[SecurityRoadmap] Locked screen shows the desktop

Bug #390989 reported by Johan Ryberg
430
This bug affects 30 people
Affects Status Importance Assigned to Milestone
GNOME Screensaver
Expired
Critical
gnome-screensaver (Ubuntu)
Fix Released
Low
Unassigned
Nominated for Jaunty by Johan Ryberg

Bug Description

Ubuntu 9.04

When I lock the screen and arrives the next day, when I touch the keyboard and wakes the screen to enter my password an image of the desktop is shown under a very short period of time before the password prompt is shown.

If someone has a camera it's possible to take a photo of the screen of how it looked just before it was locked.

I'm using dual screen and a Nvidia built in driver. The image is shown in the laptop monitor, maybe on the extra screen that's cloned (hard to see because it's syncing to long to see).

Please let me know if you need more information.

Tags: precise
affects: ubuntu → gnome-screensaver (Ubuntu)
visibility: private → public
Changed in gnome-screensaver (Ubuntu):
status: New → Confirmed
Changed in gnome-screensaver (Ubuntu):
importance: Undecided → Low
Revision history for this message
Erwin Olario (gowin) wrote :

I'm using XFCE over Ubuntu 9.04 and I am experiencing the same issue.

This bug defeats the purpose of locking our screens to prevent others from viewing what we have on our desktops.

Revision history for this message
Jason Tackaberry (tack) wrote :

This bug can leak sensitive data. I can't fathom why this is considered low importance.

Rather than a flash of my entire desktop, I sometimes see only one or two windows which happen to be on the currently active workspace, while the remaining area is black. It's possible this is a compiz bug, or some problematic interaction between compiz and gnome-screensaver.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Thanks for reporting this issue.

Could you please take a look at the following debugging page and add the required information to this bug?

https://wiki.ubuntu.com/DebuggingScreenLocking

Changed in gnome-screensaver (Ubuntu):
status: Confirmed → Incomplete
assignee: nobody → rancor (therancor)
Revision history for this message
Pedro Villavicencio (pedro) wrote :

We are closing this bug report because it lacks the information we need to investigate the problem, as described in the previous comments. Please reopen it if you can give us the missing information, and don't hesitate to submit bug reports in the future. To reopen the bug report you can click on the current status, under the Status column, and change the Status back to New. Thanks again!.

Changed in gnome-screensaver (Ubuntu):
status: Incomplete → Invalid
Revision history for this message
Rebecca Palmer (rebecca-palmer) wrote :

I have the same bug in Maverick, Intel 965GM graphics on the internal monitor, desktop effects off.

It did not occur in Lucid (there I had bug 623561 instead).

Changed in gnome-screensaver (Ubuntu):
status: Invalid → New
Changed in gnome-screensaver (Ubuntu):
status: New → Confirmed
summary: - Locked screen shows the desktop
+ [SecurityRoadmap] Locked screen shows the desktop
Revision history for this message
Will (tcosprojects) wrote :

I ran into this bug on Ubuntu 11.04 with Compiz/Unity. I am using the open source radeon drivers (radeon 9600).

I came back to my computer and moved the mouse, my screen turned on and briefly displayed everything on my desktop and then went black and shows the lock screen dialog.

Revision history for this message
Dominik Menke (dmke) wrote :

I'm affected, too. I don't believe, this has something to do with drivers (I'm using nvidia-current) but I think, there is a flaw in the lock-mechanism.

Occasionally, my desktop does not just flashes, but reveals the running applications *on top* of the login field (see attached screen shot).

I'm strongly confident, this is just another reason, why you can't use Ubuntu in companies (think of a payslip sheet at the accounting).

Revision history for this message
Laurent (splater) wrote :

Same here with ubuntu 12-04beta1 with nvidia-current driver

Revision history for this message
Ivan Frederiks (idfred) wrote :

Same stuff on Ubuntu 12.04 x86_64, Radeon HD3200 with opensource driver.

tags: added: precise
Changed in gnome-screensaver (Ubuntu):
assignee: Johan Ryberg (jryberg) → nobody
Revision history for this message
Marius B. Kotsbak (mariusko) wrote :

Same with Nvidia closed source driver. Also using Unity interface.

Revision history for this message
Moritz Winter (winter-moritz) wrote :

I'm having this issue since a long time, but yesterday was the first time I could even actually click on the open programs and the period till the locking-screen appeared was very long (~ 10 sec)

Ubuntu 12.04 x86_64, ATI RV730 PRO [Radeon HD 4650]

Revision history for this message
Johan Ryberg (jryberg) wrote :

I think this problem is worse now.

This morning I opened the lid to the laptop and I could see the entire desktop for over 1 minute but the system was not responsive but i could see the mouse and I could bring Unity sidebar to front. I do think I could change focus on witch windows should be in front (little unsure)

Suddenly the locked screen window appeared and after I logged in again the system started to work as usual

johan@ubuntu-devnull:/etc/network$ uname -a
Linux ubuntu-devnull 3.2.0-24-generic #37-Ubuntu SMP Wed Apr 25 08:43:22 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

johan@ubuntu-devnull:/etc/network$ cat /etc/issue.net
Ubuntu 12.04 LTS

Revision history for this message
Pete J (jm4jann) wrote :

Had the issue today. Was working nearby with the screen timed out for more than 5 or 10 mins (black/blank). I assumed it was locked. To wake it, I started typing my password and hit enter only to find that I had sent my password to a co-worker over IM. I was able to chat with him for at least 30 seconds before the screen locked.
I beleive this to be a huge security risk. Please promote this to a high priority.

Revision history for this message
Pete J (jm4jann) wrote :

I should add that this is on an HP8540w notebook.
nVidia driver 295.40 on Quadro FX 880M 1GB
Running Twinview dual screens on docking station (lid closed):
HP LP2475w (DFP-1) + DELL 1908FP (CRT-0)

"Had the issue today. Was working nearby with the screen timed out for more than 5 or 10 mins (black/blank). I assumed it was locked. To wake it, I started typing my password and hit enter only to find that I had sent my password to a co-worker over IM. I was able to chat with him for at least 30 seconds before the screen locked.
I beleive this to be a huge security risk. Please promote this to a high priority."

Revision history for this message
Pete J (jm4jann) wrote :

Ubuntu 12.04 x86_64 on HP8540w notebook.
nVidia driver 295.40 on Quadro FX 880M 1GB
Running Twinview dual screens on docking station (lid closed):
HP LP2475w (DFP-1) + DELL 1908FP (CRT-0)

"Had the issue today. Was working nearby with the screen timed out for more than 5 or 10 mins (black/blank). I assumed it was locked. To wake it, I started typing my password and hit enter only to find that I had sent my password to a co-worker over IM. I was able to chat with him for at least 30 seconds before the screen locked.
I beleive this to be a huge security risk. Please promote this to a high priority."

Sorry for the multiple posts...
https://bugs.launchpad.net/launchpad/+bug/119420

Changed in gnome-screensaver:
importance: Unknown → Critical
status: Unknown → New
Revision history for this message
Johan Ryberg (jryberg) wrote : Re: [Bug 390989] Re: [SecurityRoadmap] Locked screen shows the desktop

It's great news to change it to Critical but it has been this way for
2 years now.

I hope this issue will be fixed now =)

2012/7/25 Bug Watch Updater <email address hidden>:
> ** Changed in: gnome-screensaver
> Status: Unknown => New
>
> ** Changed in: gnome-screensaver
> Importance: Unknown => Critical
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/390989
>
> Title:
> [SecurityRoadmap] Locked screen shows the desktop
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/gnome-screensaver/+bug/390989/+subscriptions

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

This issue is related to the fact that the screensaver must grab the keyboard and mouse, but can do so if other applications already have a grab on them.

There is no current solution to this problem with the way X is designed.

See:
https://wiki.ubuntu.com/DebuggingScreenLocking#Screen_is_shown.2C_and_then_screensaver_activates_again

Revision history for this message
Gabriel (misc-evotex) wrote :

On 07/25/2012 07:13 PM, Marc Deslauriers wrote:
> This issue is related to the fact that the screensaver must grab the
> keyboard and mouse, but can do so if other applications already have a
> grab on them.
>
> There is no current solution to this problem with the way X is designed.
>
> See:
> https://wiki.ubuntu.com/DebuggingScreenLocking#Screen_is_shown.2C_and_then_screensaver_activates_again
>

It used to not do that...so unless X was redesigned in between Ubuntu
versions it must be something else.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

It's always done this. Even xscreensaver had this issue.

Revision history for this message
Gabriel (misc-evotex) wrote :

On 07/25/2012 11:13 PM, Marc Deslauriers wrote:
> It's always done this. Even xscreensaver had this issue.
>
ok...so I've only noticed it when upgrading...maybe it was really fast
before so I didn't notice it and now it is slow as hell?

piotr zimoch (ebytyes)
Changed in gnome-screensaver (Ubuntu):
status: Confirmed → New
status: New → Incomplete
status: Incomplete → Invalid
status: Invalid → Confirmed
status: Confirmed → In Progress
status: In Progress → Fix Committed
status: Fix Committed → Fix Released
Changed in gnome-screensaver:
status: New → Expired
Revision history for this message
123vier (flowrist) wrote :

This is still an issue in 15.10.

Revision history for this message
Daniel Holz (daniel-holz91) wrote :

The problem still occurs with 16.04.

Revision history for this message
Suor (suor-web) wrote :

I'am on 16.10 and it is still here.

To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.