Bug 8443 - Potential for compromising client passwords through Thinlinc
Status: NEW
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Client
Version: trunk
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: ---
Assignee: Bugzilla mail exporter
 
Reported: 2024-11-08 12:54 CET by anders.fridberger
Modified: 2024-12-03 10:22 CET

Description anders.fridberger 2024-11-08 12:54:17 CET
This problem occurs on Mac OS X with full-screen sessions. The problem leads to client passwords becoming visible in cleartext inside Thinlinc. Steps to reproduce:

1. Open a full-screen session on Mac OS X. In my case the full-screen session runs on a second monitor.

2. Open a text editor window in Thinlinc.

3. Do nothing until the Mac screen saver kicks in.

4. When the user comes back and tries to enter the password into Mac OS to gain access to the client system, the password does not work, so the session does not unlock.

5. Upon logging in to the client by using fingerprints instead, I find that the client password is displayed in cleartext inside the text editor window opened in step 2.

Comment 1 Frida Flodin cendio 2024-12-03 10:22:12 CET
I tested this on Mac M1 (macOS 15.1.1), with ThinLinc client and server 4.17.0, and did not manage to reproduce the issue. I think we need some more info to set the priority of this bug. Maybe it's only on laptops? Or older OS.
