
User Beware: The Fine Line Between Content And Code

 1 month ago
source link: https://hackaday.com/2024/03/25/user-beware-the-fine-line-between-content-and-code/

Everyone loves themes. Doesn’t matter if it’s a text editor or a smart display in the kitchen, we want to be able to easily customize its look and feel to our liking. When setting up a new device or piece of software, playing around with the available themes may be one of the first things you do without giving it much thought. After all, it’s not like picking the wrong one is going to do something crazy like silently delete all the files on your computer, right?

Unfortunately, that’s exactly what happened a few days ago to [JeansenVaars] while trying out a Plasma Global Theme from the KDE Store. According to their Reddit post, shortly after installing the “Gray Layout” theme for the popular Linux graphical environment, the system started behaving oddly and then prompted for a root password. Realizing something didn’t seem right, they declined, but at that point, it was already too late for all of the personal files in their home directory.

More Than Meets the Eye

So what happened? There remains some debate about exactly what caused things to go sideways, but one thing seems clear: the theme wasn’t designed to be malicious. While admittedly not very highly rated on the KDE Store, it still had nearly 3,800 downloads when [JeansenVaars] installed it, and we would have heard by now if all those folks had their home directories wiped out. A few Reddit users poked around in the source for “Gray Layout”, and found some potentially troubling lines, such as this one:

rm -Rf "$configFolder"


The troubled theme has since been removed.

This would certainly trigger a Bad Day depending on the value of $configFolder, but despite looking scary, others pointed out that this line actually comes from an upstream project and that there’s no obvious way this command could be directed towards the entire filesystem given the way the string was pieced together elsewhere in the code. But it was also noted that the theme in question was designed for an older version of KDE Plasma, and that there could be some weirdness going on there. Ultimately, it looks like [JeansenVaars] was just unlucky enough to stumble into an edge case somewhere.
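One way a script can keep a line like this from ever reaching the home directory, whatever value the variable ends up with, is to resolve the path and check it against an allowed base before deleting. This is an added example, not code from the theme or the article: `safe_rm_rf` and its allowed-base argument are hypothetical names, and `realpath -m` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example, not code from the theme or the article. safe_rm_rf and its
# "allowed base" argument are hypothetical; realpath -m needs GNU coreutils.

# safe_rm_rf TARGET BASE
# Deletes TARGET recursively only if it resolves to a path strictly below BASE.
# Returns 2 for empty/unresolvable input, 3 for a path outside the allowed area.
safe_rm_rf() {
    local target base home
    [ -n "$1" ] && [ -n "$2" ] || return 2

    # Resolve symlinks and ".." first so the checks see the real location.
    target=$(realpath -m -- "$1") || return 2
    base=$(realpath -m -- "$2") || return 2
    home=$(realpath -m -- "${HOME:-/}") || return 2

    # Never accept the filesystem root, the home directory, or the base itself.
    case "$target" in
        /|"$home"|"$base") return 3 ;;
    esac

    # Require a real parent/child relationship, not just a shared prefix.
    case "$target" in
        "$base"/*) ;;
        *) return 3 ;;
    esac

    rm -rf -- "$target"
}

# Constructed demo in a throwaway directory.
demo=$(mktemp -d)
mkdir -p "$demo/config/old-theme" "$demo/documents"
safe_rm_rf "$demo/config/old-theme" "$demo/config" && echo "removed old-theme"
configFolder=""   # simulate the variable never being set
safe_rm_rf "$configFolder" "$demo/config" || echo "refused empty path (rc=$?)"
safe_rm_rf "$demo/config/../documents" "$demo/config" || echo "refused escape (rc=$?)"
rm -rf -- "$demo"
```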

But wait…you’re probably wondering why a graphical theme is running code in the first place. Surely a theme shouldn’t be responsible for anything more than changing some colors around and maybe swapping out the style of your title bars.

Well, you’d think so. It turns out that these so-called “Global Themes” actually have the ability to change pretty much the entire desktop experience, which includes installing new software components and running Bash scripts. Mix that with the ability for users to create and upload these themes for others, and you’ve got a recipe for trouble — intentional or otherwise.
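Because a Global Theme can carry scripts, one check before installing is to unpack the archive and list what in it could execute. The following is an added example, not a KDE tool or code from the article; the function name, the pattern and the directory layout are assumptions, and it flags only executable files, shebang scripts and recursive deletes that take a variable.

```shell
#!/bin/sh
# Added example, not a KDE tool: report what could execute inside an
# unpacked theme archive. Function name and layout are hypothetical.

# Recursive rm whose argument involves a variable, e.g. rm -Rf "$configFolder"
RISKY_RM='(^|[^[:alnum:]_])rm[[:space:]]+-[A-Za-z]*[rR][A-Za-z]*[[:space:]]+.*\$'

# audit_theme_dir DIR
# Prints "CODE <path>" for files that are executable or begin with "#!" and
# "RISK <path>:<line>:<text>" for matching deletes. Returns 0 if nothing was
# flagged, 1 if something was, 2 if DIR is not a directory.
audit_theme_dir() {
    local dir report
    dir="${1%/}"
    [ -d "$dir" ] || return 2
    # find -exec hands file names to the inner shell as arguments, so odd
    # characters in names cannot break the loop.
    report=$(DIR="$dir" RISKY_RM="$RISKY_RM" find "$dir" -type f -exec sh -c '
        for f do
            rel=${f#"$DIR"/}
            magic=$(head -c 2 "$f" 2>/dev/null | tr -d "\000")
            if [ -x "$f" ] || [ "$magic" = "#!" ]; then
                printf "CODE %s\n" "$rel"
            fi
            # -I skips binary files such as images.
            grep -InE "$RISKY_RM" "$f" 2>/dev/null |
                while IFS= read -r hit; do printf "RISK %s:%s\n" "$rel" "$hit"; done
        done' sh {} + | LC_ALL=C sort)
    [ -n "$report" ] || return 0
    printf '%s\n' "$report"
    return 1
}

# Stand-alone use: sh audit.sh ./unpacked-theme
if [ "$#" -gt 0 ]; then audit_theme_dir "$1"; fi
```

A clean result only means none of these three signals were found; anything the desktop itself interprets is outside what this check sees.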

Safety Not Guaranteed

In response to the Reddit discussion, the official KDE Mastodon account made a post which basically said they didn’t want any responsibility for the issue. After pointing out that Global Themes are created by the community, they go on to explain that by design they are able to run arbitrary code without warning. Given the security implications of this, the KDE team recommends users “exercise extreme caution” when downloading said content from the Store.


A few minutes later, the account made another post encouraging users to use the “Report” button in the KDE Store so they could “locate and quarantine defective software” as quickly as possible. The implication is clear: they don’t have the resources or methods to actually vet community-developed content as it comes in, so the users will have to do the leg work for them.

It’s a problem we’ve seen before with similar distribution platforms, such as Python’s PyPI and JavaScript’s NPM. Once you allow users to upload whatever they wish to a repository, it’s only a matter of time before somebody abuses the system. In the case of PyPI and NPM it’s usually in the form of “typo-squatting”, where malicious software is uploaded under a misspelled version of a popular package’s name. If the attacker is clever, they can even duplicate the functionality of the real package — with a nasty “feature” or two added in, naturally.

Hit the wrong key while typing out the name of the software you want to install, and you could end up getting yourself in a bad situation without even realizing it. Better moderation could nuke these named-alike packages before they ever go public, but that takes time and energy that open source projects don’t always have available.

Of course, the key difference here is that you don’t have to make a mistake to download a malicious KDE Global Theme. An attacker just needs to hide some insidious functionality in an otherwise attractive theme, and users would download it willingly.

What’s in a Name?

In response to the ongoing debate, KDE developer David Edmundson posted an article to his blog entitled Trusting content on the KDE Store. In it, he explains that the ability for Global Themes to execute arbitrary code is necessary, and can’t realistically be limited without reducing functionality. Rather than a technical issue, David believes this is more of a communication problem.

As he sees it, the real issue is that users don’t expect something called a theme to be able to run code on their machine, and as such, don’t approach them with the same caution they would normal software packages. He believes a clearer indication that installing a Global Theme might make unexpected changes to your system would help differentiate them from more traditional “dumb” themes.

Long term, David says the KDE Store should have a separate section for anything that has the ability to run code on the user’s computer. So in other words, a theme that’s capable of installing new packages wouldn’t be listed alongside a pack of simple wallpapers. Even farther out, he says they’ll need to look into ways of auditing user-submitted content, as well as improve their sandboxing to limit what themes and plugins are actually able to do.

Frankly, it all sounds like a nightmare to us. We’re not in the business of telling folks what to do with their computers, but at least for the time being, we’d probably steer clear of any KDE Global Themes.

