password echo in plaintext at login screen

Forum rules
Before you post please read this

password echo in plaintext at login screen

Postby Van.Vreeborg on Sat Apr 28, 2012 6:32 am

Dear All,

Linux Mint 12 (lisa) LXDE. Fresh install, all ok. Boot up, login screen shows.

Now there is a strange behavior of the password box, reproduce as follows:

1) at the login name box, put one single space character (no login name), then press enter.
2) Now, in the password box, any text you type is given an echo in plaintext, instead of the usual black dots.
3) After pressing enter again, *a second* password box appears, but now text is given an echo in the usual black dots.
4) Even if a correct username (plus at least one space char) was used in step 1, AND the password was correct, I am not logged in, but asked for my username again.

I found that ANY username that contains a space character will trigger this password plaintext echo bug. Moreover, even when i just accidentally put a space character behind my correct username, the password that I type (shown in plaintext) does not log me into the system. Instead, I am just asked for my username again.

This is potentially dangerous, if I am loggin in while someone else is looking along. I accidentally press space bar while typing my login name (the ol' jittery thumb), and then in a reflex, type my password, which is now shown in plaintext to anyone looking over my shoulder.

Can anyone else please check if they can reproduce this simple, but serious little bug?

I am a (kind of) programmer, and since this is open source, I would *love* to try to fix this myself. No, really! :)
But I have no idea where to start, or even where to get the source code of this login screen.

Many thanks for any kind of help,

Cheers,
Van Vreeborg
Van.Vreeborg
Level 1
Level 1
 
Posts: 3
Joined: Sat Apr 28, 2012 4:01 am

Linux Mint is funded by ads and donations.
 

Re: password echo in plaintext at login screen

Postby xenopeek on Sun Apr 29, 2012 5:59 am

Confirmed for LXDE. Couldn't reproduce on Main Edition or KDE. LXDE uses GDM as login manager, the other editions either use LightDM or KDM. Valid usernames can't contain spaces, so the bug is only triggered on invalid usernames.

This seems to be a bug in GDM. Perhaps report it to the GNOME project, see http://projects.gnome.org/gdm/developers.html for some relevant links.
User avatar
xenopeek
Level 21
Level 21
 
Posts: 14994
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands


Return to Others

Who is online

Users browsing this forum: No registered users and 3 guests