https://bugs.kde.org/show_bug.cgi?id=369181
Bug ID: 369181
Summary: User session security vulnerability from screen lock being suppressed with power management
Product: Powerdevil
Version: 5.6.4
Platform: Debian testing
OS: Linux
Status: UNCONFIRMED
Severity: major
Priority: NOR
Component: general
Assignee: plasma-devel@kde.org
Reporter: bosk...@riseup.net

The problem is that applications (in my experience it has only been browsers, both Firefox and Chromium) request that power management be suppressed, which overrides an automatic screen lock timeout configured through power management. On its own this behaviour makes sense, but it can result in a silent failure of the timed automatic screen locking, which is a significant vulnerability for users who are depending on the auto screen lock for the security of their session.

This problem is exacerbated by poorly designed websites that get the browser to request power management suppression for reasons that are not obvious to the user (a background WebRTC PeerConnection in Chromium is the recent example I saw).

I would expect that there would be an externally visible notification of when this suppression of power management occurs, so that a user who is depending on screen locking will be aware that it has been disabled. Alternatively, there could also be a way of configuring power management to override the suppression requests for users who value screen locking (and other power management features) over the convenience of the automatic suppression.

It is possible to click on the "Battery and Brightness" tab of the system tray to see a message about suppression of power management, but there is no externally visible notification when the suppression occurs. It is too tedious to periodically click into this area to check if there is a suppression.

It is also possible to configure a button or keyboard shortcut for quick screen locking and do this manually just in case the automatic screen lock is being suppressed. This is the workaround I am currently using, but it is basically just a replacement for a timed screen lock that can't be trusted to work as configured.

Reproducible: Always

Steps to Reproduce:
1. Use power management to configure a short timeout on the screen lock.
2. Open a poorly designed website in Chromium or Firefox that makes background requests to suppress power management (some pages from http://www.laprensa.hn/ in Chromium containing background WebRTC PeerConnections, for example).
3. Get up and leave the computer with that tab open. See how long it takes for someone to realize you left your session open and start digging around in your stuff :p

Actual Results:
The screen lock will not work because the power management is suppressed.

Expected Results:
Pop up a notification (or have the option to enable such a notification) as soon as the power management is suppressed, so that the offending website tab could be closed, or the screen could be manually locked.

--
You are receiving this mail because:
You are the assignee for the bug.
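One way to get the externally visible notification the report asks for, as an added example that is not part of the bug report or of PowerDevil: a POSIX shell watcher that polls the `org.freedesktop.PowerManagement.Inhibit` interface (the freedesktop inhibit interface PowerDevil exposes on the session bus) with `dbus-send` and raises a `notify-send` alert at the moment an inhibition appears, so a suppressed lock timeout is no longer silent. The `--watch` flag, the default polling interval and the notification wording are assumptions of this example; `dbus-send` and `notify-send` must be installed and the script must run inside the user's session.

```shell
#!/bin/sh
# Added example (not from the bug report or PowerDevil): watch the session bus
# for power-management inhibitions and notify the user when one starts, since
# an active inhibition disables the automatic screen lock configured in
# PowerDevil.

# Reduce a dbus-send --print-reply answer for HasInhibit() to one of
# "inhibited", "clear" or "unknown". A real reply looks like:
#   method return time=... sender=:1.5 -> destination=:1.9 serial=3 reply_serial=2
#      boolean true
# An empty or malformed reply (no session bus, service not running) is
# "unknown" so the watcher never falsely reports a clear state.
classify_reply() {
    case "$1" in
        *"boolean true"*)  echo inhibited ;;
        *"boolean false"*) echo clear ;;
        *)                 echo unknown ;;
    esac
}

# Decide whether the transition from $1 (previous state) to $2 (current state)
# should raise a notification. Only the onset of an inhibition is interesting;
# repeated polls while it persists would be noise.
should_notify() {
    if [ "$1" != inhibited ] && [ "$2" = inhibited ]; then
        return 0
    fi
    return 1
}

# Ask PowerDevil (via the freedesktop inhibit interface) whether any
# application currently holds a power-management inhibition.
query_has_inhibit() {
    dbus-send --session --print-reply \
        --dest=org.freedesktop.PowerManagement \
        /org/freedesktop/PowerManagement/Inhibit \
        org.freedesktop.PowerManagement.Inhibit.HasInhibit 2>/dev/null
}

# Poll every $1 seconds (assumed default: 30) and alert on each new inhibition.
watch_inhibit() {
    interval="${1:-30}"
    prev=clear
    while :; do
        cur=$(classify_reply "$(query_has_inhibit)")
        if should_notify "$prev" "$cur"; then
            notify-send -u critical "Screen lock inhibited" \
                "An application suppressed power management; the automatic screen lock will not fire. Lock the screen manually or close the offending tab."
        fi
        prev=$cur
        sleep "$interval"
    done
}

# Start the watcher only when asked explicitly, e.g.:  sh lockwatch.sh --watch 30
# (assumed invocation); sourcing the file just defines the functions.
if [ "${1:-}" = --watch ]; then
    watch_inhibit "${2:-30}"
fi
```

Polling is used here because it needs no extra tooling; the same interface also emits a `HasInhibitChanged` signal, so a `dbus-monitor`-based version could react immediately instead of on the next poll.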