Easy keylogging of user password
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
policykit-1 (Ubuntu) | Invalid | Undecided | Unassigned |
Bug Description
OS: Ubuntu 11.10 amd64 with gnome-classic session.
I've found that the program most used for user authentication in Ubuntu is pkexec. The problem is that this program does not lock the keyboard (while gksu does).
For example, the program xneur (an analog of puntoswitcher) can log keystrokes. When I turned on this option, I found my password, which is used to authenticate applications, in this log (this password can be used to get access to root).
Steps to reproduce
1) XNeur is used as the keylogger, but the version in the Ubuntu repository doesn't work correctly.
I used xneur from the repository of its authors
ppa:andrew-
Start xneur with the command: "gxneur"
2) Enable keylogging:
2.1) Click with the second mouse button on the xneur icon in the system tray to get the popup menu and click Preferences
2.2) Go to the tab called "log" and check "Enable keyboard logging", then press "OK"
2.3) Logfile is accessible in "$HOME/
3) Launch an application that uses pkexec:
3.1) In "synaptic-pkexec", write your password, then hit "Enter"
3.2) "gnome-
4) Check out the log file "$HOME/
Could you please give the steps necessary to reproduce this? Thanks.