touch-packages team mailing list archive

[Alexander Sack <asac@xxxxxxxxxx>]

Public bug reported:

on todays image (krillin rtm-proposed r21) with ONLY auto suggest
language option on I get:

13:57 < asac> 1. kill terminal
13:57 < asac> 2. open terminal and enter pin
13:57 < asac> 3. click in terminal pastes my pin :)

obviously not good for security. Think might be bad.

Seems its not getting to dictionary at least:

13:58 < asac> 4. /me uses backspace to delete
13:58 < asac> 5. type ls
13:58 < asac> 6. type first digit of pin -> does not suggest my pin

This doesn't happen if I turn auto suggestion off. Not sure if the paste
is what doesn't happen or the clipboarding doesn't happen. Surely
important to check out and know for sure.

We should check other credential prompts too: pin lock screen, sim pin
etc.

Haven't tried, but I assume UITK password fields and browser dont have
that, but might be worth checking.

Thanks!

** Affects: ubuntu-keyboard (Ubuntu)
     Importance: Critical
         Status: New


** Tags: rtm14

** Description changed:

- on todays image (krillin rtm-proposed r21)
+ on todays image (krillin rtm-proposed r21) with ONLY auto suggest
+ language option on I get:
  
- 13:57 < asac> 1. kill terminal 
+ 13:57 < asac> 1. kill terminal
  13:57 < asac> 2. open terminal and enter pin
  13:57 < asac> 3. click in terminal pastes my pin :)
  
  obviously not good for security. Think might be bad.
  
  Seems its not getting to dictionary at least:
  
  13:58 < asac> 4. /me uses backspace to delete
  13:58 < asac> 5. type ls
  13:58 < asac> 6. type first digit of pin -> does not suggest my pin
  
- we should check other credential prompts too: pin lock screen, sim pin
+ This doesn't happen if I turn auto suggestion off. Not sure if the paste
+ is what doesn't happen or the clipboarding doesn't happen. Surely
+ important to check out and know for sure.
+ 
+ We should check other credential prompts too: pin lock screen, sim pin
  etc.
  
  Haven't tried, but I assume UITK password fields and browser dont have
  that, but might be worth checking.
  
  Thanks!

** Changed in: ubuntu-keyboard (Ubuntu)
   Importance: Undecided => Critical

** Tags added: rtm14

** Summary changed:

- auto suggest seems to copy credentials into clipboard
+ security issue? auto suggest seems to copy credentials into clipboard

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ubuntu-keyboard in Ubuntu.
https://bugs.launchpad.net/bugs/1366314

Title:
  security issue? auto suggest seems to copy credentials into clipboard

Status in “ubuntu-keyboard” package in Ubuntu:
  New

Bug description:
  on todays image (krillin rtm-proposed r21) with ONLY auto suggest
  language option on I get:

  13:57 < asac> 1. kill terminal
  13:57 < asac> 2. open terminal and enter pin
  13:57 < asac> 3. click in terminal pastes my pin :)

  obviously not good for security. Think might be bad.

  Seems its not getting to dictionary at least:

  13:58 < asac> 4. /me uses backspace to delete
  13:58 < asac> 5. type ls
  13:58 < asac> 6. type first digit of pin -> does not suggest my pin

  This doesn't happen if I turn auto suggestion off. Not sure if the
  paste is what doesn't happen or the clipboarding doesn't happen.
  Surely important to check out and know for sure.

  We should check other credential prompts too: pin lock screen, sim pin
  etc.

  Haven't tried, but I assume UITK password fields and browser dont have
  that, but might be worth checking.

  Thanks!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-keyboard/+bug/1366314/+subscriptions