Unauthenticated user can modify the background in a widget-lock-screen
Gilboa Davara
gilboad at gmail.com
Sun Mar 17 09:17:31 UTC 2013
On Sun, Mar 17, 2013 at 12:21 AM, Kevin Kofler <kevin.kofler at chello.at> wrote:
> Gilboa Davara wrote:
>> While testing 4.10/f17 I decided to try out the new lock screen.
>> The widget lock screen is indeed nice, but there's a major security issue:
>> An unauthenticated user can access the lock-screen setting and change the
>> background. (cashew->settings).
>
> Changing the background is a "major security issue"?!
*Of course* it is!
Cashew -> settings -> add -> file dialog opens... and you have
complete (!) access to the machine's file system.
>
> I wonder whether adding ihatethecashew to the widget lock screen would work.
> (I guess not, it needs to declare that it is safe for the lock screen to be
> authorized.)
Interesting idea.
>
> Kevin Kofler
In short, sounds like an upstream bug.
I'll report it and post a link.
- Gilboa