https://bugs.kde.org/show_bug.cgi?id=422421
Bug ID: 422421
Summary: previous password attempts easily seen by 3rd party
Product: kscreenlocker
Version: unspecified
Platform: Neon Packages
OS: Linux
Status: REPORTED
Severity: critical
Priority: NOR
Component: general
Assignee: plasma-b...@kde.org
Reporter: kdebugrep...@mailinator.com
CC: bhus...@gmail.com
Target Milestone: ---

SUMMARY
Security issue on the login screen, where a 3rd party can see previous attempts of the user-provided password.

STEPS TO REPRODUCE
1. Enter the password (intentionally make a typo), submit, making it invalid.
2. Delete a few characters using backspace, submit, making it invalid.
3. Now delete the whole password, submit, making it invalid.

OBSERVED RESULT
Let's say you've connected to your workstation remotely over TeamViewer, and in the midst of invalid tries your internet connection breaks and you (albeit temporarily) lose access to your workstation. Someone who has physical access to your machine comes along, ticks the 'eye' icon on the login input and, by hitting CTRL+Z multiple times, sees all your login attempts, easily figuring out the typos and gaining access to the system (also now knowing your root password). Even if you didn't connect remotely, if you walk away from the workstation after a few invalid logins, the same could happen. The only way to remove the "password history" is to successfully log in and then log back out.

EXPECTED RESULT
After an invalid login attempt the password field should be blank, or the 'password reveal' functionality should be disabled.

SOFTWARE/OS VERSIONS
Linux/KDE Plasma:
KDE Plasma Version: 5.18.5
KDE Frameworks Version: 5.70.0
Qt Version: 5.14.2
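The following is an added example, not code from the report, from kscreenlocker or from Qt: a small stand-alone C++ model of a password field that keeps an undo history, used to show why the Ctrl+Z leak described above happens and why the reporter's first suggested fix (blanking the field after a failed attempt) only works if the field's undo history is dropped together with its text. The types and method names (`PasswordField`, `LockScreen`, `clearWithHistory`) and the sample password and typo are hypothetical and constructed for the example; the three steps follow the report's STEPS TO REPRODUCE.

```cpp
// Added example: a minimal model of a text field with an undo history and a
// lock screen that either leaves the field alone after a failed attempt (the
// behaviour the report describes) or wipes text and history (the fix).
// Hypothetical stand-in types, not kscreenlocker or Qt code.
#include <algorithm>
#include <cstddef>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

class PasswordField {
public:
    // Replace the contents (typing a password), recording the old state so
    // Ctrl+Z can bring it back.
    void setText(const std::string& text) {
        history_.push_back(text_);
        text_ = text;
    }
    // Backspace n characters; also recorded for undo.
    void backspace(std::size_t n) {
        history_.push_back(text_);
        text_.erase(text_.size() - std::min(n, text_.size()));
    }
    // Ctrl+Z: restore the most recent earlier state, if there is one.
    bool undo() {
        if (history_.empty()) return false;
        text_ = history_.back();
        history_.pop_back();
        return true;
    }
    // Emptying the field as the user does in step 3: the text is gone but
    // every earlier state is still reachable through undo.
    void clear() { setText(""); }
    // The fix: forget the earlier states as well as the current text.
    void clearWithHistory() { text_.clear(); history_.clear(); }
    const std::string& text() const { return text_; }
private:
    std::string text_;
    std::vector<std::string> history_;
};

// What someone at the keyboard can read by enabling the 'eye' (reveal) icon
// and pressing Ctrl+Z repeatedly. Takes a copy so the real field is untouched.
std::vector<std::string> recoverableAttempts(PasswordField field) {
    std::vector<std::string> seen;
    while (field.undo()) {
        if (!field.text().empty()) seen.push_back(field.text());
    }
    return seen;
}

// Simulated lock screen; only the handling of a failed attempt differs.
class LockScreen {
public:
    LockScreen(std::string secret, bool wipeHistoryOnFailure)
        : secret_(std::move(secret)), wipe_(wipeHistoryOnFailure) {}
    bool submit(PasswordField& field) {
        if (field.text() == secret_) return true;
        if (wipe_) field.clearWithHistory();  // hardened: nothing left to undo
        return false;                         // reported: field left as typed
    }
private:
    std::string secret_;
    bool wipe_;
};

// Run the report's three steps and return what Ctrl+Z recovers afterwards.
// Secret and typo are constructed sample values.
std::vector<std::string> reproduce(bool wipeHistoryOnFailure) {
    LockScreen lock("correct horse", wipeHistoryOnFailure);
    PasswordField field;
    field.setText("corrcet horse");  // 1. typo, submit -> invalid
    lock.submit(field);
    field.backspace(6);              // 2. delete a few characters, submit
    lock.submit(field);
    field.clear();                   // 3. delete everything, submit
    lock.submit(field);
    return recoverableAttempts(field);
}

int main() {
    for (bool wipe : {false, true}) {
        std::cout << (wipe ? "wiped: " : "leaky: ");
        for (const auto& s : reproduce(wipe)) std::cout << '"' << s << "\" ";
        std::cout << '\n';
    }
    return 0;
}
```

In the leaky configuration the model recovers both the shortened and the original mistyped password, which is what the report describes: blanking the text alone (step 3) does not help while the widget still holds its undo stack. The check to make against a fix on the real lock screen is the same as the model's: after a failed attempt, reveal the field and press Ctrl+Z; nothing earlier should reappear.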