Replies: 2 comments 1 reply
-
Thanks for the detailed response! I'm still new to winget and didn't realize that there was going to be a logical separation between the MS Store and community repos, and that the MS Store would be the default with community being opt-in. That alleviates most of my concerns for layman users. I would still love to see an indication/warning that the installer source has changed if you're upgrading an already-installed package (at minimum when there are domain changes), and show the URL of the new installer. If (as you indicated) you're manually checking hashes against the application's official source then this is less of an issue, but it seems like manual validation would become unmanageable once there are thousands of apps in the community repo (though maybe I'm wrong about that 🙂). As a side note regarding automated scanners/antivirus, as great as they are, we shouldn't be relying on them completely to catch anything malicious. It's easy to think of a number of malicious actions that automated systems wouldn't catch. E.g. a Teracopy where every copy/move action is redirected to the delete action. Or an Irfanview that adds a watermark to every image you save and deletes the original. Again, if the manual validation of the hashes from the official sources continues then this isn't a problem, I'm just concerned what would happen if/when those manual hash validations stop.
-
I think a hash alone is not sufficient for security. Perhaps a parity file would be better.
-
In PR #20548, it looks like the Teracopy install URL has been changed from the official one (https://www.codesector.com/files/teracopy.exe) to some BackBlaze B2 bucket (https://codesector.s3.us-west-000.backblazeb2.com/teracopy.exe). The SHA for the EXE currently matches the official one, but it could be changed at any point by whoever controls the bucket. This feels like a major security risk, where anyone can submit a PR to change the install URL of a package, and any user that runs a `winget upgrade` on a package that was installed from the official install URL could receive a malicious update. Am I missing something here?
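The two things this thread asks for, a warning when an upgrade's installer host changes and a check that the downloaded bytes still match the manifest's SHA256, are small enough to show in working code. The block below is an added example and is not part of the winget project or of any comment in the thread: the two manifest fragments are constructed in the winget singleton-manifest style with a placeholder version, the installer bytes are a constructed stand-in rather than a real EXE, and the only real values used are the two URLs quoted in the original post. It is written in Python to stay offline and dependency-free; a tiny line-based parser replaces a YAML library because only two fields matter here.

```python
import hashlib
import re
from typing import Dict, List
from urllib.parse import urlparse

# --- Constructed sample data (not real winget-pkgs manifests or binaries) ---
# Stand-in for the installer bytes; a real check would hash the downloaded EXE.
GOOD_BLOB = b"MZ\x90\x00constructed stand-in for teracopy.exe, not a real installer"
TAMPERED_BLOB = GOOD_BLOB + b"\x00extra bytes appended by whoever controls the bucket"
GOOD_SHA = hashlib.sha256(GOOD_BLOB).hexdigest()

# Minimal manifest in the winget singleton style; the version is a placeholder
# and only the fields this check reads are included.
OLD_MANIFEST = f"""\
PackageIdentifier: CodeSector.TeraCopy
PackageVersion: 1.0.0
Installers:
  - Architecture: x86
    InstallerUrl: https://www.codesector.com/files/teracopy.exe
    InstallerSha256: {GOOD_SHA}
ManifestType: singleton
"""

# Same hash, different host: the situation described in the original post.
NEW_MANIFEST = OLD_MANIFEST.replace(
    "https://www.codesector.com/files/teracopy.exe",
    "https://codesector.s3.us-west-000.backblazeb2.com/teracopy.exe",
)


def parse_installers(manifest: str) -> List[Dict[str, str]]:
    """Return the (InstallerUrl, InstallerSha256) pairs of a manifest, in order.

    Deliberately small line-based parsing: no YAML dependency, and only the
    two fields the check depends on are accepted.
    """
    urls = re.findall(r"^\s*InstallerUrl:\s*(\S+)\s*$", manifest, re.M)
    hashes = re.findall(r"^\s*InstallerSha256:\s*([0-9A-Fa-f]{64})\s*$", manifest, re.M)
    if len(urls) != len(hashes):
        raise ValueError("each installer needs both InstallerUrl and InstallerSha256")
    return [{"url": u, "sha256": h.lower()} for u, h in zip(urls, hashes)]


def source_warnings(old_manifest: str, new_manifest: str) -> List[str]:
    """Compare the installer entries of the installed and the upgrade manifest.

    Any URL change is reported; a change of host is called out separately
    because it changes who controls the bytes being served, even when the
    SHA256 recorded in the manifest is unchanged.
    """
    old = parse_installers(old_manifest)
    new = parse_installers(new_manifest)
    warnings: List[str] = []
    for i, (o, n) in enumerate(zip(old, new)):
        old_host = urlparse(o["url"]).hostname
        new_host = urlparse(n["url"]).hostname
        if old_host != new_host:
            warnings.append(
                f"installer {i}: host changed {old_host} -> {new_host} "
                f"(new URL: {n['url']})"
            )
        elif o["url"] != n["url"]:
            warnings.append(f"installer {i}: URL changed on the same host: {n['url']}")
        if o["sha256"] != n["sha256"]:
            warnings.append(f"installer {i}: InstallerSha256 changed")
    if len(old) != len(new):
        warnings.append(f"installer count changed {len(old)} -> {len(new)}")
    return warnings


def verify_download(blob: bytes, expected_sha256: str) -> bool:
    """True when the downloaded bytes hash to the manifest's InstallerSha256."""
    return hashlib.sha256(blob).hexdigest() == expected_sha256.lower()


if __name__ == "__main__":
    for w in source_warnings(OLD_MANIFEST, NEW_MANIFEST):
        print("WARNING:", w)
    new_sha = parse_installers(NEW_MANIFEST)[0]["sha256"]
    print("download matches manifest hash:", verify_download(GOOD_BLOB, new_sha))
    print("tampered download matches:", verify_download(TAMPERED_BLOB, new_sha))
```

Running it prints one warning for the host change and then shows the hash check passing for the unchanged bytes and failing for the tampered ones. The point the check makes visible is the one the thread raises: the pinned SHA256 only protects a user for as long as the manifest hash is trusted and kept in sync with the official binary, so a host change deserves a warning on its own, regardless of whether the hash still matches today.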