How to protect user from stealing his password from polkit/gksudo/kdesudo password prompts?

Asked by Andrei Dziahel

Hello everyone.
So here's a screenshot demonstrating the password stealing attack itself: http://i.imgur.com/WCvhn.png
Just checked it on Ubuntu Oneiric; the mentioned exploit works in polkit's password prompts.
Any suggestions?

Question information

Language: English
Status: Answered
For: Ubuntu
Assignee: No assignee
mycae (mycae) said (#1):

Try that with two different users.

Andrei Dziahel (develop7) said (#2):

@mycae, for example, a Windows user is protected from this attack by UAC, because
a) he is asked for permission, not for his password
b) the permission request dialog is shown in a separate desktop session (this prevents message spoofing)

I'm aware of user isolation. I just think entering a password in a compromised environment is, at the very least, unsafe.

mycae (mycae) said (#3):

Feel free to raise it as a bug, but I think if you are running unsafe code, you are running unsafe code and your box is considered owned anyway.

I personally am of the opinion that once you execute some code that is not safe in an un-sandboxed environment, you are pretty stuffed.

I would recommend (but remember, I don't work for Canonical in any way) that you would also need to make some concrete suggestions as to how this could be altered without undertaking a massive project to do so.
