A critical vulnerability in Canonical's Snap Store allows attackers to hijack abandoned Linux applications by purchasing expired domains. This method enables malicious updates to be pushed automatically to users' systems. The issue was highlighted in an analysis by former Canonical engineer Alan Pope.
In the open-source world of Linux package management, a subtle yet dangerous flaw has emerged in the Snap Store, Canonical's platform for distributing Ubuntu applications. Attackers exploit expired domains linked to abandoned projects, using them to seize control of publisher accounts without breaching the store's servers directly. This 'zombie domain' threat turns the trust-based system into a vector for malware distribution, as detailed in a recent exposé by Alan Pope, a former engineering manager and developer advocate at Canonical. An earlier report had incorrectly credited the work to Daniele Procida, now a director of engineering at Canonical, but the analysis and original blog post belong to Pope.

Published on January 27, 2026, the findings reveal how the Snap packaging format's metadata, specifically the public contact email in the snap.yaml file, becomes a weak point. When developers abandon projects, their domains lapse, creating opportunities for bad actors to register them cheaply (often for under $10) and set up email handlers to intercept password reset tokens from the Snap Store. With account access secured, attackers can upload malicious updates that install silently via the platform's automatic background updates, potentially granting root privileges or enabling activities like cryptomining and data theft.

This approach hijacks authentic applications rather than mimicking them through typo-squatting, amplifying the risk in enterprise settings reliant on Snaps for servers and desktops. Pope's work underscores the low barrier to entry for such attacks, with simple tools available to scan the store for vulnerable domains. The vulnerability persists due to static verification processes, where 'verified publisher' badges remain even after domain ownership changes, eroding user trust. Similar issues plague repositories like NPM and PyPI, but Snap's direct tie between public emails and account recovery makes it especially susceptible.
The snap info command further aids attackers by openly displaying contact details, prioritizing transparency over security. To counter this, experts advocate for ongoing publisher verification and masking of email addresses, though such reforms would demand major platform overhauls. Until addressed, users must manually verify software sources, undermining the convenience of automated updates. This case illustrates broader challenges in securing software supply chains, where digital identities hinge on mundane factors like domain renewals.
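The manual verification the article ends on can be partly automated on the defending side: an administrator can audit the snaps installed on a fleet, pull the publisher contact out of `snap info` output, and check whether that contact's domain still resolves, pausing automatic refreshes for anything whose recovery e-mail domain has gone dark. The following is an added example written for this article, not code from Pope's analysis or from snapd; the three snap records are constructed, the domain names are placeholders, and the liveness check is a DNS heuristic rather than a registration lookup.

```python
import re
import socket
from typing import Callable, Dict, List, Optional

# Constructed `snap info` output for three hypothetical snaps (not real store entries).
# The tick after the first publisher is the verified badge; the article explains it can
# outlive the domain it was checked against, so the audit deliberately ignores it.
SNAP_INFO_SAMPLES: Dict[str, str] = {
    "example-tool": "name:      example-tool\npublisher: Example Devs\u2713\n"
                    "contact:   mailto:maintainer@example-tool.test\nlicense:   MIT\n",
    "other-app":    "name:      other-app\npublisher: Other Org\n"
                    "contact:   https://other-app.example/contact\n",
    "third-snap":   "name:      third-snap\npublisher: Third Team\n"
                    "contact:   team@third.test\n",
}
CONTACT_RE = re.compile(r"^contact:\s*(\S+)\s*$", re.MULTILINE)
EMAIL_RE = re.compile(r"^(?:mailto:)?[^@\s]+@([A-Za-z0-9.-]+)$")

def contact_domain(info_text: str) -> Optional[str]:
    """Domain of the contact e-mail, or None if the contact is absent or a URL."""
    match = CONTACT_RE.search(info_text)
    email = EMAIL_RE.match(match.group(1)) if match else None
    return email.group(1).lower().rstrip(".") if email else None

def domain_resolves(domain: str) -> bool:
    """Liveness heuristic: a lapsed, unregistered domain normally returns NXDOMAIN.
    A re-registered domain resolves again, so 'ok' is necessary, not sufficient."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False

def audit(samples: Dict[str, str],
          resolves: Callable[[str], bool] = domain_resolves) -> Dict[str, str]:
    """Classify each snap as 'ok', 'no-email-contact' or 'contact-domain-dead'."""
    report = {}
    for name, text in samples.items():
        domain = contact_domain(text)
        if domain is None:
            report[name] = "no-email-contact"
        else:
            report[name] = "ok" if resolves(domain) else "contact-domain-dead"
    return report

def hold_commands(report: Dict[str, str]) -> List[str]:
    """snapd commands (snapd 2.58+) that pause automatic refreshes for flagged snaps,
    buying time to verify the publisher out of band before the next update lands."""
    return [f"snap refresh --hold {name}" for name, status in sorted(report.items())
            if status == "contact-domain-dead"]
```

A 'contact-domain-dead' result only means the recovery path described in the article is exposed; whether the account has actually been taken over has to be confirmed with the publisher through a channel that does not depend on that domain.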