Lock/login screen displays password in clear text occasionally

Bug #1772791 reported by Roshan George
This bug affects 7 people
Affects: GNOME Shell | Status: Fix Released | Importance: Unknown
Affects: gnome-shell (Ubuntu) | Status: Fix Released | Importance: High | Assigned to: Unassigned

Bug Description

Hello, folks,

Today when I returned to my computer (which I locked with Super+L) and attempted to unlock it, it displayed my passphrase in cleartext in the 'Password' box. I noticed as soon as I got the first character in, then typed in the second character and it stayed clear. I then picked up my phone to record the attached video and while I was fiddling with it to get a good camera shot, the screen locked (for inactivity perhaps?) and when I unlocked this time, the password only displayed as dots (as expected).

So unfortunately, I don't know how to replicate. It _did_ occur though, as the attached video will show if you go slowly (look for "hu", the first characters of legendary password "hunter2").

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: xorg 1:7.7+19ubuntu7
ProcVersionSignature: Ubuntu 4.15.0-20.21-generic 4.15.17
Uname: Linux 4.15.0-20-generic x86_64
NonfreeKernelModules: livepatch_livepatch_Ubuntu_4_15_0_20_21_generic_
ApportVersion: 2.20.9-0ubuntu7
Architecture: amd64
BootLog: Error: [Errno 13] Permission denied: '/var/log/boot.log'
CompositorRunning: None
CurrentDesktop: ubuntu:GNOME
Date: Tue May 22 20:27:51 2018
DistUpgraded: Fresh install
DistroCodename: bionic
DistroVariant: ubuntu
ExtraDebuggingInterest: Yes, if not too technical
GraphicsCard:
 Subsystem: Dell HD Graphics 630 [1028:07a1]
 Advanced Micro Devices, Inc. [AMD/ATI] Oland [Radeon HD 8570 / R7 240/340 OEM] [1002:6611] (rev 87) (prog-if 00 [VGA controller])
   Subsystem: Dell Oland [Radeon HD 8570 / R7 240/340 OEM] [1028:1002]
InstallationDate: Installed on 2018-05-02 (21 days ago)
InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
Lsusb:
 Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
 Bus 001 Device 003: ID 04d9:a0d5 Holtek Semiconductor, Inc.
 Bus 001 Device 002: ID 046d:c338 Logitech, Inc.
 Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
MachineType: Dell Inc. OptiPlex 7050
ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-4.15.0-20-generic root=UUID=9d600b65-ce52-4147-aace-2de5ac8c3c34 ro quiet splash
SourcePackage: xorg
Symptom: display
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 01/30/2018
dmi.bios.vendor: Dell Inc.
dmi.bios.version: 1.7.9
dmi.board.name: 0NW6H5
dmi.board.vendor: Dell Inc.
dmi.board.version: A00
dmi.chassis.type: 3
dmi.chassis.vendor: Dell Inc.
dmi.modalias: dmi:bvnDellInc.:bvr1.7.9:bd01/30/2018:svnDellInc.:pnOptiPlex7050:pvr:rvnDellInc.:rn0NW6H5:rvrA00:cvnDellInc.:ct3:cvr:
dmi.product.family: OptiPlex
dmi.product.name: OptiPlex 7050
dmi.sys.vendor: Dell Inc.
version.compiz: compiz N/A
version.libdrm2: libdrm2 2.4.91-2
version.libgl1-mesa-dri: libgl1-mesa-dri 18.0.0~rc5-1ubuntu1
version.libgl1-mesa-glx: libgl1-mesa-glx 18.0.0~rc5-1ubuntu1
version.xserver-xorg-core: xserver-xorg-core 2:1.19.6-1ubuntu4
version.xserver-xorg-input-evdev: xserver-xorg-input-evdev N/A
version.xserver-xorg-video-ati: xserver-xorg-video-ati 1:18.0.1-1
version.xserver-xorg-video-intel: xserver-xorg-video-intel 2:2.99.917+git20171229-1
version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau 1:1.0.15-2

Roshan George (roshan-george) wrote :
affects: xorg (Ubuntu) → gdm3 (Ubuntu)
Daniel van Vugt (vanvugt) wrote : Re: Lock Screen displayed password in clear text on one occasion

The GUI that handles the text input is part of gnome-shell. So also assigning this bug to gnome-shell. In fact it's more likely gnome-shell than gdm3.

information type: Public → Public Security
tags: added: unlock
summary: - Lock Screen displayed password on one occasion
+ Lock Screen displayed password in clear text on one occasion
Greg Price (gregprice) wrote :

I just ran into the same behavior. I typed my password quickly and automatically into the lock/login screen... and was disturbed to see the whole thing right there in plaintext as I was hitting enter.

I poked at it a bit, and here's a reproducer:
* Go to the lock/login screen.
* Right-click on the password input field. You get a little popup menu.
* One of the options is "Show Text". If you choose that option, the password input now shows in plain text.

I'm pretty sure I wasn't anywhere near the mouse when I originally saw this behavior, so I suppose there's some keyboard sequence that invokes the same option. I must have mashed that as I was getting the screen to wake up.

I see why this feature could sometimes be useful when encountering an unfamiliar keyboard layout, etc. But triggering it by accident is pretty startling; so I'd love to set an option to make it impossible to trigger. I can't find such an issue in the GNOME configuration, but I'm not at all confident the places I was able to find to look in are comprehensive.

There's an issue upstream (in gnome-shell) where someone asked for such an option:
https://bugzilla.redhat.com/show_bug.cgi?id=1506370

Also an older bug report where others ran into this behavior by accident (the reproducer someone found there was helpful to my finding a reproducer, though that exact sequence doesn't do it for me on gnome-shell 3.28):
https://bugzilla.redhat.com/show_bug.cgi?id=1178806

There's even a RH Knowledge Base article for the question of how to disable it!
https://access.redhat.com/solutions/3224961
That's marked "Solution Verified", which sure sounds like there is a way... but without a Red Hat subscription, I can't see what it says. The open gnome-shell issue sure makes it sound like there isn't one.
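
Added example, not part of the comment above and not GNOME's or Ubuntu's own code: GNOME releases newer than the 3.28 discussed here ship a `disable-show-password` key in the `org.gnome.desktop.lockdown` schema, and this sketch writes and verifies a locked system-wide dconf default for it. The helper names, the file name `00-disable-show-password`, and the assumption that the dconf profile reads the `local` (user session) or `gdm` (login screen) database are this example's own.

```shell
#!/bin/sh
# Added example: lock down the password "Show Text" reveal through dconf.
# Assumptions: the installed schema has org.gnome.desktop.lockdown
# disable-show-password, and /etc/dconf/profile/* lists "system-db:<DB>".

KEY_DIR='org/gnome/desktop/lockdown'
KEY_NAME='disable-show-password'
FILE_NAME='00-disable-show-password'   # hypothetical file name

# write_lockdown ROOT [DB]: create the keyfile and its lock under
# ROOT/etc/dconf/db/DB.d (DB defaults to "local"; use "gdm" for the greeter).
write_lockdown() {
    db_dir="${1:-}/etc/dconf/db/${2:-local}.d"
    mkdir -p "$db_dir/locks" || return 1
    # Keyfile: the system default value.
    printf '%s\n' "[$KEY_DIR]" "$KEY_NAME=true" \
        > "$db_dir/$FILE_NAME" || return 1
    # Lock: stops a per-user setting from overriding the default.
    printf '%s\n' "/$KEY_DIR/$KEY_NAME" \
        > "$db_dir/locks/$FILE_NAME" || return 1
}

# check_lockdown ROOT [DB]: succeed only if the value AND the lock exist.
# A value without a lock can still be changed back in the user's session.
check_lockdown() {
    db_dir="${1:-}/etc/dconf/db/${2:-local}.d"
    grep -qxF "$KEY_NAME=true" "$db_dir/$FILE_NAME" 2>/dev/null &&
        grep -qxF "/$KEY_DIR/$KEY_NAME" "$db_dir/locks/$FILE_NAME" 2>/dev/null
}

# effective_value: what the running session actually sees; prints
# "unsupported" when the schema on this release has no such key.
effective_value() {
    gsettings get org.gnome.desktop.lockdown "$KEY_NAME" 2>/dev/null ||
        echo unsupported
}

# Typical use, as root, followed by recompiling the dconf databases:
#   write_lockdown "" local && write_lockdown "" gdm && dconf update
```

On a release as old as the one in this report, `effective_value` prints `unsupported`, and the files written here have no effect.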

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in gdm3 (Ubuntu):
status: New → Confirmed
Changed in gnome-shell (Ubuntu):
status: New → Confirmed
Daniel van Vugt (vanvugt) wrote :
description: updated
Changed in mutter (Ubuntu):
status: New → Confirmed
Changed in gdm3 (Ubuntu):
importance: Undecided → High
Changed in gnome-shell (Ubuntu):
importance: Undecided → High
Changed in mutter (Ubuntu):
importance: Undecided → High
summary: - Lock Screen displayed password in clear text on one occasion
+ Lock/login screen displays password in clear text occasionally
Alex Murray (alexmurray) wrote :

https://gitlab.gnome.org/GNOME/gnome-shell/issues/460#note_331931 seems to offer a pretty compelling explanation of why this might be seen inadvertently.

no longer affects: gdm3 (Ubuntu)
description: updated
no longer affects: mutter (Ubuntu)
Changed in gnome-shell (Ubuntu):
status: Confirmed → Triaged
Changed in gnome-shell:
status: Unknown → New
breo (xbcovelo) wrote :
tags: added: groovy
tags: removed: groovy
Tom Melshinker (tommel24) wrote :

Is there any update about it?

Chris Burgess (chris-giantrobot) wrote :

This happens when the feature to show password text is inadvertently activated, as can happen when keyboard mashing to wake device. Details in link by Alex in comment 7.

Changed in gnome-shell:
status: New → Fix Released
Daniel van Vugt (vanvugt) wrote :

Per the upstream bug: "Never seen this issue since v41.2"

If you continue to experience problems then please open a new bug by running:

  ubuntu-bug gnome-shell

Changed in gnome-shell (Ubuntu):
status: Triaged → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
