** Description changed:

+ OS: Ubuntu 11.10 amd64 with gnome-classic session.
  I've found that most of the user authentication programs used in Ubuntu are pkexec. The problem is that this program does not lock the keyboard (while gksu does). For example, the program xneur (an analog of puntoswitcher) can log keystrokes. And when I turn on this option, I find my password used to authenticate applications in this log (this password can be used to get access to root).
+
+ Steps to reproduce
+ 1) XNeur is used as the keylogger, but the version in the Ubuntu repository doesn't work correctly.
+ I used xneur from the repository of its authors
+ ppa:andrew-crew-kuznetsov/xneur-stable
+ Start xneur with the command: "gxneur"
+ 2) Enable keylogging:
+ 2.1) Click with the second mouse button on the xneur icon in the system tray to get the popup menu and click Preferences
+ 2.2) Go to the tab called "log" and check "Enable keyboard logging", then press "OK"
+ 2.3) The logfile is accessible at "$HOME/.xneur/xneurlog.html" (I use firefox to view this log)
+ 3) Launch an application that uses pkexec:
+ 3.1) "synaptic-pkexec": write your password, then hit "Enter"
+ 3.2) "gnome-control-center --overview": go to "User accounts" and press "Unlock", write your password, then hit "Enter"
+ 4) Check the log file "$HOME/.xneur/xneurlog.html". My password is there.

https://bugs.launchpad.net/bugs/917612
Title: Easy keylogging of user password