Ubuntu
unity package

Password typed to unlock the screen is sent to the Chrome window if it had a text selection

Bug #1345505 reported by James Hunt
296
This bug affects 7 people
Affects Status Importance Assigned to Milestone
Unity
In Progress
Critical
Marco Trevisan (Treviño)
Unity 7.3.1
unity (Ubuntu)
In Progress
High
Marco Trevisan (Treviño)

Bug Description

When my machine comes out of suspend, I am shown the unity lockscreen. However, occasionally I am unable to enter my password since the password box is not given focus. Clicking with the mouse in the password box also doesn't help.

I've found that clicking the settings cog (top right) twice allows me to regain control of the focus and enter my password.

Aside from the inability to enter my password in the password box, it seems that simply typing my password (or in fact any text) results in those keystrokes being passed to the full-screen window *behind* the greeter. This should not be possible and is a security issue: imagine if my full-screen console was connected to a remote shared session, or was running an irc client, etc.).

ProblemType: BugDistroRelease: Ubuntu 14.10
Package: lightdm 1.11.4-0ubuntu1
ProcVersionSignature: Ubuntu 3.16.0-4.9-generic 3.16.0-rc5
Uname: Linux 3.16.0-4-generic x86_64
ApportVersion: 2.14.4-0ubuntu2
Architecture: amd64
CurrentDesktop: Unity
Date: Sun Jul 20 09:08:47 2014
InstallationDate: Installed on 2014-04-11 (99 days ago)
InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Daily amd64 (20140409)SourcePackage: lightdm
UpgradeStatus: Upgraded to utopic on 2014-05-08 (72 days ago)

See original description
Revision history for this message
James Hunt (jamesodhunt) wrote :
information type: Public → Public Security
Revision history for this message
Robert Ancell (robert-ancell) wrote :

It's actually unity showing a lock screen here, reassigning.

affects: lightdm (Ubuntu) → unity (Ubuntu)
summary: - lightdm leaks keystrokes to window "behind" greeter
+ lock scren leaks keystrokes to window "behind" greeter
Sebastien Bacher (seb128)
tags: added: lockscreen
James Hunt (jamesodhunt)
summary: - lock scren leaks keystrokes to window "behind" greeter
+ lock screen leaks keystrokes to window "behind" greeter
Revision history for this message
James Hunt (jamesodhunt) wrote : Re: lock screen leaks keystrokes to window "behind" greeter

I've found a way to trigger this without needing to suspend (which hopefully will make it easier to debug :-)...

1) Open a terminal.
2) Run: "sleep 5 && gnome-terminal --maximize"
3) Quickly (before 5 seconds has elapsed), press "CTRL+l" to lock the screen.
4) Don't touch keyboard or mouse for about 10 seconds to give the lock screen time to dim the screen to black.
5) *Before* the cursor disappears (normally happens about 2 seconds after the screen is fully black), tpe random characters or hold down a key continually until the lock screen is displayed again.
6) Either delete the characters in the password box and reenter you actual password, or press return and enter you actual password.
7) Observe that the maximised gnome-terminal that is now revealed shows atleast a subset of the keys you typed when the screen was locked.

Marco Trevisan (Treviño) (3v1n0)
Changed in unity:
importance: Undecided → High
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in unity (Ubuntu):
status: New → Confirmed
Revision history for this message
David Overcash (funnylookinhat) wrote :

This seems to happen most frequently with Google Chrome and Chromium - or at least, they're two easy culprits to identify. :)

Seems related to the following:
https://bugs.launchpad.net/unity/+bug/1305586

I'm not sure if the fix in that bug is what caused this or if another issue arose elsewhere.

Marco Trevisan (Treviño) (3v1n0)
description: updated
Marco Trevisan (Treviño) (3v1n0)
Changed in unity:
milestone: none → 7.3.1
Vincent Thiele (vincentthiele)
tags: added: trusty
Revision history for this message
Margarita Manterola (marga-9) wrote :

I'm affected as well, and I've been only able to reproduce with Chrome 35 or later. I tried several other applications and was not able to reproduce. Including Firefox, gnome-terminal and Chrome 34.

Also, it only happens on Unity, other desktop environments are not affected.

I tried 3 different versions of compiz (the latest one, the one before that and the original from trusty) and I could reproduce with all of them, although the behavior is not exactly the same.

The reproduction case that I found most successful is locking the screen with Ctrl-Alt-L while having some text selected on the Chrome window, for example the location bar. So:
1) Open Chrome 35 or later (current stable is 36)
2) Ctrl-L to select the location bar
3) Ctrl-Alt-L to lock the screen

After that, any characters I type while the lockscreen is dimming are sent through to Chrome.

summary: - lock screen leaks keystrokes to window "behind" greeter
+ Password typed to unlock the screen is sent to the Chrome window that
+ was in focus
Revision history for this message
Margarita Manterola (marga-9) wrote : Re: Password typed to unlock the screen is sent to the Chrome window that was in focus

I downgraded unity's packages to the previous version (7.2.1+14.04.20140513-0ubuntu2) and with that version I'm no longer able to reproduce the problem.

The changelog of the current version (7.2.2+14.04.20140714-0ubuntu1) includes lots of screensaver changes, including changes related to the clipboard.

Clearly, some of those changes don't interact well, at least with Chrome 35 and above, I haven't been able to reproduce with any other programs.

Margarita Manterola (marga-9)
summary: - Password typed to unlock the screen is sent to the Chrome window that
- was in focus
+ Password typed to unlock the screen is sent to the Chrome window if it
+ had a text selection
Marco Trevisan (Treviño) (3v1n0)
Changed in unity:
status: New → Triaged
importance: High → Critical
assignee: nobody → Marco Trevisan (Treviño) (3v1n0)
Changed in unity (Ubuntu):
assignee: nobody → Marco Trevisan (Treviño) (3v1n0)
Marco Trevisan (Treviño) (3v1n0)
Changed in unity (Ubuntu):
status: Confirmed → In Progress
Marco Trevisan (Treviño) (3v1n0)
Changed in unity:
status: Triaged → In Progress
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.