https://bugs.kde.org/show_bug.cgi?id=422421

            Bug ID: 422421
           Summary: previous password attempts easily seen by 3rd party
           Product: kscreenlocker
           Version: unspecified
          Platform: Neon Packages
                OS: Linux
            Status: REPORTED
          Severity: critical
          Priority: NOR
         Component: general
          Assignee: plasma-b...@kde.org
          Reporter: kdebugrep...@mailinator.com
                CC: bhus...@gmail.com
  Target Milestone: ---

SUMMARY
Security issue on login screen, where a 3rd party can see previous attempts of
user provided password


STEPS TO REPRODUCE
1. Enter password (intentionally make a typo), submit, making it invalid
2. Delete a few characters using backspace, submit, making it invalid
3. Now, delete the whole password, submit, making it invalid

OBSERVED RESULT
Let's say you've connected to your workstation remotely over Teamviewer,
and in the midst of invalid tries, your internet connection breaks and you
(albeit temporarily) lose access to your workstation.

Someone who has physical access to your machine comes, ticks the 'eye' icon
on the login input, and by hitting CTRL+Z multiple times sees all your login
attempts, easily figuring out typos and gaining access to the system (also now
knowing your root password).

Even if you didn't connect remotely, after a few invalid logins you walk away
from the workstation, and the same could happen.

Only way to remove "password history" is to successfully login and then log
back out.

EXPECTED RESULT
After invalid login attempt, the password should be blank, or 'password reveal'
functionality should be disabled.
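To make the expected behaviour concrete, here is a small model (added here; it is not kscreenlocker code and the PasswordField API is hypothetical) of a text field with a Ctrl+Z undo stack. It replays the three failed submissions from the steps above against two failure handlers: one that leaves the field untouched, and one that wipes both the buffer and the undo history. The credential and typed strings are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class PasswordField:
    """Toy model of an editable field with Ctrl+Z undo (hypothetical API,
    standing in for the lock screen's password input)."""
    text: str = ""
    history: List[str] = field(default_factory=list)  # undo stack of prior buffers

    def type_text(self, s: str) -> None:
        self.history.append(self.text)
        self.text += s

    def backspace(self, n: int = 1) -> None:
        self.history.append(self.text)
        self.text = self.text[:-n]

    def undo(self) -> str:
        """Ctrl+Z: step back to the previous buffer, if there is one."""
        if self.history:
            self.text = self.history.pop()
        return self.text

    def clear_all(self) -> None:
        """Mitigation: wipe the buffer and the undo stack together."""
        self.text = ""
        self.history.clear()


def undo_exposes(f: PasswordField) -> List[str]:
    """Every buffer state a bystander can bring back by pressing Ctrl+Z
    repeatedly and reading the field with the reveal ('eye') toggle on."""
    states = []
    while f.history:
        states.append(f.undo())
    return states


SECRET = "correct horse"  # constructed sample credential for the demo


def run_attempts(on_failure: Callable[[PasswordField], None]) -> List[str]:
    """Replay the report's three failed submissions, calling on_failure after
    each rejection, then return what undo still exposes afterwards."""
    f = PasswordField()

    def submit() -> bool:
        accepted = f.text == SECRET
        if not accepted:
            on_failure(f)
        return accepted

    f.type_text("correct hosre")   # 1. typo, rejected
    submit()
    f.backspace(4)                 # 2. delete a few characters, rejected
    submit()
    f.backspace(len(f.text))       # 3. delete everything, rejected
    submit()
    return undo_exposes(f)


def keep_state(f: PasswordField) -> None:
    """Observed behaviour: nothing is reset on a failed attempt."""


def wipe_state(f: PasswordField) -> None:
    """Expected behaviour: a failed attempt leaves no recoverable input."""
    f.clear_all()


if __name__ == "__main__":
    print("vulnerable:", run_attempts(keep_state))
    print("mitigated: ", run_attempts(wipe_state))
```

With the no-op handler, undo walks back through every edit, including the near-correct attempt; with the wiping handler there is nothing to recover, which is why clearing only the visible text is not enough and the undo stack must be dropped as well.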

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: 
KDE Plasma Version: 5.18.5
KDE Frameworks Version: 5.70.0
Qt Version: 5.14.2
