Public bug reported:

It is easily possible for any running program in your X session to sneak your passwords (even root, sudo etc.) or to obtain critical credentials from the browser (e.g. e-banking).

This bug is based on:

Blog post with explanation: http://theinvisiblethings.blogspot.com/2011/04/linux-security-circus-on-gui-isolation.html
Ubuntu answers: https://answers.launchpad.net/ubuntu/+source/xorg/+question/159596

The bug has already been reported to X developers: https://bugs.freedesktop.org/show_bug.cgi?id=38517 (with steps to reproduce).

The bug has been known for some time already, but nothing has been happening! With this, Linux desktop is no more secure than any Windows system. Please have a look at the resources and try it yourselves.

Cheers,
mark

At present, the architecture of XWindow/XServer possesses a software vulnerability, thereby allowing a hacker to execute code to trace user keystrokes without the need of root access.

Proof of concept:
- Open terminal
- Type 'xinput test 8'
- Press keystrokes in any GUI window and watch the terminal

It is possible to write a C++ binary executable for Linux and simply use the procedure above to capture keystrokes. The key mappings are the same for every qwerty keyboard. A dynamic cast from (int *) to (char *) can translate DECIMAL to its corresponding keystroke in ASCII format.

Solution:
The solution is to write a conditional branch in XWindow/XServer GUI handler classes/object files to prevent the keyboard interrupt service routine from servicing any other application or window besides the focused window. This can be accomplished easily in the current design of XWindow/XServer by using a composite design pattern.

** Affects: xorg (Ubuntu)
   Importance: Undecided
   Status: New

** Affects: xorg (Suse)
   Importance: Undecided
   Status: New

** Also affects: xorg (Suse)
   Importance: Undecided
   Status: New

--
You received this bug notification because you are a member of Ubuntu-X, which is subscribed to xorg in Ubuntu.
https://bugs.launchpad.net/bugs/800172

Title: Application keylogger vulnerability in Xserver