
desktop-packages team mailing list archive

[Bug 835147] Re: User switching can be used to hijack a desktop user and steal passwords

 

** Visibility changed to: Public

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to gnome-screensaver in Ubuntu.
https://bugs.launchpad.net/bugs/835147

Title:
  User switching can be used to hijack a desktop user and steal
  passwords

Status in “gnome-screensaver” package in Ubuntu:
  New

Bug description:
  This is reproducible in all modern versions of Ubuntu, including
  Oneiric.

  1) Log in to your user from GDM.
  2) Choose Switch from Your user in the user menu.
  3) Log in as another user from the display manager.
  4) Press alt+ctrl+f7 to get access to the first user.
  5) Press alt+ctrl+f8 to get access to the second user.

  Observe that you are not asked for a password. This can be exploited
  to hijack a desktop and steal a user's password. If you lock your
  screen manually, then other users will have to enter the password to
  unlock the screen, but otherwise not. This should be possible to
  exploit. Consider an office environment with shared computers.

  You log into a desktop and choose to not lock your desktop
  automatically. You then choose to switch to another user and the DM is
  displayed, allowing a new user to log in with very few visual clues
  that you're already logged in and even if the user notices, it's
  doubtful that he'll consider that a security issue.

  When your target user has logged onto his desktop, you run a command
  to switch to your own desktop where you display a dialog that looks
  exactly like gnome-screensaver does when the screen is locked,
  including the target's user name. If you time it correctly, then the
  target won't even notice that anything is wrong and he'll enter his
  password into your application. Your program checks if the password is
  correct. If it is, then you log the time, username and password.

  Now you will just switch back to the other user's desktop again. First
  you will check if the user's desktop is locked. If it is, then you will
  simply display an identical error message that the password is
  incorrect and then switch to the desktop, which would then present the
  real unlock screen. The user would simply believe he'd entered the
  password wrong. He enters it again, the desktop is unlocked and
  everything is fine. Or you could just unlock the screen, now that you
  have the username and password, but that would probably get logged.

  This is what you would perceive as a user:

  1) The screen is locked when you didn't expect it to be.
  Possibly also: 
  2) You thought you entered your password correctly the first time, but you obviously didn't. When you entered it again, then it worked as it should. 

  Would you report that incident to the network admins? I wouldn't. It
  is quite possible that a stressed admin wouldn't even understand the
  situation if he did have a look at it. "If you switch to UserA, then
  gnome-screensaver asks to unlock the desktop for UserB?". Odd, but a
  reboot fixes it.

  You could automate this, of course, so that over time, you could grab
  the passwords of any user who logs onto that desktop. This could be
  done over the network without requiring any special privileges and on
  most networks, a username and a password is all that is required to do
  some real damage.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnome-screensaver/+bug/835147/+subscriptions