Bug 695104 - copy & paste password
Status: RESOLVED FIXED
Product: gnome-shell
Classification: Core
Component: login-screen
Version: 3.7.x
Hardware: Other Linux
Importance: Normal normal
Target Milestone: ---
Assigned To: Ray Strode [halfline]
QA Contact: gnome-shell-maint
Depends on:
Blocks:
Reported: 2013-03-04 06:42 UTC by Marcus Moeller
Modified: 2013-03-04 15:44 UTC
See Also:
GNOME target: 3.8
GNOME version: ---


Attachments
st-entry: Disable cut/copy actions in password entries (1.39 KB, patch)
2013-03-04 15:38 UTC, Florian Müllner
committed
shellEntry: Disable copy action for password entries (1.12 KB, patch)
2013-03-04 15:38 UTC, Florian Müllner
committed

Description Marcus Moeller 2013-03-04 06:42:13 UTC
If you enter the password in the password box and leave your screen, before pressing 'Login', an attacker could mark the dots, press Ctrl+C / Cancel and Ctrl+V in the username box.

This will display the password in plaintext.
Comment 1 drago01 2013-03-04 10:43:59 UTC
(In reply to comment #0)
> If you enter the password in the password box and leave your screen, before
> pressing 'Login', an attacker could mark the dots, press Ctrl+C / Cancel and
> Ctrl+V in the username box.
> 
> This will display the password in plaintext.

If you leave your car keys in the pub and walk away an attacker could grab the key and go steal your car.
Comment 2 Marcus Moeller 2013-03-04 10:50:01 UTC
In our situation this is a reasonable problem. Due to LDAP login, the login process might take some time (up to 15sec). When a student tries to log in to a public pc and is a bit impatient, he or she might walk away during the login process. In the meantime someone else could step up and copy and paste the password.
Comment 3 drago01 2013-03-04 10:54:33 UTC
(In reply to comment #2)
> In our situation this is a reasonable problem. Due to LDAP login, the login
> process might take some time (up to 15sec). When a student tries to log in to a
> public pc and is a bit impatient, he or she might walk away during the login
> process. In the meantime someone else could step up and copy and paste the
> password.

OK, that makes sense ... your first comment triggered a "huh? why would one do that".

I guess we could simply disable copy and paste on the login screen, there is no source to copy from anyway.
Comment 4 Matthias Clasen 2013-03-04 12:53:31 UTC
fwiw, gtk forbids copying from a password entry. st should do the same
Comment 5 Florian Müllner 2013-03-04 15:38:29 UTC
Created attachment 237998
st-entry: Disable cut/copy actions in password entries

Currently it is possible to copy the content of password entries,
and paste it elsewhere in clear text. This is undesirable, so
follow GTK+'s behavior and disable the cut/copy actions for
password entries.
Comment 6 Florian Müllner 2013-03-04 15:38:35 UTC
Created attachment 237999
shellEntry: Disable copy action for password entries

Currently it is possible to copy the content of password entries,
and paste it elsewhere in clear text. This is undesirable, so
follow GTK+'s behavior and disable the copy action for password
entries.
Comment 7 Rui Matos 2013-03-04 15:42:26 UTC
Review of attachment 237998:

looks good
Comment 8 Rui Matos 2013-03-04 15:42:45 UTC
Review of attachment 237999:

Ok
Comment 9 Florian Müllner 2013-03-04 15:44:17 UTC
Attachment 237998 pushed as b52f4ed - st-entry: Disable cut/copy actions in password entries
Attachment 237999 pushed as 9e31f05 - shellEntry: Disable copy action for password entries
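
The behaviour reported in this bug and the guard the two patches describe can be shown with a toy model. This is an added example, not part of the thread and not St or gnome-shell code; `Clipboard`, `Entry`, `passwordChar`, `guardPassword`, `onKey` and `replayReport` are hypothetical names, and the password value is constructed.

```javascript
// Toy model of a masked text entry; every name here is hypothetical.
class Clipboard { constructor() { this.text = ''; } }

class Entry {
  constructor(clipboard, { passwordChar = '', guardPassword = true } = {}) {
    this.clipboard = clipboard;
    this.passwordChar = passwordChar;   // non-empty => entry is masked
    this.guardPassword = guardPassword; // false reproduces the reported behaviour
    this.text = '';
    this.selection = null;              // [start, end) or null
  }
  // What is drawn on screen: mask characters when in password mode.
  get display() {
    return this.passwordChar ? this.passwordChar.repeat(this.text.length) : this.text;
  }
  selectAll() { this.selection = [0, this.text.length]; }
  // Handle Ctrl+C / Ctrl+X / Ctrl+V; returns true if the action was performed.
  onKey(combo) {
    if (combo === 'ctrl+v') {           // paste stays enabled: it leaks nothing
      const [s, e] = this.selection || [this.text.length, this.text.length];
      this.text = this.text.slice(0, s) + this.clipboard.text + this.text.slice(e);
      this.selection = null;
      return true;
    }
    if (combo !== 'ctrl+c' && combo !== 'ctrl+x') return false;
    // The guard: a masked entry never hands its real text to the clipboard.
    if (!this.selection || (this.guardPassword && this.passwordChar)) return false;
    const [s, e] = this.selection;
    this.clipboard.text = this.text.slice(s, e);
    if (combo === 'ctrl+x') {           // cut also removes the selection
      this.text = this.text.slice(0, s) + this.text.slice(e);
      this.selection = null;
    }
    return true;
  }
}

// Replays the sequence from the report: select the dots, copy (or cut), paste
// into the username entry. Returns what the username entry then shows.
function replayReport(guardPassword, combo = 'ctrl+c') {
  const clipboard = new Clipboard();
  const user = new Entry(clipboard);
  const pass = new Entry(clipboard, { passwordChar: '\u25cf', guardPassword });
  pass.text = 'constructed-secret';     // constructed sample value
  pass.selectAll();
  pass.onKey(combo);
  user.onKey('ctrl+v');
  return { shown: user.display, passwordKept: pass.text === 'constructed-secret' };
}
```

The guard has to cover cut as well as copy, since both place the selected text on the clipboard; paste into the password entry can remain enabled.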