Package: gdm3
Version: 3.14.1-7
Tags: security

Hi,

The alt menu that allows the password in the login screen to be unmasked is still available after the user has submitted their credentials by pressing the "login" button. This could allow an opportunistic attacker to unmask the user's password.

This could be possible whenever the PAM stack or any of the seat handling code takes a while to do its thing (think of network connectivity issues, some software component failing, etc). In some of these cases it is not even possible for the user to "abort" the login process, further increasing the feasibility of this attack.

It would be best if the password was cleared from the field as soon as the login event was triggered.

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net