Ubuntu
unity package

Unity lockscreen lets applications capture keyboard input

Bug #1348668 reported by Eddie Dunn
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Unity
New
Undecided
Unassigned
unity (Ubuntu)
Confirmed
Undecided
Unassigned

Bug Description

I noticed that with the Vimium extension activated in Google Chrome, I cannot unlock Unity's lockscreen because keyboard input is hijacked by Vimium. The lockscreen really should not let this happen, and it can even be considered a potential security vulnerability as it might allow applications to capture a user's password.

I have noticed this before as well when using another application, though I can't remember which one it was at the moment.

The workaround is to use the mouse to choose the Switch user-option, but this is really not obvious to anyone who might encounter this bug.

Revision history for this message
Eddie Dunn (eddie-dunn) wrote :

I have discovered that Dell has published a package here[1] which contains a deb package `workaround-screen-lock-malfunction_1_all.deb` that seemingly fixes this issue. Whether this is still a valid bug for the Unity lockscreen is difficult for me to say, but I will leave it as is, until someone more knowledgeable takes a look at it.

I was running a vanilla verison of 14.04 on the Dell XPS9333, with no special Dell packages installed when experiencing the lockscreen issue.

[1]: http://www.dell.com/support/drivers/us/en/04/DriverDetails/Product/xps-13-9333?driverId=4NTWR

Seth Arnold (seth-arnold)
information type: Private Security → Public
Revision history for this message
Ryan Klarhölter (ryanklarhoelter) wrote :

That affects different Google Chrome inputs. Address bar, Google search bar, Google Keep inputs and so on. It's not limited to a special extension. (I use a Zenbook Prime UX31A with Ubuntu 14.04 running.) Maybe other programs are affected too, but I don't think so. Can't reproduce it with Gedit for example.

Revision history for this message
Eddie Dunn (eddie-dunn) wrote :

Good to know. From the back of my mind, I can confirm that running Firefox, vim, Terminator, or Gedit in the foreground does not affect the lock screen. In other words the bug lies with the interaction between Unity Lockscreen and Google Chrome.

Also, related to my previous comment, forget what I wrote there. I think `workaround-screen-lock-malfunction_1_all.deb` is meant to fix something else, and so is totally unrelated to this bug. I have had the issue after installing it.

Revision history for this message
Diego Berrocal (cestdiego) wrote :

I can confirm this too, the first time it happened I freaked out, my workaround is to change input methods in the icon in the top panel. But this should be like this, I agree that no lockscreen should behave like this. This only happens with Google Chrome. As I have the vimium extension too I find to my surprise that I was opening a web page with half of my password on it. I mean, c'mon that's not secure.

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in unity (Ubuntu):
status: New → Confirmed
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.