Fake login screens

Vincenzo Ciancia ciancia at di.unipi.it
Sat Feb 14 20:20:37 UTC 2009

On 14/02/2009 Peteris Krisjanis wrote:
> You have evidence that such a scenario could happen or even has happened?
> Or you just speculate? Anything can be faked in this world, especially
> on computers.

CTRL+ALT+BACKSPACE can't be faked, I believe. Whatever else you can 
fake, you have to do it under an existing user account. By leaving a 
fake gdm login under _my own_ account, which logs out immediately, and 
returns to the proper gdm, I can steal other users' passwords without 
having to tamper with an open session of one of them.

However I give up: it seems to me that nobody is going to admit this is 
changing something important in the security of multi-user systems, even 
though this seems very obvious to me, so please excuse me for the 
intromission, and do whatever you want with that.


