[Bug 54741] New windows stealing focus -- and passwords?

jmspeex jean-marc.valin at usherbrooke.ca
Tue Aug 1 01:15:37 UTC 2006


Public bug reported:

Binary package hint: metacity

I'm resubmitting bug #51242 because I'm now convinced it has potential
to be successfully exploited remotely to steal user passwords. It
basically comes down to the fact that metacity by default (which
is impossible to change for me) gives the focus to a newly opened window. This
can have many hazardous consequences (e.g. typing "rm -rf *" in the
wrong window), but also security implications:

Consider Alice logging on to Bob's server with ssh. Malicious user
Mallory is already logged on to the server, detects the login attempt
(e.g. seeing sshd starting with ps) and automatically sends an IM
message to Alice ("Hi Alice, how are you?"). There is a non-zero
probability that Alice will not notice the new IM window instantly and
accidentally type his/her password right into Mallory's IM window, giving
away her password.

I think there may also be a way for rogue websites to open unexpected
popups. It could be even more effective in some way because the new
window can be made very small (unnoticeable if not for the change of the
focus) and send the typed text to the attacker directly without the user
needing to press the "enter" key.

** Affects: metacity (Ubuntu)
     Importance: Untriaged
         Status: Unconfirmed

** Visibility changed to: Public

-- 
New windows stealing focus -- and passwords?
https://launchpad.net/bugs/54741