dx-packages team mailing list archive

[Bug 1399502] [NEW] Lock screen can lose focus and send keystrokes to some other application

 

*** This bug is a security vulnerability ***

Public security bug reported:

I have a user that reported the Unity lock screen losing focus and
sending keystrokes to the application behind it. This seems similar to
https://bugs.launchpad.net/ubuntu/+source/unity/+bug/1358504 but that
bug is marked as fixed.

In their specific case they were using Chrome with Google Hangouts
(using Chrome's Google Hangouts extension:
<https://chrome.google.com/webstore/detail/hangouts/nckgahadagoaajjgafhacjanaoiihapd?hl=en>)
when they locked their screen. Upon coming back they typed their
password and hit Enter, but the screen did not unlock. They had to
manually click in the password field and type their password before it
would unlock. Upon unlocking they discovered that they had a Hangouts
window open with a colleague and had sent their password to them (I'm
assuming during that first try when the lock screen did not unlock).

$ lsb_release -rd
Description:	Ubuntu 14.04.1 LTS
Release:	14.04

$ apt-cache policy unity
unity:
  Installed: 7.2.3+14.04.20140826-0ubuntu1.0.1

I'm currently trying to find a way to reproduce this, but haven't
managed to yet.

** Affects: unity (Ubuntu)
     Importance: Undecided
         Status: New

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of DX
Packages, which is subscribed to unity in Ubuntu.
Matching subscriptions: dx-packages
https://bugs.launchpad.net/bugs/1399502

Title:
  Lock screen can lose focus and send keystrokes to some other
  application

Status in unity package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/unity/+bug/1399502/+subscriptions

