Gnome Desktop -- After Usermode Application Crashes, Reveals User Passwords by Pressing Ctrl+Alt+F1
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
gnome-desktop (Ubuntu) | New | Undecided | Unassigned | |
Bug Description
>> Intro & Trigger Conditions <<
I have seen this happen more than once, so it isn't a fluke. I am not asking for the IntelliJ/JVM crash to be solved, but am more concerned with the security issues that happen after a userspace app crash.
That said, I am unable to specifically trigger this any way other than using IntelliJ 2018.2 under Oracle JDK 1.8_181 for a significant amount of time. When it abends it may crash to the desktop, or crash Gnome completely. In either case, once that happens you get the unexpected behavior. IntelliJ is not running as root or sudo.
>> What Happens <<
Once the IntelliJ/JVM has crashed, until the system is fully rebooted, any time any user logs in or unlocks the terminal, the password they type in the login/unlock UI appears in plaintext on the terminal session you don't usually see. If one presses Ctrl+Alt+F1, that terminal screen will appear briefly, and on that terminal one can see all the passwords that any user has typed while logging in or unlocking since the crash occurred.
>> System Info <<
Ubuntu 18.04.1 LTS x64 installed clean less than 2 months ago. All hardware drivers are from the Ubuntu distribution and not a third party. IntelliJ and Oracle JDK are not from the Ubuntu repos.
Thank you,
Tom Carlisle
<email address hidden>
Here is a screenshot. Also, this screen is revealed once again briefly when the system is shut down or rebooted.