dx-packages team mailing list archive
Message #20453
[Bug 1351113] Re: password input box after suspend/resume was not focused but looked like it was; keyboard input was being intercepted by another window
@2 not sure.
I'll restart now. By the way I've observed the issue again in the
meantime at the very next suspend/resume.
--
You received this bug notification because you are a member of DX
Packages, which is subscribed to unity in Ubuntu.
Matching subscriptions: dx-packages
https://bugs.launchpad.net/bugs/1351113
Title:
password input box after suspend/resume was not focused but looked
like it was; keyboard input was being intercepted by another window
Status in “unity” package in Ubuntu:
New
Bug description:
This is a HUGE SECURITY ISSUE.
I suspended, then I resumed.
Upon resume, I was presented the usual screen where you have to insert
the password to unlock the screen.
The password input box had a blinking cursor, as expected.
I tried to type the password but it appeared to be not responding to keystrokes (from an external usb keyboard), meaning the usual dots would not appear at every keystroke.
I thought the external USB keyboard was not working (due to another
known bug) so I plugged it into another port, with no luck.
So I tried to use the built-in keyboard of the laptop, but it wouldn't
(apparently) respond to keystrokes either.
So I clicked with the mouse on the language selection indicator in the
upper right corner of the screen, and selected the (unique and already
selected) language: Spanish. A posteriori I think this was irrelevant.
What I guess was relevant is that I gave focus to anything other than
the password input box and then clicked on the password input box
again.
So now it worked and I could type my password and unlock the screen.
AND HERE'S THE TERRIFYING THING: after inserting the password and
unlocking the screen, Google Chrome was the active window (because it
had been prior to suspending), and in the active tab there was
Facebook open. In the status-update textarea there were all the keys
that I had been hitting when trying to input the password.
Do you realize the enormous security hazard here? If I had typed the
whole password quickly without looking at the screen and hit Enter
before realizing the keystrokes were not being intercepted by the
password input box, I could have posted my password on Facebook
without seeing it. Perhaps even twice. Fortunately, I saw the
keystrokes were not being registered from the very beginning, and
reacted by repeating the first few characters several times, and then
hitting random keys, so I only typed a nonsense sequence of characters
that doesn't even remotely resemble my password and I never got to hit
the Enter key anyway.
So, to sum up the issue:
- after resume, the password input box wasn't focused and it should have been
- worse: it completely looked like it was focused, with a blinking cursor inside, so everything looked like the keyboard was not working at all
- worst of all: keystrokes were actually being intercepted by an active application (which was not visible because the screen was locked). NOTHING that is "behind" the locked screen should be able to intercept keystrokes or mouse interaction, under any circumstance. If you are not seeing something, that something must be non-existent to keyboard and mouse interaction.
This is far from systematically reproducible. This is the first time I have observed this, ever, and have no idea what triggered this. I suspend and resume very often on a daily basis so this must be something pretty rare. Yet it is hugely dangerous.
My very real-life case could have led to posting my password on Facebook.
Imagine if the active window was a terminal and you happened to have a funny password such as "sudo rm -f /*".
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: unity 7.2.2+14.04.20140714-0ubuntu1
ProcVersionSignature: Ubuntu 3.13.0-32.57-generic 3.13.11.4
Uname: Linux 3.13.0-32-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.2
Architecture: amd64
CompizPlugins: No value set for `/apps/compiz-1/general/screen0/options/active_plugins'
CurrentDesktop: Unity
Date: Fri Aug 1 02:40:29 2014
InstallationDate: Installed on 2013-10-11 (293 days ago)
InstallationMedia: Ubuntu 13.04 "Raring Ringtail" - Release amd64 (20130424)
SourcePackage: unity
UpgradeStatus: Upgraded to trusty on 2014-05-24 (68 days ago)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/unity/+bug/1351113/+subscriptions