I can hack and access the lock screen without any given password through the shortcut keys of Alt+Shift.

Bug #1610085 reported by Jarurote Tippayachai on 2016-08-05
260
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Ubuntu
High
Unassigned

Bug Description

With frequently pressing the shortcut keys of Alt+Shift, we can hack and access through the lock screen without any given password.

See also
https://www.youtube.com/watch?v=s968NpIpdiQ

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: xorg 1:7.7+13ubuntu3
ProcVersionSignature: Ubuntu 4.4.0-31.50-generic 4.4.13
Uname: Linux 4.4.0-31-generic x86_64
.tmp.unity_support_test.0:

ApportVersion: 2.20.1-0ubuntu2.1
Architecture: amd64
CompizPlugins: No value set for `/apps/compiz-1/general/screen0/options/active_plugins'
CompositorRunning: compiz
CompositorUnredirectDriverBlacklist: '(nouveau|Intel).*Mesa 8.0'
CompositorUnredirectFSW: true
Date: Fri Aug 5 13:11:19 2016
DistUpgraded: 2016-07-29 16:02:34,562 ERROR got error from PostInstallScript ./xorg_fix_proprietary.py (Failed to execute child process "./xorg_fix_proprietary.py" (No such file or directory))
DistroCodename: xenial
DistroVariant: ubuntu
GraphicsCard:
 Intel Corporation Xeon E3-1200 v2/3rd Gen Core processor Graphics Controller [8086:0152] (rev 09) (prog-if 00 [VGA controller])
   Subsystem: Hewlett-Packard Company Xeon E3-1200 v2/3rd Gen Core processor Graphics Controller [103c:18dd]
InstallationDate: Installed on 2015-11-12 (266 days ago)
InstallationMedia: Ubuntu 14.04.3 LTS "Trusty Tahr" - Beta amd64 (20150805)
MachineType: Hewlett-Packard HP Compaq Pro 4300 AiO 20 PC
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.4.0-31-generic root=UUID=0dd8d4f8-3576-45ac-af4a-b79a43b4b17b ro quiet splash vt.handoff=7
SourcePackage: xorg
Symptom: display
UpgradeStatus: Upgraded to xenial on 2016-07-29 (6 days ago)
dmi.bios.date: 01/30/2013
dmi.bios.vendor: AMI
dmi.bios.version: 8.08
dmi.board.asset.tag: 3CR3200N71
dmi.board.name: 18DD
dmi.board.vendor: PEGATRON CORPORATION
dmi.board.version: 1.02
dmi.chassis.asset.tag: 3CR3200N71
dmi.chassis.type: 3
dmi.chassis.vendor: Hewlett-Packard
dmi.modalias: dmi:bvnAMI:bvr8.08:bd01/30/2013:svnHewlett-Packard:pnHPCompaqPro4300AiO20PC:pvr1.00:rvnPEGATRONCORPORATION:rn18DD:rvr1.02:cvnHewlett-Packard:ct3:cvr:
dmi.product.name: HP Compaq Pro 4300 AiO 20 PC
dmi.product.version: 1.00
dmi.sys.vendor: Hewlett-Packard
version.compiz: compiz 1:0.9.12.2+16.04.20160714-0ubuntu1
version.ia32-libs: ia32-libs N/A
version.libdrm2: libdrm2 2.4.67-1ubuntu0.16.04.1
version.libgl1-mesa-dri: libgl1-mesa-dri 11.2.0-1ubuntu2.1
version.libgl1-mesa-dri-experimental: libgl1-mesa-dri-experimental N/A
version.libgl1-mesa-glx: libgl1-mesa-glx 11.2.0-1ubuntu2.1
version.xserver-xorg-core: xserver-xorg-core 2:1.18.3-1ubuntu2.3
version.xserver-xorg-input-evdev: xserver-xorg-input-evdev 1:2.10.1-1ubuntu2
version.xserver-xorg-video-ati: xserver-xorg-video-ati 1:7.7.0-1
version.xserver-xorg-video-intel: xserver-xorg-video-intel 2:2.99.917+git20160325-1ubuntu1
version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau 1:1.0.12-1build2
xserver.bootTime: Fri Aug 5 09:34:43 2016
xserver.configfile: default
xserver.errors:

xserver.logfile: /var/log/Xorg.0.log
xserver.outputs:
 product id 16930
 vendor HWP
xserver.version: 2:1.18.3-1ubuntu2.3

Jarurote Tippayachai (jarurote) wrote :
Jarurote Tippayachai (jarurote) wrote :

I can hack and access the lock screen without any given password with Alt+Shift shortcut keys as shown in this links:

https://www.youtube.com/watch?v=s968NpIpdiQ

Paul White (paulw2u) wrote :

Obviously not an xorg problem.

Assigning to Ubuntu pending reassignment to the correct package.

affects: xorg (Ubuntu) → ubuntu
Jarurote Tippayachai (jarurote) wrote :

I have forgot to say that I cannot switch the language between Thai and English with Alt+Shift shortcut keys on the lock screen after upgrading my Ubuntu OS from 14.04 LTS to 16.04 LTS, but it is also appeared the crash screen as shown in YouTube.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ubuntu:
status: New → Confirmed
information type: Public → Public Security
Changed in ubuntu:
importance: Undecided → High
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers