[Expired for unity (Ubuntu) because there has been no activity for 60
days.]
** Changed in: unity (Ubuntu)
Status: Incomplete => Expired
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to unity in Ubuntu.
https://bugs.launchpad.net/bugs/1351113
Title:
password input box after suspend/resume was not focused but looked
like it was; keyboard input was being intercepted by another window
Status in Unity:
Expired
Status in “unity” package in Ubuntu:
Expired
Bug description:
This is a HUGE SECURITY ISSUE.
I suspended, then I resumed.
Upon resume, I was presented the usual screen where you have to insert
the password to unlock the screen.
The password input box had a blinking cursor, as expected.
I tried to type the password but it appeared to be not responding to
keystrokes (from an external usb keyboard), meaning the usual dots would not
appear at every keystroke.
I thought the external usb keyboard was not working (due to another
known bug) so I plugged it to another port, with no luck.
So I tried to use the builtin keyboard of the laptop, but it wouldn't
(apparently) respond to keystrokes either.
So I clicked with the mouse on the language selection indicator in the
upper right corner of the screen, and selected the (unique and already
selected) language: spanish. A posteriori I think this was irrelevant.
What I guess was relevant is that I gave focus to anything other than
the password input box and then clicked on the password input box
again.
So now it worked and I could type my password and unlock the screen.
AND HERE'S THE TERRIFYING THING: after inserting the password and
unlocking the screen, Google Chrome was the active window (because it
had been prior to suspending), and in the active tab there was
facebook open. In the status-update textarea there were all the keys
that I had been hitting when trying to input the password.
Do you realize the enormous security hazard here? If I had typed the
whole password quickly without looking at the screen and hit Enter
before realizing the keystrokes were not being intercepted by the
password input box, I could have posted my password on facebook
without seeing it. Perhaps even twice. Fortunately, I saw the
keystrokes were not being registered from the very beginning, and
reacted by repeating the first few characters several times, and then
hitting random keys, so I only typed a nonsense sequence of characters
that doesn't even remotely resemble my password and I never got to hit
the Enter key anyway.
So, to sum up the issue:
- after resume, the password input box wasn't focused and it should have been
- worse: it completely looked like it was focused, with a blinking cursor
inside, so everything looked like keyboard was not working at all
- worst of all: keystrokes were actually being intercepted by an active
application (which was not visible because the screen was locked). NOTHING that
is "behind" the locked screen should be able to intercept keystrokes or mouse
interaction, under any circumstance. If you are not seing something, that
something must be non-existent to keyboard and mouse interaction.
This is far from systematically reproducible. This is the first time I have
observed this, ever, and have no idea what triggered this. I suspend and resume
very often on a daily basis so this must be something pretty rare. Yet it is
hugely dangerous.
My very real-life case could have led to posting my password on facebook.
Imagine if the active window was a terminal and if you happen to have a funny
password such as "sudo rm -f /*"
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: unity 7.2.2+14.04.20140714-0ubuntu1
ProcVersionSignature: Ubuntu 3.13.0-32.57-generic 3.13.11.4
Uname: Linux 3.13.0-32-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.2
Architecture: amd64
CompizPlugins: No value set for
`/apps/compiz-1/general/screen0/options/active_plugins'
CurrentDesktop: Unity
Date: Fri Aug 1 02:40:29 2014
InstallationDate: Installed on 2013-10-11 (293 days ago)
InstallationMedia: Ubuntu 13.04 "Raring Ringtail" - Release amd64 (20130424)
SourcePackage: unity
UpgradeStatus: Upgraded to trusty on 2014-05-24 (68 days ago)
To manage notifications about this bug go to:
https://bugs.launchpad.net/unity/+bug/1351113/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
