security issue? auto suggest seems to copy credentials into clipboard

Bug #1366314 reported by Alexander Sack
Affects | Status | Importance | Assigned to | Milestone
ubuntu-keyboard (Ubuntu) | New | Critical | Unassigned |

Bug Description

On today's image (krillin rtm-proposed r21) with ONLY the auto suggest language option on I get:

13:57 < asac> 1. kill terminal
13:57 < asac> 2. open terminal and enter pin
13:57 < asac> 3. click in terminal pastes my pin :)

Obviously not good for security. Think it might be bad.

Seems it's not getting to the dictionary at least:

13:58 < asac> 4. /me uses backspace to delete
13:58 < asac> 5. type ls
13:58 < asac> 6. type first digit of pin -> does not suggest my pin

This doesn't happen if I turn auto suggestion off. Not sure if the paste is what doesn't happen or the clipboarding doesn't happen. Surely important to check out and know for sure.

We should check other credential prompts too: pin lock screen, sim pin etc.

Haven't tried, but I assume UITK password fields and the browser don't have that, but might be worth checking.

Thanks!

Alexander Sack (asac)
description: updated
Changed in ubuntu-keyboard (Ubuntu):
importance: Undecided → Critical
tags: added: rtm14
summary: - auto suggest seems to copy credentials into clipboard
+ security issue? auto suggest seems to copy credentials into clipboard
information type: Public → Public Security
Jamie Strandboge (jdstrand) wrote:

It does seem that the keyboard shouldn't be putting whatever you type into the clipboard.

That said, I wonder if this is also a bug in the terminal app? Maybe it isn't using these:
Qt.ImhHiddenText - Characters should be hidden, as is typically used when entering passwords. This is automatically set when setting echoMode to TextInput.Password.
Qt.ImhSensitiveData - Typed text should not be stored by the active input method in any persistent storage like predictive user dictionary.

Note, AIUI, the filemanager app uses the same embedded password checking backend as the terminal so it may be affected too.

Reference:
http://people.canonical.com/~dpm/sdk-docs/html.orig/qml-ubuntu-components0-textfield.html
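As an added illustration of the app-side hints Jamie points at (example code, not from the terminal app, the keyboard, or this report), a UITK PIN prompt showing a plain field beside one that masks input and asks the input method not to predict or store it; assumes Ubuntu.Components 1.1 is available:

```qml
import QtQuick 2.0
import Ubuntu.Components 1.1

Column {
    spacing: 8

    // Weak: a bare TextField carries no input method hints, so an
    // on-screen keyboard with auto suggest enabled may treat the PIN
    // like ordinary text (predictions, dictionary, copy buffer).
    TextField {
        id: weakPin
        placeholderText: "PIN (weak example)"
    }

    // Hardened: echoMode Password masks the characters and implies
    // Qt.ImhHiddenText; the explicit hints additionally tell the input
    // method not to persist, predict or auto-complete what is typed.
    TextField {
        id: safePin
        placeholderText: "PIN"
        echoMode: TextInput.Password
        inputMethodHints: Qt.ImhHiddenText
                        | Qt.ImhSensitiveData
                        | Qt.ImhNoPredictiveText
                        | Qt.ImhNoAutoUppercase
    }
}
```

The hints only help if the active input method honours them, which is exactly what this report calls into question for ubuntu-keyboard, so the keyboard side still needs its own fix and test.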

Bill Filler (bfiller)
tags: added: touch-2014-09-11