
BUG in Panther Screen Saver?
Fresh-Faced Recruit
Join Date: Jan 2003
Oct 24, 2003, 06:37 PM
 
How to reproduce:
Open a blank Terminal or iTerm window.

Lock your screen using either a hot corner, keychain access, or timeout

Wait for the screen saver to activate

Now repeatedly type 'ls[return]' (where return is the return key) until the password box is up and has taken over focus.

Unlock your screen.

Observe that the output of 'ls' is now in your terminal.

Can anyone else reproduce this?? I sure hope 10.3.1 is out soon.

(This is on an 800MHz G3 iBook from Nov 2002.)
(Last edited by rlotz; Oct 24, 2003 at 07:31 PM. )
     
Posting Junkie
Join Date: Nov 2001
Location: Retired.
Oct 24, 2003, 06:46 PM
 
Somehow I don't see this being on top of Apple's "bugs to fix in 10.3.1" list...
     
rlotz  (op)
Fresh-Faced Recruit
Join Date: Jan 2003
Oct 24, 2003, 06:51 PM
 
Originally posted by gorickey:
Somehow I don't see this being on top of Apple's "bugs to fix in 10.3.1" list...
The ability to type arbitrary text to an application before authenticating to the computer sure concerns me. Not to mention the irritation when my password gets sent via some iChat because I type too damn fast.
     
Mac Elite
Join Date: Oct 2000
Location: Edinburgh, Scotland
Oct 24, 2003, 07:24 PM
 
This is definitely something worth worrying about....but I can't reproduce it. Sorry.
ClamXav - the free virus scanner for Mac OS X | Geobunny learns to fly
     
Mac Elite
Join Date: Sep 2000
Location: in front of the keyboard
Oct 25, 2003, 12:15 PM
 
A friend of mine noticed this months ago with an ADC build and reported it to Apple. It was marked as a duplicate--which means they already knew about it back then.
signatures are a waste of bandwidth
especially ones with political tripe in them.
     
Mac Elite
Join Date: Jun 2001
Location: Dundee, Scotland
Oct 25, 2003, 06:28 PM
 
Originally posted by gorickey:
Somehow I don't see this being on top of Apple's "bugs to fix in 10.3.1" list...
If I was Apple this would be close to the top of my list.
Five characters typed into a machine that is supposed to be locked by someone malicious and all your user documents are gone..

Sounds pretty serious to me..
     
Mac Elite
Join Date: May 2001
Location: NYC
Oct 25, 2003, 07:03 PM
 
I can't reproduce this either.

Exactly how fast do you have to type to do this?
     
Junior Member
Join Date: Jan 2003
Oct 26, 2003, 01:02 AM
 
I was able to reproduce it, I couldn't type fast enough to get the "return" character in but the letters "ls" definitely ended up in my terminal.
     
rlotz  (op)
Fresh-Faced Recruit
Join Date: Jan 2003
Oct 26, 2003, 01:45 AM
 
Originally posted by lookmark:
I can't reproduce this either.

Exactly how fast do you have to type to do this?
I type fast; typically I can type my password and hit enter before the dialog box asking for my password has even appeared. I'm using the "computer name screen saver" on a G3 iBook.

I've tried it on a friend's new 15" PowerBook and it's much harder to get the timing right. I suspect the faster machines are simply able to grab the screen input fast enough to make it less of an issue.
     
Fresh-Faced Recruit
Join Date: Apr 2000
Oct 27, 2003, 12:38 AM
 
I am able to reproduce this issue on my iBook/900, but I haven't installed Panther on my other machines, so I can't confirm it on those. This definitely is a major security issue, though...I do type my password fast, and I have accidentally typed it when the screen saver activated while working on a paper in Word. You could accidentally type it in a chat or an e-mail message w/o knowing about it.
     
Banned
Join Date: Nov 2002
Location: Hell
Oct 27, 2003, 12:50 AM
 
After try 3 or so on a test account I was able to fire off an rm -rf and clear everything I could. Definitely needs fixing but it would take quite the hacker to know you had the terminal up front and to type perfectly.
     
Banned
Join Date: Nov 2002
Location: Hell
Status: Offline
Reply With Quote
Oct 27, 2003, 12:54 AM
 
Uh oh! It also accepts keyboard commands. Try holding command and continually hitting N and it will keep spawning new windows. Hitting command-Q then command-D could also spell trouble for any open documents.

Edit: SNAP!! I just managed to open the terminal on a locked system from the screen saver and enter an arbitrary command (top in this case)

All I did was hit command shift A, cancel, type util..., cancel, term..., cancel, command-o, cancel, arbitrary command.
(Last edited by ZackS; Oct 27, 2003 at 01:00 AM. )
     
   