BQ (r24): terminal-app shows terminal data when asking for password

Bug #1488481 reported by Matthias Apitz on 2015-08-25
32
This bug affects 6 people
Affects Status Importance Assigned to Milestone
Ubuntu Terminal App
Critical
Evan McIntire

Bug Description

I have a terminal-app click package based on the original sources, but
which integrates the start of an application, the MUA 'mutt'. The same
problem described here is true for the original terminal-app, only less
visible because not in colors:

when the terminal is asking for the password, it makes already visible
data in the terminal window, best visible in landscape mode, see attachment.

Related branches

Matthias Apitz (gubu) wrote :
information type: Private Security → Public

I've seen this too, although only showing the default shell prompt, not a full app, it's still valid bug.

I would like to see us only launch the process in the terminal after the pin has correctly been entered.

Changed in ubuntu-terminal-app:
status: New → Confirmed
importance: Undecided → High
Matthias Apitz (gubu) on 2015-08-25
description: updated
Matthew Exon (ubuntubugs-mexon) wrote :

This isn't just a display issue. With a bluetooth keyboard attached you can also type commands, for example editing .ssh/authorized_keys. No doubt there are other ways a keyboard could be introduced into the equation, e.g. the USB socket. So that's bad.

Changed in ubuntu-terminal-app:
status: Confirmed → In Progress
assignee: nobody → Evan McIntire (mcintire-evan)
David Planella (dpm) on 2016-02-02
Changed in ubuntu-terminal-app:
importance: High → Critical
Seth Arnold (seth-arnold) wrote :

Excellent find re: the bluetooth keyboard. :) Very nice work.

I'm less worried about the process actually starting; the reasoning behind the prompt in the first place is that you ought to be able to hand your phone to a stranger and they ought not be able to completely own the phone just by fiddling with it for a bit. I don't think this password in the terminal was ever intended to provide any privacy mechanisms.

But interacting with the prompt via a bluetooth keyboard ought to be addressed; it's surprising and not at all obvious that it could happen.

Thanks

Fix committed into lp:ubuntu-terminal-app at revision None, scheduled for release in ubuntu-terminal-app, milestone 2014-12-11

Changed in ubuntu-terminal-app:
status: In Progress → Fix Committed
Changed in ubuntu-terminal-app:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers