*** This bug is a security vulnerability ***

You have been subscribed to a public security bug by Marc Deslauriers 
(mdeslaur):

I have Ubuntu 20.04 installed on a laptop with a fingerprint reader.
I was curious about it today, and was happy to see that fingerprintd was
already installed.  I'm fairly certain I didn't install this myself, so
I suspect it's installed by default if you have a laptop with a
fingerprint reader.

I soon discovered that I could easily add (enroll seems to be what
fprintd calls it) a fingerprint login to my account.  Swiping my finger
on the fingerprint scanner 5 times added a new fingerprint login.
Logging out, I could easily log in via swiping my fingerprint.  Easy-
peasy, and "just works".

After a minute of thinking of this though, I was EXTREMELY surprised to
learn that I wasn't required to enter my password to add a fingerprint.
The system just added an entirely new way for me to authenticate,
without first verifying my identity.

This means anyone with access to the computer for a few minutes could
easily add their own fingerprints to the laptop, and log in with no
password.

It seems apparent to me that any time an access method is added (like
changing a password), the interface should confirm that the user is who
they say they are.  This is why you have to type in your old password
before changing to a new one.  The fact that Ubuntu doesn't do this is a
major security concern.

Of course, I've since un-installed fprintd, as it was just a curiosity,
not something I wanted to trust.

** Affects: fprintd
     Importance: Unknown
         Status: Unknown

** Affects: fprintd (Ubuntu)
     Importance: Undecided
         Status: New

-- 
fprintd fingerprint login compromises password security.
https://bugs.launchpad.net/bugs/1901132
You received this bug notification because you are a member of Ubuntu Bugs, 
which is subscribed to the bug report.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
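
Added example, not part of the bug report and not fprintd's own code: a small audit that reads a polkit .policy document and flags the fingerprint enrollment action when it is granted with implicit authorization "yes", which is the "no password before adding a login method" behaviour the report describes. The sample policy is constructed for this example, and the choice of which action ids count as credential-changing is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample in polkit's .policy XML format; it is NOT copied from any
# installed fprintd package. The action ids are fprintd's polkit action names.
SAMPLE_POLICY = """<policyconfig>
  <action id="net.reactivated.fprint.device.verify">
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="net.reactivated.fprint.device.enroll">
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>
"""

# Assumption: the actions that add or change an authenticator for an account.
CREDENTIAL_CHANGING = {"net.reactivated.fprint.device.enroll"}
SCOPES = ("allow_any", "allow_inactive", "allow_active")


def unauthenticated_credential_actions(policy_xml):
    """Return (action_id, scope) pairs where a credential-changing action is
    granted with implicit authorization 'yes', i.e. without any password prompt."""
    findings = []
    for action in ET.fromstring(policy_xml).iter("action"):
        action_id = action.get("id")
        if action_id not in CREDENTIAL_CHANGING:
            continue
        defaults = action.find("defaults")
        for scope in SCOPES:
            # A missing element is treated as "no" by this script (assumption).
            value = "no" if defaults is None else defaults.findtext(scope, "no").strip()
            if value == "yes":
                findings.append((action_id, scope))
    return findings


if __name__ == "__main__":
    for action_id, scope in unauthenticated_credential_actions(SAMPLE_POLICY):
        print(f"{action_id}: {scope}=yes (no re-authentication before enrollment)")
```

To check a real system, pass the function the text of the fprintd policy file from /usr/share/polkit-1/actions/ instead of the sample; a value such as auth_self in place of yes makes polkit ask for the user's own password before the action runs.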
