Bob from going and uploading a "bitcoin-core" snap or a "bitcoin-qt" snap or a "bitcoin-wallet" snap or one of any other many possible name variants containing malware which outright steals money from users? There is currently also an "Electrum" snap of unknown origin.

I don't know anyone in upstream who currently has the bandwidth to maintain a snap, so while taking the name and making it private solves (kinda) one problem, it makes it even easier for Bob to come along and publish malware.

Its my understanding that the snap security model implies sandboxing to try to reduce attack surface of random users uploading malicious software, but in the case of Bitcoin Wallets generally, this obviously doesn't help all that much, as the thing you want to steal is being provided by the user directly anyway.

Revision history for this message
Jalon Funk (francescohickle15) wrote :

This is general problem which was reported earlier, i.e https://forum.snapcraft.io/t/bogus-apps-in-store/4703

The current snap store environment is similar to google play store: anyone can upload anything and name it as they wish. If snaps gain traction there would be even more incentive to upload *ware apps. There was already one coin miner. Google is removing thousands of harmful apps and puts more requirements in place, automatic scanning etc. I doubt canonical will have resources for this.

Revision history for this message
Celso Providelo (cprov) wrote :

Answering Matt's point:

... what prevents Bob from going and uploading a "bitcoin-core" snap or a "bitcoin-qt" snap or a "bitcoin-wallet" snap or one of any other many possible name variants containing malware which outright steals money from users?

Snaps names matching 'bitcoin*' are not generally available since this bug was filed. Developers trying to register those names will go through a name-dispute process and the store reviewers will ensure they are aligned with upstream and the package maintainers.

Since the issue originally reported in this bug is solved ('bitcoin*' is reserved), I would suggest moving this conversation to the forum where it can benefit of a wider audience, particularly other money-sensitive snaps.

Changed in snapstore:
status: New → Fix Released
Revision history for this message
Gal Buki (torusjkl) wrote :

SNAPCRAFT_BUILD_INFO=1 looks desirable and I will include it in the next release.

Regarding transferring the control of the snap.
The Bitcoin Core developers are known to be very loud (accusing everyone not part of their inner circle of being malicious) and like to monopolize everything around bitcoin.
Like claiming to be the only rightful group to use the name bitcoin.

If this snap was called bitcoin-core I would have understood their claim and options 1) or 2) would have been fair.

But claiming the name bitcoin as their own solely based on the fact that their implementation is currently the most used on the BTC chain does not care any merit.
First of all, it is not guaranteed that their implementation will stay the most used and second it is not even a given that this metric is the correct one to use in the first place.

Bitcoin is more than just the name of a repository on GitHub.
It is an idea, an economic system, multiple competing implementations and parties and above all it is decentralized.
This has let to many people owning the bitcoin name in various ways.

bitcoin.org is owned by Cobra
bitcointalk.org is owned by Theymos
/r/bitcoin is owned by Theymos
bitcoin.com is owned by Roger Ver
/r/btc is owned by Roger Ver
bitcoincore.org is owned by the Bitcoin Core team
github.com/bitcoin is owned by the Bitcoin Core team
bitcoinknots.org is owned by Luke Dash-Jr
gitlab.com/bitcoin is owned by Luke Dash-Jr
bitcoin Debian packages are owned by the Debian Cryptocoin team (and other individuals)
bitcoin the snap is owned by Gal Buki

The only one person who would have the right to dispute a "namesquatting" and claim the bitcoin name for all of the above would be Satoshi Nakamoto.

For what it's worth the Bitcoin Core team is doing their fair share of namesquatting the bitcoin name by owning the name on GitHub to keep their implementation (called Bitcoin Core) under this name and giving the impression that they are Bitcoin.

Revision history for this message
Russell Yanofsky (ryanofsky) wrote :

I can't speak for anyone else, but personally I'd be thrilled if Gal Buki is interested in maintaining the bitcoin snap. I just think the snap needs to pull from a repository like https://github.com/bitcoin-core/packaging which is associated with the bitcoin project and gets review from regular bitcoin contributors, rather than a personal repository like https://github.com/torusJKL/blockchain-snaps that isn't getting review. My concerns are only about review and transparency, and avoiding having to trust one person to not insert backdoors.

I created https://github.com/bitcoin-core/packaging/pull/9 to enable transfering the snap. But Gal, I'd happily abandon this if you want to submit your own pull requests. Your contributions are welcome and appreciated.

Revision history for this message
Matt Corallo (bluematt) wrote :

I think maybe this issue has gotten somewhat confused, "namesquatting" is maybe less descriptive than it should be. This has nothing to do with Gal or some Bitcoin/Bitcoin Cash spat. The question is ultimately around who can upload what. Ideally snapcraft could pull from github/bitcoin-core/packaging automatically for Bitcoin Core packaging without requiring any single individual's machine be responsible for that process (not sure if that's possible?), but, failing that, having someone who is actively involved in a project/reasonably trusted by the project's maintainers should be the only one allowed to upload builds for any given cryptocurrency project.

Revision history for this message
Gal Buki (torusjkl) wrote :

Russell, I appriciate your iniciative and the feedback Matt has given on the pull request.
This has moved to a healthy discussion without accusations and I'm happy to weight the pros and cons.
I will get back to you.

Revision history for this message
Wieland Gmeiner (wielandgmeiner) wrote :

Gal Buki, can you clarify

1) What software exactly you provide with the name "bitcoin" under the "bitcoin" namespace on snap you own.
2) Why you don't properly label it and provide a link to the project page of the software you package there.

Thanks.

Revision history for this message
Russell Yanofsky (ryanofsky) wrote :

Wieland, as far as we know the current bitcoin snaps are pointing at releases built from the https://github.com/bitcoin/bitcoin repository, but we don't currently have a good way to verify this. We are working with the snap security team to add new snaps from https://github.com/bitcoin-core/packaging/blob/master/snap/snapcraft.yaml and have better ways to verify in the future.

I haven't seen any improperly labeled snaps myself, though they might have existed in the past. If they did, that was obviously a bad mistake that we want to avoid repeating.

To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers