*** This bug is a security vulnerability ***

You have been subscribed to a public security bug by Marc Deslauriers (mdeslaur):

I have an Ubuntu 20.04 installed on a laptop with a fingerprint reader. I was curious about it today, and was happy to see that fingerprintd was already installed. I'm fairly certain I didn't install this myself, so I suspect it's installed by default if you have a laptop with a fingerprint reader.

I soon discovered that I could easily add (enroll seems to be what fprintd calls it) a fingerprint login to my account. Swiping my finger on the fingerprint scanner 5 times added a new fingerprint login. Logging out, I could easily login via swiping my fingerprint. Easy-peasy, and "just works".

After a minute of thinking of this though, I was EXTREMELY surprised to learn that I wasn't required to enter my password to add a fingerprint. The system just added an entirely new way for me to authenticate, without first verifying my identity. This means anyone with access to the computer for a few minutes could easily add their own fingerprints to the laptop, and login with no password.

It seems apparent to me that any time an access method is added (like changing a password), the interface should confirm that the user is who they say they are. This is why you have to type in your old password before changing to a new one. The fact that Ubuntu doesn't do this is a major security concern.

Of course, I've since un-installed fprintd, as it was just a curiosity, not something I wanted to trust.

** Affects: fprintd
   Importance: Unknown
   Status: Unknown

** Affects: fprintd (Ubuntu)
   Importance: Undecided
   Status: New

--
fprintd fingerprint login compromises password security.
https://bugs.launchpad.net/bugs/1901132
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to the bug report.

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
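The behaviour the report describes comes down to an authorization default: fprintd gates enrollment behind a polkit action, and when that action's default for an active local session is "yes", polkit never asks for a credential. The following audit script is an added example, not part of the bug report or of fprintd; the action ids are fprintd's real polkit action names, but the sample policy file contents and the defaults shown in it are constructed for illustration and should be compared against the policy actually installed on the system.

```python
"""Audit a polkit .policy file for actions that an active local session
may invoke without any authentication prompt (allow_active = "yes")."""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of fprintd's net.reactivated.fprint.device.policy.
# The action ids are fprintd's real ones; the <defaults> values are assumed here
# to reproduce the situation in the report (enroll allowed with no credential).
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policyconfig>
  <action id="net.reactivated.fprint.device.verify">
    <description>Verify a fingerprint</description>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="net.reactivated.fprint.device.enroll">
    <description>Enroll new fingerprints</description>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>
"""

# polkit results that grant access with no credential check at all; the
# auth_self* / auth_admin* results would prompt for a password instead.
UNAUTHENTICATED_RESULTS = {"yes"}


def unauthenticated_active_actions(policy_xml, ids_of_concern=()):
    """Return the ids of actions whose <allow_active> default grants access
    without authentication. If ids_of_concern is non-empty, report only those."""
    root = ET.fromstring(policy_xml)
    findings = []
    for action in root.iter("action"):
        action_id = action.get("id")
        if ids_of_concern and action_id not in ids_of_concern:
            continue
        node = action.find("./defaults/allow_active")
        value = node.text.strip() if node is not None and node.text else "no"
        if value in UNAUTHENTICATED_RESULTS:
            findings.append(action_id)
    return findings


if __name__ == "__main__":
    # Only enrollment creates a new credential, so that is the action to flag.
    for aid in unauthenticated_active_actions(SAMPLE_POLICY, {"net.reactivated.fprint.device.enroll"}):
        print(f"{aid}: active session may run this with no password; override it in /etc/polkit-1/rules.d")
```

A distribution or administrator can tighten the flagged action with a rules.d override returning an auth_self-style result, so enrolling a new fingerprint prompts for the user's own password the way a password change does.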