Fedora 20 GNOME Bug Could Reveal Your Password
There's a peculiar new bug affecting the soon-to-be-released Fedora 20 that could reveal a user's password when switching between users with the GNOME desktop.
On Fedora 20 right now with the default GNOME desktop, logging in as a user, switching to a different user, switching back to the original user, and then locking the screen will end up showing the user's password as plain text when trying at that point to log in as a different user. There also appear to be a few other ways to reproduce the user's password being displayed clearly on the screen, and they all revolve around the GNOME lock screen and user switching. However, as not everyone does this sort of user switching and some of the steps to reproduce may be rare, the bug's severity is still being determined.
The Fedora 20 early adopter who discovered this issue, reported it as Red Hat Bug #1034031, and let us know at Phoronix was James Patterson.
There have been many messages bouncing back and forth between James and Red Hat's Adam Williamson today to discuss the issue and its impact. James has been able to find a few different ways to confuse the log-in/lock screen into displaying the user's password. The issue has also been reproduced independently on other systems.
We'll see what happens to the bug in the next day or two and whether it will be deemed a blocker bug that could impact next month's release of Fedora 20.