Unity lockscreen lets applications capture keyboard input

Bug #1348668 reported by Eddie Dunn on 2014-07-25
This bug affects 2 people

| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Unity | New | Undecided | Unassigned | |
| unity (Ubuntu) | | Undecided | Unassigned | |

Bug Description

I noticed that with the Vimium extension activated in Google Chrome, I cannot unlock Unity's lockscreen because keyboard input is hijacked by Vimium. The lockscreen really should not let this happen, and it can even be considered a potential security vulnerability as it might allow applications to capture a user's password.

I have noticed this before as well when using another application, though I can't remember which one it was at the moment.

The workaround is to use the mouse to choose the Switch user-option, but this is really not obvious to anyone who might encounter this bug.

Eddie Dunn (eddie-dunn) wrote :

I have discovered that Dell has published a package here[1] which contains a deb package `workaround-screen-lock-malfunction_1_all.deb` that seemingly fixes this issue. Whether this is still a valid bug for the Unity lockscreen is difficult for me to say, but I will leave it as is, until someone more knowledgeable takes a look at it.

I was running a vanilla version of 14.04 on the Dell XPS9333, with no special Dell packages installed when experiencing the lockscreen issue.

[1]: http://www.dell.com/support/drivers/us/en/04/DriverDetails/Product/xps-13-9333?driverId=4NTWR

information type: Private Security → Public

That affects different Google Chrome inputs. Address bar, Google search bar, Google Keep inputs and so on. It's not limited to a special extension. (I use a Zenbook Prime UX31A with Ubuntu 14.04 running.) Maybe other programs are affected too, but I don't think so. Can't reproduce it with Gedit for example.

Eddie Dunn (eddie-dunn) wrote :

Good to know. From the back of my mind, I can confirm that running Firefox, vim, Terminator, or Gedit in the foreground does not affect the lock screen. In other words the bug lies with the interaction between Unity Lockscreen and Google Chrome.

Also, related to my previous comment, forget what I wrote there. I think `workaround-screen-lock-malfunction_1_all.deb` is meant to fix something else, and so is totally unrelated to this bug. I have had the issue after installing it.

Diego Berrocal (cestdiego) wrote :

I can confirm this too. The first time it happened I freaked out; my workaround is to change input methods in the icon in the top panel. But this should be like this, I agree that no lockscreen should behave like this. This only happens with Google Chrome. As I have the Vimium extension too, I find to my surprise that I was opening a web page with half of my password on it. I mean, c'mon, that's not secure.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in unity (Ubuntu):
status: New → Confirmed