*** This bug is a security vulnerability ***

Public security bug reported:

People depend heavily on the lock screen (rightfully or wrongfully) to
prevent others from seeing sensitive data.  gnome-screensaver can easily
expose this sensitive data.

Example:

During day:
1.  Network boot Ubuntu into GUI
2.  Open sensitive document
3.  CTRL-ALT-F[1-6] and use a TTY
4.  Log out of TTY and attend meeting
5.  Go home an hour later

At this point a user has a reasonable expectation of his or her
sensitive document being secure, believing a password (or physical access
to server) will be needed to see the sensitive information.

At night:
6.  Record screen with mobile
7.  CTRL-ALT-F7 (the document will briefly be displayed before the lock screen)
8.  CTRL-ALT-F[1-6] back to the original TTY to hide your tracks
9.  Go frame by frame through the video to retrieve the sensitive information

I wouldn't call this an enhancement because I spoke to several users and
ALL of them had the expectation their data would not be visible.  People
were especially sensitive to the reading of private chat sessions.
Users didn't expect just anyone could go from cubicle to cubicle at
night secretly exposing screens.  Whenever a user has a screen lock, the
locking application needs to ensure contents of the screen won't be
visible after the lockout time.  If it is really so hard to clear the
contents of the screen, then turn off output of the video card when the
user hits CTRL-ALT-F7 until the sensitive data is gone.

cat /etc/issue
Ubuntu 12.04.2 LTS \n \l

Package: gnome-screensaver
Priority: optional
Section: gnome
Installed-Size: 412
Maintainer: Ubuntu Desktop Team <ubuntu-desk...@lists.ubuntu.com>
Original-Maintainer: Guilherme de S. Pastore <gpast...@debian.org>
Architecture: amd64
Version: 3.4.1-0ubuntu1

Priority: optional
Section: universe/gnome
Installed-Size: 51
Maintainer: Ubuntu Developers <ubuntu-devel-disc...@lists.ubuntu.com>
Original-Maintainer: Debian GNOME Maintainers 
<pkg-gnome-maintain...@lists.alioth.debian.org>
Architecture: amd64
Source: meta-gnome3
Version: 1:3.0+6ubuntu3

** Affects: gnome-screensaver (Ubuntu)
     Importance: Undecided
         Status: New

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1193850

Title:
  gnome-screensaver exposes sensitive data

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs