The LinuxFX Data Leak, as a LinuxFX user

#software #news

LinuxFX, a commercial Linux distribution designed to mimic Microsoft Windows' desktop and user experience, has suffered a data leak, which also revealed that the OS collects users' IP addresses and geodata. Here is my opinion on the matter as a LinuxFX user.

My experience with LinuxFX

I first used LinuxFX on 24th September 2021. I installed it on my sister's laptop, as she was familiar with Microsoft Windows, didn't really need any Windows-specific app that couldn't be emulated with Wine, and wanted her computer to run more smoothly.

I thought LinuxFX could be the solution to leave my sister with a fast OS that could accommodate all her needs and didn't need much maintenance. And so far, LinuxFX has done a good job at it. Being based on Ubuntu, the OS is very stable and has worked without issues for months. However, at least one user reportedly had to reinstall the OS several times after upgrades.

The emulation of Windows software is what one would expect, that is to say, not perfect, and I did have to get my hands dirty with PlayOnLinux and its config to install a working version of Microsoft Office. In this sense, the promised “advanced compatibility” did little, but it could be useful for other use cases.

I've found the other LinuxFX features are pretty useless. For example, the promised Dropbox compatibility is horrible to use, feels very sketchy and unpolished, and crashes when I try to log in (and now I wonder where the hell my credentials are). I haven't used Helloa, the virtual assistant-Cortana-ripoff-thing since it's just using Google Assistant's API.

So I left it as it was – my sister regularly uses the computer without issues. She doesn't care about it not being fully open source and is overall happy.

And then, the security breach

Some software used for LinuxFX license validation has been found vulnerable by user Satya Nutella from Kernal. The main security method used by the software was security through obscurity, which offers no real protection once someone looks. In this case, it didn't take much time to find out that the client connects directly to a MySQL server on a remote host, and after sniffing the connection, Satya was able to obtain the database's password and dump the database.

In simpler words, here's what the LinuxFX program does:

[Figure: flow chart of how LinuxFX communicates with the database]

The client (your computer) sends the information it is made to store straight to the database (on a remote server), and to log in it has to carry the database's own credentials with it.

Here's how most other software does it, i.e. the correct way:

[Figure: flow chart of how LinuxFX should communicate with the database]

The client sends a request to an API endpoint (on a remote server) that requires no database credentials; the server, acting as a middleman, holds those credentials and attaches them itself when it talks to the database. This way, the client never needs to know the database's credentials, which could otherwise be used to edit or dump the whole database. The endpoint may still identify the client (for example with a per-install token), but such a token only unlocks the few operations the API exposes, not raw database access.

For a more detailed explanation of how the vulnerability was found, I recommend reading the original post, which goes into much greater detail.

Anyone who has ever developed any kind of software should be aware that the first way is extremely dangerous: whatever credential the client uses must live on the user's machine, so anyone with a copy of the program or a capture of its network traffic can recover it, and a database login typically allows far more than the single insert the client needs. In my opinion, it's a major concern, because seeing how little the developer seems to care about security makes me wonder what other kinds of vulnerabilities are hidden under more layers of security through obscurity that will eventually be bypassed.
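The two flows above, side by side, as an added example that is not LinuxFX or WXDesktop code. To run offline it assumes an in-memory SQLite database standing in for the remote MySQL server, a made-up activation table and serial format, and a placeholder credential; the IP addresses are constructed sample data.

```python
"""Added example (not LinuxFX/WXDesktop code): the two activation
architectures described above, side by side. Assumptions so it runs offline:
an in-memory SQLite database stands in for the remote MySQL server, the
schema and serial format are made up, and the credential is a placeholder."""
import hmac
import sqlite3

# Constructed sample data: one serial the vendor recognises, and one row
# already stored from an earlier user (IP address plus geodata).
VALID_SERIALS = {"WX-1111-2222-3333"}
EXISTING_ROW = ("WX-9999-8888-7777", "203.0.113.7", "BR")


def make_database() -> sqlite3.Connection:
    """Stand-in for the vendor's remote database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE activations (serial TEXT, ip TEXT, country TEXT)")
    db.execute("INSERT INTO activations VALUES (?, ?, ?)", EXISTING_ROW)
    return db


# --- Pattern 1: the client logs into the database itself -------------------
# The credential must ship inside every copy of the client, so it can be
# pulled out of the binary or sniffed off the connection, and the database
# login allows arbitrary SQL, not just the one INSERT the client needs.
DB_USER = "wxdesktop"
DB_PASSWORD = "hunter2"  # constructed placeholder, not a real credential


def db_login(db: sqlite3.Connection, user: str, password: str) -> sqlite3.Connection:
    """Models the MySQL server's login check: anyone presenting the shared
    credential gets a handle that can run any query."""
    if user != DB_USER or not hmac.compare_digest(password, DB_PASSWORD):
        raise PermissionError("login failed")
    return db


def direct_client_register(db: sqlite3.Connection, serial: str, ip: str, country: str) -> None:
    """What the shipped client does: log in with the embedded credential and insert."""
    handle = db_login(db, DB_USER, DB_PASSWORD)
    handle.execute("INSERT INTO activations VALUES (?, ?, ?)", (serial, ip, country))


def attacker_dump(db: sqlite3.Connection, sniffed_user: str, sniffed_password: str) -> list:
    """What someone who captured the credential can do with the very same login."""
    handle = db_login(db, sniffed_user, sniffed_password)
    return handle.execute("SELECT serial, ip, country FROM activations").fetchall()


# --- Pattern 2: an API server in the middle holds the credential -----------
class ActivationServer:
    """The only component that ever touches the database. The client sends a
    serial and gets back a verdict; it has no way to issue SQL."""

    def __init__(self, db: sqlite3.Connection) -> None:
        self._db = db  # in production: opened with credentials kept server-side

    def activate(self, serial: str, client_ip: str, country: str) -> bool:
        # client_ip/country stand for what the server itself observes about the
        # connection; the client does not get to write arbitrary rows.
        if serial not in VALID_SERIALS:
            return False
        self._db.execute("INSERT INTO activations VALUES (?, ?, ?)", (serial, client_ip, country))
        return True


def api_client_activate(server: ActivationServer, serial: str) -> bool:
    """What the shipped client does under pattern 2: no credential anywhere."""
    return server.activate(serial, client_ip="198.51.100.5", country="IT")


def references_db_credential(fn) -> bool:
    """Quick check on client code: does it reach for the database password at all?"""
    return "DB_PASSWORD" in fn.__code__.co_names


def demo() -> dict:
    db1 = make_database()
    direct_client_register(db1, "WX-1111-2222-3333", "198.51.100.5", "IT")
    leaked = attacker_dump(db1, "wxdesktop", "hunter2")  # credential taken from a capture

    db2 = make_database()
    server = ActivationServer(db2)
    return {
        "rows_leaked_pattern1": len(leaked),
        "client1_holds_secret": references_db_credential(direct_client_register),
        "client2_holds_secret": references_db_credential(api_client_activate),
        "pattern2_good_serial": api_client_activate(server, "WX-1111-2222-3333"),
        "pattern2_bad_serial": api_client_activate(server, "WX-0000-0000-0000"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Under pattern 1 the sniffed credential yields every stored row, including other users' IP addresses and geodata; under pattern 2 the only thing a client (or an attacker with the client) can do is ask "is this serial valid?", and the password does not appear in the client code at all.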

It doesn't look like the developer wants to improve, either. After a supposed patch, Satya Nutella was able to find another vulnerability within days.

The developer's response

What worries me the most is how the developer is treating the situation, i.e. with absolutely no respect and no will to admit his mistakes. Kernal's posts do attack LinuxFX very sharply, forgetting all the good and focusing only on the bad, but this doesn't excuse a total lack of professionalism in addressing the issue.

As soon as the vulnerability was discovered, Rachid (LinuxFX's developer) revoked the database's credentials and submitted a patch. The new version was found to be vulnerable as well, as described earlier.

There is currently no patch for the new vulnerability, but the credentials have been revoked again. What is worrying is that the developer has changed the URLs which previously hosted the database's credentials (in plain text) to display fake credentials that make fun of the Kernal collective:

[Image: the URLs now showing the fake credentials]

“kernalisdumb” and “kernalislammer”? Sorry bud, but “lamer” is written with a single “m”, and a member of that group found two vulnerabilities in your software. This is a terrible attitude towards (partially) constructive feedback. When you realize that he's releasing commercial software that actual people pay for, it becomes ridiculous quickly.

He also seems to be playing down the issue in his Telegram support groups.

On 29th May 2022, Rachid wrote (translated):

> Hi group. I was out because I was developing an API for Linuxfx communication. The system is currently in listening mode with all resources released. We hope to return on Monday or Tuesday with the serial system working normally. The problem we had does not affect users and has nothing to do with the system itself. This only affects wxdesktop. I'm available on WhatsApp at 0800 881 3000 in case anyone has any questions. Thanks

Some issues right out of the gate:

– “The problem we had does not affect users” – Your users' IP addresses and geodata were leaked to an unknown number of people. How does this not affect users?

– “The problem we had [...] has nothing to do with the system itself” – Yes, it's true that it's a problem with WXDesktop, which is LinuxFX's additional software, but it comes preinstalled with LinuxFX, and it's a big part of why users get the OS in the first place.

Shortly after that, he wrote (translated):

> I've been in contact with several channels and we've come to the conclusion that the Distrotube channel is chasing us, exposing undue information on YouTube and increasing the effect of what happened.

This refers to the two videos made by DistroTube, a popular Linux YouTuber, about the data leak. While it's true that Derek was very harsh on LinuxFX and could have been more constructive, nothing he said is necessarily incorrect. Actually, without his video popping up in my LibreTube feed, I would never have noticed the issue, which would have been worse.

In conclusion

I don't think LinuxFX deserves trust anymore. The developer has shown himself to be unprofessional, arrogant, and unable to patch the simplest vulnerabilities.

The original idea was a great one – helping new users migrate to Linux with a familiar look and apps (even if they were closed source), but I can't excuse how the developer is treating the situation.

The LinuxFX experience may seem appealing to someone who wants a stable computing experience for a relative and doesn't want to spend hours configuring the desktop environment to look like Windows'.

But all things considered, I would now opt for a non-commercial alternative. Just go with something like Ubuntu-based Zorin OS (the free version is good enough), which is close to Windows. If you really want an almost 1:1 experience like LinuxFX's, you can try TwisterOS which has some themes made to look like Windows.