Desktop contents displayed on resume, before lock screen is shown

Bug #1280300 reported by Steve Magoun on 2014-02-14
This bug affects 78 people
Affects Status Importance Assigned to Milestone
gnome-screensaver (Ubuntu)
Medium
Unassigned

Bug Description

I am running 14.04. When I resume from sleep, the contents of my desktop (including any open windows, emails, etc) are displayed onscreen briefly before the unlock screen is shown. This potentially allows an attacker to view the contents of a locked screen.

To reproduce:
1) Suspend a machine, e.g. by closing the lid
2) Resume the machine

Expected results:
Upon resume, the first thing shown onscreen is the screensaver unlock screen.

Actual results:
Upon resume, the first thing shown onscreen is the set of open windows that were displayed before the machine was put to sleep. After a second or two, the unlock screen is drawn and you have to enter a password to unlock the machine.

This is reproducible on my system.

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: gnome-screensaver 3.6.1-0ubuntu9
ProcVersionSignature: Ubuntu 3.13.0-8.28-generic 3.13.2
Uname: Linux 3.13.0-8-generic x86_64
ApportVersion: 2.13.2-0ubuntu2
Architecture: amd64
CurrentDesktop: Unity
Date: Fri Feb 14 09:05:50 2014
DistributionChannelDescriptor:
 # This is a distribution channel descriptor
 # For more information see http://wiki.ubuntu.com/DistributionChannelDescriptor
 canonical-oem-somerville-precise-amd64-20130203-1
EcryptfsInUse: Yes
GnomeSessionIdleInhibited: No
GnomeSessionInhibitors: None
GsettingsGnomeSession:
 org.gnome.desktop.session session-name 'ubuntu'
 org.gnome.desktop.session idle-delay uint32 300
InstallationDate: Installed on 2013-12-02 (73 days ago)
InstallationMedia: Ubuntu 12.04 "Precise" - Build amd64 LIVE Binary 20130203-13:50
SourcePackage: gnome-screensaver
UpgradeStatus: Upgraded to trusty on 2014-02-12 (1 days ago)

Steve Magoun (smagoun) wrote :
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in gnome-screensaver (Ubuntu):
status: New → Confirmed

It has a moderate impact on a core package.

information type: Public → Public Security
Changed in gnome-screensaver (Ubuntu):
importance: Undecided → Medium
Steve Magoun (smagoun) on 2014-03-26
tags: added: rls-t-incoming
tags: added: lockscreen
tags: added: resume suspend
Pander (pander) on 2015-11-17
tags: added: 15.10
cuc (cuc+) wrote :

Happens with GNOME 3.16 on Ubuntu 15.10.
Do you need any more information? Is this being worked on?

GrandVizier (grandvizier) wrote :

I did not experience it on my machine prior to 15.10, but after upgrading to 15.10 it happens consistently every time when resuming from suspend.

Still seeing this bug in Ubuntu 15.10 64-bit with Unity 3D, and have seen it in every Ubuntu version going back to at least 2011, across several different laptops from different manufacturers (Chromebook, Thinkpad, and Dell something-or-other). It happens reliably every time I resume from suspend - doesn't matter if I suspended through the menu or by closing the lid.

How is this not considered a major security bug? If someone steals my laptop they can see anything I was doing before suspending. Information leakage like this should be treated as high priority.

Gatonegro (gatonegro) wrote :

Still seeing this bug (Ubuntu-Gnome 15.10, with Gnome 3) too.
I too think this is a security issue. They don't even need to steal my laptop -- just flip it open and power it on briefly, and be ready with a smartphone to take a picture of the screen contents.

Daniel (daniel-nuest) wrote :

I also have this issue (Ubuntu 15.10, Lenovo T450s), every time.

Lnerd (logangarbarini) wrote :

I have this issue with both Unity and Gnome 3. Running Ubuntu 15.10 on an Asus Zenbook UX305.

I've also been able to type briefly before it autolocks (see 830348).

thunder.glove (njknjnjhkn) wrote :

Yes me too, Ubuntu 15.10 Unity, Toshiba Chromebook 2. I've tried the below as I thought it was an issue with the screensaver after reading other sites. No luck:

gsettings set org.gnome.desktop.screensaver ubuntu-lock-on-suspend 'true'
sudo sed -i "s/NoDisplay=true/NoDisplay=false/g" /etc/xdg/autostart/*.desktop

Gabor (gabor-z) wrote :

Same here, Ubuntu 15.10 Unity. HP ProBook gd450

piratemurray (mez-pahlan) wrote :

Dell Inspiron 15
Ubuntu 15.10
3.6.1-7ubuntu1

Happy to troubleshoot if needed.

Kerry (java-avionicengineers) wrote :

I have the same defect on HP Envy, Ubuntu 15.10

Vincenzo Di Somma (vds) wrote :

Same issue on Dell XPS 13 2015 (9343) Ubuntu 15.10.

Having this on a Dell Prestige 3510, with Ubuntu 15.10 and XFCE

Martin Pool (mbp) wrote :

This security bug has been open for 4.5 years now.

Seth Arnold (seth-arnold) wrote :

mbp, this looks like a 'garbage pit' style bug report; the original complaint from two years ago is filed against gnome-screensaver but the automatically included text reports unity was being used. Comments since then include complaints about xfce and gnome 3 environments too.

There's no actionable information in any of this report, and furthermore there have been a half-dozen fixes to most of the screenlockers mentioned in this report along the way because for some reason the screenlockers seem to re-introduce the same bugs every cycle.

If you're seeing an issue, please just file a new bug. This one has grown useless because it's not specific enough to anything to actually fix.

Thanks

Changed in gnome-screensaver (Ubuntu):
status: Confirmed → Invalid
Vadim Andryuschenko (gvaduha) wrote :

seth-arnold, imho, this problem is systematically reported in different versions of Ubuntu with different desktop environments and seems to be ignored by developers. The security threat is severe and the root of the problem lies much deeper than patching a concrete combination of components. I confess I don't know and am not going to investigate the problem (although as a software developer I do want to hear about its causes), but could you, as a member of the security team, explain to us why you don't refactor or redesign this? And we as system users would be pleased if some tech guy investigated the problem and opened a new "correct" bug instead of switching the bug to the invalid state, practically sinking it into the "garbage pit".

There is no offence in my comment, but for many reasons lots of people can't use OSes with such security holes and this is very disappointing.

Marc Deslauriers (mdeslaur) wrote :

There is no way to fix this as long as X11 is still being used. Lock screen timing issues are usually caused by a few different things:

1- Hardware issues. Certain models of computers have known issues where they don't generate the proper events when the laptop lid is closed or the suspend hotkey is pressed. In those cases, the laptop will enter the suspend state before notifying the OS, which results in the screen not being locked when the laptop wakes up. These issues need to be addressed with a firmware update, or with a quirk being added to whatever platform specific driver is in the kernel. This is the type of thing that is tested and fixed when a laptop gets certified and preloaded with Ubuntu.

2- Actual bugs in the screen locking code. This has happened in the past, and still occurs occasionally.

3- X11 not allowing the screen lock to forcibly remove keyboard and mouse grabs. This is the major reason why screen locking will never work reliably as long as we haven't switched to Wayland or Mir. For the screen to lock, it must be able to exclusively grab the keyboard or mouse. Unfortunately, there is no way under X11 to forcibly remove a keyboard or mouse grab that belongs to another application. When this happens, for example when you have a menu open, or you're using software such as VirtualBox, the screen is unable to lock before the laptop goes into suspend mode.

Vadim Andryuschenko (gvaduha) wrote :

Marc, thanks for such a detailed explanation and extremely fast response! It's grave news for me to hear that X11 is the major problem here. Would it be better if you publish it in the Ubuntu FAQ (or elsewhere) and close all these bugs with "won't fix" to make the community realize the point?

Marc Deslauriers (mdeslaur) wrote :

That's an excellent suggestion, I'll look into doing that. Thanks!

This bug started happening on my laptop after installing 16.04. With 12.04 there never was any problem and I never had this problem with an older laptop, from 8.04 to 15.10.

I'm running XDG_CURRENT_DESKTOP=GNOME-Flashback:Unity

Given the suggestion at #17 I'll open a new bug for that DE. Everybody should open a new bug for the DE you use.

Mike Jones (7-ubuntuone-kenl) wrote :

Below is a workaround I use.

*********
#!/bin/sh
viewnior --fullscreen '/home/user_name/Images/My solid color image which obscures my desktop.png' && sleep 2 && dbus-send --system --print-reply --dest=org.freedesktop.login1 /org/freedesktop/login1 "org.freedesktop.login1.Manager.Suspend" boolean:true && i3lock -i '/home/user_name/Images/My image I like to look at when my computer wakes up.png' -p default -n
*********

I lock my screen with a keyboard shortcut I created in Xubuntu which I associated with the above script.

After my computer wakes up I need to exit Viewnior (the image viewer I am using) so that the file called "My solid color image which obscures my desktop.png" disappears.

I suppose the extra step would not be necessary if someone with some technical knowledge would explain how to cause i3lock to exit the image viewer after the computer wakes up.

I use "viewnior --fullscreen" instead of "viewnior -f" because the latter didn't seem to work in a terminal. I suppose this was a result of my using a French language terminal.

Also, if you need to resize your image because you want it to appear centered on the screen, there's no need to install GIMP or any other draw or paint application.

I used Google Drawings to resize "My solid color image which obscures my desktop.png" to match my screen size which is 1366 x 768 pixels. I went to File–>Page configuration–>Customize and typed 1366 then 768 and chose pixels.

Then I downloaded "My solid color image which obscures my desktop.png" to my local drive.

I suppose if the developer(s) of this app were to provide a detailed explanation of the above in a message, say the first five times a new image were used in i3lock, it would help new users quickly and easily lock their screen securely and ensure their images were centered on the screen.

Mike Jones (7-ubuntuone-kenl) wrote :

The workaround below fixes a bug in the above workaround:

*********
#!/bin/sh
viewnior --fullscreen '/home/user_name/Images/My solid color image which obscures my desktop.png' &
sleep 2 &&
dbus-send --system --print-reply --dest=org.freedesktop.login1 /org/freedesktop/login1 "org.freedesktop.login1.Manager.Suspend" boolean:true && i3lock -i '/home/user_name/Images/My image I like to look at when my computer wakes up.png' -p default -n
*********

gethin (gethinlw) wrote :

Another workaround that I used for Cinnamon. I can't imagine it would be too much trouble to adapt it to other window managers:

1. Use dconf-editor to change the button-suspend action at org>cinnamon>settings-daemon>plugins>power to 'nothing' (you could also amend lid-close-ac-action and lid-close-battery-action as well if you're using a laptop).

2. Save the following script to a convenient location (it locks the screen, then suspends):

#!/bin/bash
cinnamon-screensaver-command -l
systemctl suspend

3. Use the System Settings app (cinnamon-settings) to create a custom keybinding for the sleep key that points to the script.

After this it behaves as it should. You can see the lock screen pop up briefly before it goes to sleep, which is reassuring.

Seth Arnold (seth-arnold) wrote :

gethin, that seems plausibly like it could suffer from the same problems as #49579 -- if you have a menu open or a virtualbox window to a guest or similar, the screensaver 'lock' command may not be able to lock the display.

That's why we recommend using the lock interface in the menus or keyboard shortcuts, because both will either succeed easily or visibly fail before you make the next step manually.

Thanks
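
Added example, not part of the thread and not Ubuntu or Cinnamon code: a variant of the lock-then-suspend script above that handles the failure mode raised in this comment and in the earlier X11 grab explanation, by suspending only after the screensaver reports that the lock engaged. It assumes `cinnamon-screensaver-command -q` prints a line containing "is active" when locked; the `--run` switch and the environment-variable overrides are conventions of this example only.

```shell
#!/bin/sh
# Lock, confirm the lock engaged, and only then suspend.
# Assumption: the query command prints "... is active" once the screen is locked.
LOCK_CMD=${LOCK_CMD:-"cinnamon-screensaver-command -l"}
QUERY_CMD=${QUERY_CMD:-"cinnamon-screensaver-command -q"}
SUSPEND_CMD=${SUSPEND_CMD:-"systemctl suspend"}
WAIT_TRIES=${WAIT_TRIES:-5}        # number of polls before giving up
POLL_INTERVAL=${POLL_INTERVAL:-1}  # seconds between polls

# True only when the screensaver reports itself active (i.e. locked).
# "is inactive" does not contain the string "is active", so the match is safe.
is_locked() {
    $QUERY_CMD 2>/dev/null | grep -q 'is active'
}

# Returns 0 after suspending, 1 if the lock command failed,
# 2 if the lock never engaged (for example, another client holds a grab).
lock_then_suspend() {
    $LOCK_CMD || { echo "lock command failed; not suspending" >&2; return 1; }
    tries=0
    while [ "$tries" -lt "$WAIT_TRIES" ]; do
        if is_locked; then
            $SUSPEND_CMD
            return $?
        fi
        sleep "$POLL_INTERVAL"
        tries=$((tries + 1))
    done
    echo "screen did not lock; not suspending" >&2
    return 2
}

# Only act when asked to, so the file can be sourced safely.
case "${1:-}" in
    --run) lock_then_suspend ;;
esac
```

Bind the sleep key to the script with `--run`; a non-zero exit status means the machine was deliberately left awake because the lock could not be confirmed.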

joncamfield (jon-camfield) wrote :

Same issue on a Lenovo t440s, Ubuntu 17.10 (Gnome shell).

Getting this as well on 16.04, but only recently. Started happening about 4 months ago. Mine is worse because I can open it up and start working on it. Sometimes I'll be on it for like 10 mins before it finally shuts me out and makes me login.

Paul (s-pael-m) wrote :

I have the same issue on Kubuntu 18.04. Is the NSA forcing someone to leave this in on purpose?

jezdonline (jezdonline) wrote :

I got the same security issue with Cairo Dock and Ubuntu 14.04 on an Acer Aspire E 14 ES1-411-28SF every time the laptop wakes up.

I tried to put a command on the sleep event but this occurs on wake up.

Michal (michal-novotny2) wrote :

I experience the same bug. I am running a freshly installed Ubuntu 18.04 with Unity.

gregreen (gregreen) wrote :

I also experience this buggy behavior on a fresh install of Ubuntu 18.04, using the default Gnome Shell desktop. This bug has been around for at least 7 years (see https://bugs.launchpad.net/ubuntu/+source/unity-2d/+bug/830348). How is it still unaddressed?

This report contains Public Security information
Everyone can see this security related information.