External drive password prompts allow the focus to be changed creating security issue

Bug #1633602 reported by Greg Williams
This bug affects 1 person
Affects: unity (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

Issue: plugging in an external drive encrypted with dm-crypt/LUKS pops up a password prompt, but the window's focus is not locked to the password prompt (as it should be for proper security when entering a password).

In the current implementation, if the window's focus changes (by accident) or is changed purposely (via malware), the user could be entering his/her password into a focus-point that is not the password prompt. For how to implement this properly, see Gnome-Shell's implementation. In Gnome-Shell, the screen darkens, putting all the focus onto the password prompt. The window's focus on the password prompt will not be released until the user clicks Cancel or enters a password.

Please implement this properly in Unity so that Ubuntu users are better protected when entering their passwords for external drives.

To recreate the problem, encrypt an external HDD with dm-crypt/LUKS. Plug the drive into Unity via USB and notice the password prompt that appears. Notice how the user is free to change what window has focus despite the fact that a password prompt window has been generated. With the password prompt showing on the left side of the screen, I can type content into another window (e.g., gedit) that appears on the right side of the screen. This should not be possible, and it results in poor security for the user.
