switchboard and firefox available from lock screen
Bug #1502918 reported by Sam Thomas
This bug affects 6 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Wingpanel | Fix Released | Critical | Djax |
Wingpanel Bluetooth Indicator | Fix Released | Critical | Mike Seese |
Wingpanel Network Indicator | Fix Released | Critical | Unassigned |
Wingpanel Power Indicator | Fix Released | Critical | Felipe Escoto |
Bug Description
It is possible to open both switchboard and firefox from the lock screen using the new indicators. In order to do this, open the network indicator, and click "Network Settings...". This will open a switchboard panel to the network settings. Go back and then go to the "About" plug. Then click on the "Website" link. This opened firefox for me. I don't know why it chose firefox because I have other browsers installed and firefox is not set to the default browser. It is impossible to type in this window so it would be hard to do much, but I am going to mark this as a security vulnerability.
Related branches
lp:~philip.scott/wingpanel-indicator-power/hide-settings-in-greeter
- WingPanel Devs: Pending requested
- Diff: 74 lines (+13/-12), 2 files modified
  - src/Indicator.vala (+1/-1)
  - src/Widgets/PopoverWidget.vala (+12/-11)
lp:~seesemichaelj/wingpanel-indicator-bluetooth/bluetooth-switchboard-access-from-lock
- Adam Bieńkowski (community): Approve (code)
- Diff: 138 lines (+28/-11), 4 files modified
  - src/Indicator.vala (+8/-4)
  - src/Widgets/PopoverWidget.vala (+3/-3)
  - src/Widgets/Views/DiscoveryView.vala (+11/-0)
  - src/Widgets/Views/MainView.vala (+6/-4)
information type: Public → Public Security
Changed in pantheon-greeter:
milestone: none → loki-beta1
Changed in pantheon-greeter:
status: New → Confirmed
importance: Undecided → Critical
Changed in wingpanel-indicator-network:
status: Confirmed → Fix Committed
Changed in wingpanel-indicator-network:
milestone: loki-beta1 → loki-alpha1
Changed in wingpanel-indicator-power:
assignee: nobody → Felipe Escoto (philip.scott)
milestone: loki-beta1 → loki-alpha1
status: Confirmed → Fix Committed
affects: pantheon-greeter → wingpanel
Changed in wingpanel:
milestone: loki-beta1 → none
assignee: nobody → Djax (parnold-x)
milestone: none → loki-alpha1
status: Confirmed → Fix Committed
Changed in wingpanel-indicator-bluetooth:
importance: Undecided → Critical
milestone: none → loki-beta1
status: New → Confirmed
no longer affects: elementaryos
Changed in wingpanel-indicator-bluetooth:
assignee: nobody → Mike Seese (seesemichaelj)
Changed in wingpanel-indicator-bluetooth:
status: Confirmed → In Progress
Changed in wingpanel-indicator-bluetooth:
status: In Progress → Fix Committed
Changed in wingpanel-indicator-bluetooth:
milestone: loki-beta1 → loki-alpha1
Changed in wingpanel:
status: Fix Committed → Fix Released
Changed in wingpanel-indicator-bluetooth:
milestone: loki-alpha1 → 2.0
status: Fix Committed → Fix Released
Changed in wingpanel-indicator-network:
status: Fix Committed → Fix Released
Changed in wingpanel-indicator-power:
status: Fix Committed → Fix Released
I played around with the bug a little more and it's more serious than I thought. By opening a private window, I was able to type. By typing 'file://' I was able to get access to the entire file system and was able to launch applications from here. I was able to launch scratch and libreoffice. It only gives you the option to open files with the default application and it doesn't look like the Lightdm user has permissions to open files containing password information such as /etc/shadow.