Agreed.  I personally have typed part of my password into the wrong
application window when it popped up and stole focus.  Didn't end up
accidentally sending the password to someone else, fortunately, but in
principle it could have happened.

Personally I like the idea of making this a user-adjustable setting, but
I'd prefer making "strict" be the default.


On Mon, 2006-07-31 at 01:02 +0000, jmspeex wrote:
> Having a key in gconf is nice, but it doesn't change the fact that
> automatically giving focus to a new window (by default!) constitutes not
> only a security issue (typing a passwd in the wrong window), but a
> potential for data loss (typing "rm -rf *" in the wrong terminal). Maybe
> I should file it under "security" so it gets some attention.
> 
> The security issue is very real and probably wouldn't be that hard to
> exploit remotely. Consider Alice logging on to Bob's server with ssh.
> Malicious user Mallory is already logged on the server and detects the
> attempt (seeing sshd starting with ps) and automatically sends an IM
> message to Alice ("Hi Alice, how are you?"). There is a non-zero
> probability that Alice will not see the IM window open and accidentally
> type his/her password right into Mallory's IM window, giving away her
> password.
> 
-- 
Chris Koresko <[EMAIL PROTECTED]>
Michelson Science Center, Caltech

-- 
New windows shouldn't steal focus
https://launchpad.net/bugs/51242

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
