gdm user switcher allows desktop preview w/o passwd

Bug #618517 reported by What, me urgent? on 2010-08-16
This bug affects 1 person
Affects: gdm (Ubuntu)
Importance: Low
Assigned to: Unassigned

Bug Description

Binary package hint: gdm

00] Environment - two user accounts open. Switching between the accounts is being done using the gnome-panel applet identified as "Log Out" (it has a default icon of a white portrait with an orange hand).

01] The switcher displays clearly and in full focus the desktop and open windows of the target (the account TO which the switch was requested).

02] After slightly less than a full second, the screen changes to black, with the correct (if cosmetically quite ugly) authentication screen.

WHAT I EXPECTED TO HAPPEN: not to get an unauthorized glimpse at the potentially private desktop and open windows of another user, without any authentication. I suppose James Bond might have a sneaky camera hidden in his cell phone to photograph or video the event and squeal to the Brits. Then where would we all be?

But seriously, it is a security compromise, and the duration might be variable, or possibly be able to be modified to be variable.

ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: gdm 2.30.2.is.2.30.0-0ubuntu3 [modified: usr/share/gdm/gdm-greeter-login-window.ui]
ProcVersionSignature: Ubuntu 2.6.32-24.39-hostname 2.6.32.15+drm33.5
Uname: Linux 2.6.32-24-generic i686
Architecture: i386
Date: Mon Aug 16 01:26:39 2010
InstallationMedia: Ubuntu 10.04 LTS "Lucid Lynx" - Release i386 (20100429)
ProcEnviron:
 LANG=en_US.utf8
 SHELL=/bin/bash
SourcePackage: gdm

What, me urgent? (whatmeurgent) wrote :
visibility: private → public
Sebastien Bacher (seb128) wrote :

The bug is a duplicate of some other gdm or gnome-screensaver bugs.

Changed in gdm (Ubuntu):
importance: Undecided → Low
Changed in gdm (Ubuntu):
status: New → Confirmed
status: Confirmed → Triaged
status: Triaged → Confirmed
This report contains Public Security information
Everyone can see this security related information.