Unauthenticated user can modify the background in a widget-lock-screen

Gilboa Davara gilboad at gmail.com
Sun Mar 17 09:54:56 UTC 2013


On Sun, Mar 17, 2013 at 11:17 AM, Gilboa Davara <gilboad at gmail.com> wrote:
> On Sun, Mar 17, 2013 at 12:21 AM, Kevin Kofler <kevin.kofler at chello.at> wrote:
>> Gilboa Davara wrote:
>>> While testing 4.10/f17 I decided to try out the new lock screen.
>>> The widget lock screen is indeed nice, but there's a major security issue:
>>> An unauthenticated user can access the lock-screen setting and change the
>>> background. (cashew->settings).
>>
>> Changing the background is a "major security issue"?!
>
> *Of course* it is!
> Cashew -> settings -> add -> file dialog opens.... and you have
> complete (!) access to the machine's file system.
>
>>
>> I wonder whether adding ihatethecashew to the widget lock screen would work.
>> (I guess not, it needs to declare that it is safe for the lock screen to be
>> authorized.)
>
> Interesting idea.
>
>>
>>         Kevin Kofler
>
> In short, sounds like an upstream bug.
> I'll report it and post a link.

FYI
https://bugs.kde.org/show_bug.cgi?id=316893

>
> - Gilboa

