Public bug reported:

When switching between two user sessions with Gnome Screensaver, the keystrokes of your password are sent to the Gnome Screensaver Lock Screen and are also echoed into the focused application of the underlying user session.

This bug only happens when switching between users using the steps below. It does not happen for single-user unlocking, and it does not happen when unlocking the same user twice.

If the focused application in the underlying session is an IRC client like XChat, your password keystrokes are echoed into it too, and the password ends up sent to the current IRC channel. This all happens while unlocking, before the lock screen is painted over by the session windows.

(I didn't believe this bug was possible until it affected me twice in one week. This bug burned two of my login passwords in a row by sending them to IRC. Very annoying.)

Here are the steps to reproduce this. I accidentally followed this sequence both times:

1. User A and User B are both logged in. User B is running XChat.
2. Switch to User A's session.
3. Suspend the laptop.
4. Resume the laptop. User A lock screen is shown.
5. Press 'Switch User'. LightDM is shown.
6. Select User B in LightDM.
7. Type User B's password, press Enter.
8. User B is unlocked, the session screen is re-painted. The password is visible in the IRC client backscroll, already sent to the channel.

Other observations:

* The system is under load while switching users. It is using swap space to handle both simultaneous user logins. Switching between users takes a few seconds: you can hear the HDD swapping and see loadavg climb while it does so.
* I am not 100% positive that the suspend/resume step is necessary to reproduce this. It could be coincidence.
ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: gnome-screensaver 3.4.1-0ubuntu1
ProcVersionSignature: Ubuntu 3.2.0-37.58-generic 3.2.35
Uname: Linux 3.2.0-37-generic x86_64
ApportVersion: 2.0.1-0ubuntu17.1
Architecture: amd64
Date: Mon Feb 25 20:33:59 2013
GnomeSessionIdleInhibited: No
GnomeSessionInhibitors: None
GsettingsGnomeSession:
 org.gnome.desktop.session idle-delay uint32 600
 org.gnome.desktop.session session-name 'ubuntu'
InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Beta amd64 (20110915.1)
MarkForUpload: True
ProcEnviron:
 LANGUAGE=en_CA:en
 TERM=screen
 PATH=(custom, no user)
 LANG=en_CA.UTF-8
 SHELL=/bin/bash
SourcePackage: gnome-screensaver
UpgradeStatus: Upgraded to precise on 2012-04-04 (327 days ago)
WindowManager: No value set for `/desktop/gnome/session/required_components/windowmanager'

** Affects: gnome-screensaver (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: amd64 apport-bug precise running-unity

https://bugs.launchpad.net/bugs/1133091

Title:
  Screensaver password keystrokes are echoed into underlying apps