search

linuxmint / cinnamon

A Linux desktop featuring a traditional layout, built from modern technology and introducing brand new innovative features.
GNU General Public License v2.0
4.53k stars 737 forks source link

Cinnamon shows content behind locked screen when plugging 2nd screen #11899

Open P-D-G opened 1 year ago

P-D-G commented 1 year ago

Distribution

LMDE6. Fresh install, not updated from LMDE5.

Package version

5.8.4

Graphics hardware in use

Thinkpad T495, AMD Ryzen 5 Pro 3500U

Frequency

Always

Bug description

When I lock my laptop and then plug a second screen (tested with HDMI and DP over USB-C), one of the two screen displays its content as if the session was unlocked. All windows/apps that are set on that screen appear in clear view. With HDMI, the external monitor leaked info, while with DP over USB, the laptop screen leaked info. I do not ave enough hardware to run more tests. When the laptop screen displays its unlocked content, the password field box does not appear, though typing the password and pressing "enter" properly unlock the session.

This means that potentially confidential info could be displayed despite the computer being locked.

Steps to reproduce

  1. Start with laptop plugged to external monitor (HDMI and DP over USB tested)
  2. Unplug laptop from external monitor.
  3. Lock the session. This has been tested both by shutting the lid and pressing ctrl+alt+L.
  4. Re-plug the laptop to external monitor.
  5. After re-configuring the displays, one of the two displays content is in clear view before the session being unlocked.

Expected behavior

The locked screen should not leak information. Reconfiguration of the graphic layout should not erase lock screen.

Additional information

antunnitraj commented 8 months ago

I have the sample problem, reproducible.

rszimm commented 7 months ago

Not only can you view the unlocked desktop, you can actually interact with it (type commands, etc.) Now you only get a second or so before the lock screen resumes, but if you're quick enough, you can do some damage.

This seems like a pretty substantial security hole. I can walk up to a locked desktop and, without knowing the password, see what's on their desktop and potentially interact with the locked computer. I'm pretty shocked this has been unassigned for over 6 months.

BlessedDisco commented 6 months ago

I also experience this problem. I mostly encounter it in the following scenario:

  1. my laptop is already hooked up to an external screen
  2. I lock the laptop
  3. After a while, the screens turn off because the laptop is inactive
  4. When I get back to the laptop and want to login, all screens temporarily show the unlocked desktop and I can interact with them (this mostly happens accidentally by typing in my password in the application that is currently opened)

Like @rszimm said: this is a pretty substantial security hole. Specifically because it is possible to interact with programs without unlocking the computer.

By the way, I am using Linux Mint 21.3 Cinnamon

carlosmintfan commented 3 months ago

Same as I experienced https://github.com/linuxmint/mint22-beta/issues/188

rafaelspereira1 commented 1 month ago

I also have the same problem

BlessedDisco commented 1 week ago

I have updated to mint 22 - still have this issue.

The issue is really a problem. Today I accidentally send my password via a chat to somebody else, because all of the keystrokes were going to the chat application before the password box was activated.