https://bugs.kde.org/show_bug.cgi?id=412252

            Bug ID: 412252
           Summary: password may be indefinitely visible to attacker
                    (security relevant)
           Product: kscreenlocker
           Version: 5.10.3
          Platform: Other
                OS: Linux
            Status: REPORTED
          Severity: major
          Priority: NOR
         Component: general
          Assignee: plasma-b...@kde.org
          Reporter: kolafl...@kolahilft.de
                CC: bhus...@gmail.com
  Target Milestone: ---

In one sentence: When entering a wrong password, it stays on screen
indefinitely after the failed login attempt.
The same happens if Enter is not pressed after typing the correct password.

This problem is nearly identical to a problem for SDDM described here:
https://github.com/sddm/sddm/issues/1199



= Scenario =

-- password isn't deleted --

The user leaves his PC after a failed login attempt
(e.g. because he just realized it's lunchtime and another login attempt
would be useless, or because the fire alarm goes off).

A local attacker now has the chance to look at the screen.
He will not just see the length of the password (number of asterisks);
he will also see the typed text by clicking the eye icon beside the
password field.

Assuming the user just made a minor typo (e.g. forgot to press Shift for
the correct letter), I consider this a security problem.
Example:
User typed: MyDogiscalledjohn
Real password which can be easily guessed: MyDogiscalledJohn


-- undo/redo issue --

Even if the user knows about this problem and deletes the password
(Backspace or Del key), the attacker can simply press Ctrl+Z to restore
the password.

The only way for the user to securely wipe the password from the
screen is either to log in correctly and lock the screen again, or to
press Ctrl+Z to drop the undo stack and enter a dummy text to also drop
the redo stack.


-- comparison with unlocked screen --

You could try to compare this scenario with an unlocked screen. This is
also a problematic situation, but there are two aspects which make it
less critical:
- An attacker can't see the user's password.
- The screen will lock after the configured time.
And the login/lock screen doesn't even delete the password after some
time (compared to the screen-lock timeout).

I guess for the login screen there isn't even an applicable timeout
setting, because the lock setting is per user and not system-wide.



= Mitigations =

Deleting the password immediately probably isn't very handy for the
user. Having the possibility to see a mistyped password in order to
correct it, by clicking the eye icon after a failed attempt, is probably
very useful.

But I suggest the following mitigations:

- Disabling undo/redo in password fields.

- Deleting passwords from password fields after $time
(regardless of whether the user pressed Enter or just left the PC after
typing something).


$time may be:

- A hard coded value. E.g. 60 seconds.

- For the lock screen it might also be the configured time to lock after
inactivity. But I don't like this choice, because users may set too
long a time for this (e.g. 5 minutes) so that their screen doesn't lock too fast.

- A new setting, which could be system-wide (for the login screen) and
per user (for the lock screen).
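As an added illustration of the two mitigations above (not code from the report or from kscreenlocker), here is a QtQuick password field that swallows the undo/redo shortcuts and wipes its contents after a hard-coded 60 seconds of inactivity, whether or not Enter was pressed and even while the text is revealed. The authentication hook is assumed and left out; everything else is stock QtQuick.Controls 2 API.

```qml
import QtQuick 2.12
import QtQuick.Controls 2.12

// Constructed example: a lock-screen style password field that
// (a) refuses undo/redo, so a deleted password cannot be restored, and
// (b) clears itself after $time (60 s here), resetting the mask as well.
Row {
    spacing: 8

    TextField {
        id: passwordField
        placeholderText: "Password"
        echoMode: TextInput.Password        // masked with asterisks/dots

        // (a) Keys handlers run before TextInput's own key handling
        //     (default Keys.priority is BeforeItem), so accepting the
        //     event here means the field never performs the undo/redo.
        Keys.onPressed: {
            if (event.matches(StandardKey.Undo) || event.matches(StandardKey.Redo))
                event.accepted = true
        }

        // (b) every edit restarts the countdown; an empty field needs none
        onTextChanged: text.length > 0 ? wipeTimer.restart() : wipeTimer.stop()

        // A wrong password is deliberately left in place for correction;
        // the timer is what eventually removes it. Assumed hook, not shown:
        // onAccepted: authenticate(text)
    }

    // The "eye" toggle: reveals the text, but the wipe timer keeps running.
    Button {
        text: passwordField.echoMode === TextInput.Password ? "Show" : "Hide"
        onClicked: passwordField.echoMode =
            passwordField.echoMode === TextInput.Password
                ? TextInput.Normal : TextInput.Password
    }

    Timer {
        id: wipeTimer
        interval: 60 * 1000                 // $time: hard-coded 60 seconds
        repeat: false
        onTriggered: {
            passwordField.clear()                        // drop the typed text
            passwordField.echoMode = TextInput.Password  // re-mask for next use
        }
    }
}
```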


-- further thoughts --

Those mitigations might be a good default for all password widgets in
KDE/Qt.

Password fields in all scenarios should probably not offer the
possibility to read their contents for an infinite time.
