dx-packages team mailing list archive

[Bug 1310690] [NEW] Lock screen password field does not "capture" key press - password is disclosed in background application

 

*** This bug is a security vulnerability ***

Public security bug reported:

The new lockscreen in Ubuntu 14.04 is really nice, however I noticed (2 times already) that the password field doesn't "capture" the key presses sometimes. Key presses are not registered by the field and it looks like it is frozen (except for the cursor blinking). What I had to do when this happened was to wait until the tentative expires (screen goes blank) and then try again - then it worked.
However the application running in the foreground (or background, if you consider the lockscreen is on top) received the key presses, i.e., my whole password - you can imagine the implications if it was a chat window.

I'm using 14.04, upgraded by 04/17 from 12.04 - all packages updated.

** Affects: unity (Ubuntu)
     Importance: Undecided
         Status: New

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of DX
Packages, which is subscribed to unity in Ubuntu.
Matching subscriptions: dx-packages
https://bugs.launchpad.net/bugs/1310690

Title:
  Lock screen password field does not "capture" key press - password is
  disclosed in background application

Status in “unity” package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/unity/+bug/1310690/+subscriptions
