GNOME Bugzilla – Bug 403936
Security: Application windows can be made visible while screen is locked
Last modified: 2007-02-06 20:19:08 UTC
When you lock your screen in gnome it just draws a black box over all your windows so you have to unlock the screen to see them, but if you use Beryl and have the 3D world plugin enabled (which many people do) you can just rotate the desktop cube and all of the windows rise above the black box and are visible without unlocking the screen (there are other ways to exploit this bug, for instance using the program blast you can make holes in the black box and see through to the desktop, but for this to happen the user would have had to run blast before locking the screen, so it is not as likely to be a problem).

Here is a screenshot: http://trogdoor.googlepages.com/Screenshot.png

To reproduce this bug with blast, run blast then lock the screen. At the locked screen, click the mouse and holes will appear in the black box and you will be able to see through them to the applications behind it. I guess the bug is really that applications can still receive input when the screen is locked.

I have confirmed with someone else that this exploit works on other people's computers also.
What is blast? Is this reproducible with compiz or metacity? What version of Beryl? What distro is this? Can you please attach a g-s debug log when this occurs as described in: http://live.gnome.org/GnomeScreensaver/FrequentlyAskedQuestions#head-d50bc17e7d6f3a51c4715f02c657195e80e26c2c
Created attachment 81980: Screenshot showing holes in the lock screen made by blast

Created attachment 81981: Debug output when locking the screen and spinning the desktop cube in Beryl to see / interact with windows
I have attached the debug output. Note that I had to kill gnome-screensaver from gnome-terminal as I found out that somehow I was able to get my gnome-terminal window to gain focus and run commands from it (so you are not only able to see applications while the screen is locked, you can apparently use them also) but I couldn't get the unlock dialog to gain focus long enough to type my password to unlock the screen. It was very strange as the lock dialog seemed to be gaining and losing focus (as I think is shown in the debug log). This is probably in part due to a bug in Beryl SVN, so I have also attached the debug output from using blast running under metacity.

Blast is a novelty program that "blasts" holes into xorg windows to vent frustration :) It can also apparently blast holes in the lock dialog as in this screenshot running with metacity (I was running in debug mode as I took / made this screenshot and have attached this debug output as well): http://trogdoor.googlepages.com/Screenshot-blast.png

Using blast I was able to use the mouse to control applications through the holes but I was not able to get keyboard focus. I keep getting errors when I try to attach the debug output from blast so here is a link to it: http://trogdoor.googlepages.com/gnome-screensaver-debug-Blast.txt
So it seems to be: http://ftp.debian.org/debian/pool/main/b/blast/

And uses the Shape Extension to do its business: http://en.wikipedia.org/wiki/Shape_extension

First, I don't consider this a security issue. There is no way to cause this unless you have access to the session before the screen locks. So, the solution is to not run the program that punches holes in your screensaver.

That said I've committed a fix to trunk that unshapes the window in response to shape events.

2007-02-06  William Jon McCann  <mccann@jhu.edu>

    * configure.ac:
    * src/gs-window-x11.c (unshape_window, gs_window_xevent)
    (window_select_shape_events, gs_window_real_show):
    Watch for ShapeNotify events and unshape the window.
    Fixes #403936

So at least you won't really be able to see through. There is still a competition between blast and the screensaver for the grabbing of the pointer while the dialog is up.

That beryl stuff seems unrelated and probably a bug in beryl.