https://bugs.kde.org/show_bug.cgi?id=433485
--- Comment #2 from Dan Dascalescu <ddascalescu+...@gmail.com> --- Created attachment 136099 --> https://bugs.kde.org/attachment.cgi?id=136099&action=edit xinput test still kogs keystrokes from PolicyKit1 KDE Agent I'm not very familiar with this security aspect, or much with Wayland, so please pardon my inexact terminology. Joanna's demo works just fine on KDE neon 5.21, as seen in the attached screencast. I guess Wayland isn't enabled yet, perhaps due to the showstoppers?[1] > Also, could you please clarify what you mean by "a la gksudo"? > gksudo is deprecated and not shipped at all by most distros at all anymore, > so I cannot tell whether it manages to protect itself against this on X11. Back in 2011, gksudo was reported to be resistant to this kleylogging attack at https://theinvisiblethings.blogspot.com/2011/04/linux-security-circus-on-gui-isolation.html?showComment=1303668459694#c644649620501650773 > Please note as well that in you should not enter your password into anything > if you > suspect untrusted processes are running as your user. There are numerous > other attacks, > like "debugging" the agent or simply impersonating the password prompt. Right. My threat model is that I may not know whether untrusted code is running in a dependency confusion type of attack[2], and it could log keystrokes, including those I type into a legitimate prompt. [1]: https://community.kde.org/Plasma/Wayland_Showstoppers [2]: https://blog.malwarebytes.com/hacking-2/2021/02/researchers-audacious-hack-demonstrates-new-type-of-supply-chain-attack/ -- You are receiving this mail because: You are watching all bug changes.
