Security hole or stupidity?

Today, Windows 98 tricked me into a security problem.

At work, I maintain all my tasks (past, current and future) in an Excel spreadsheet. Periodically, some Python scripts read this Excel file and update a web calendar file (ICS), my Outlook 2000 calendar, a Free/Busy server and my screen saver. My screen saver lists all my planned tasks for the day, starting from 30 minutes before the current time.

Since I have access to quite a few servers, I usually keep a screen saver password. When I have production data mounted on my PC, I keep the screen saver timeout at 2 minutes.

Instant Messenger easily grabbed my screen saver password :-) Here’s how it happened.

  1. I got a phone call and took it.
  2. After 2 minutes, the screen saver came on.
  3. As I was about to finish the call, I typed in the screen saver password without looking at the screen.
  4. As luck would have it, at the same time an IM message arrived, which popped up the IM dialog window. Although the "enter password" dialog was on screen, the keyboard focus must have been on the IM dialog. To cut it short, my password was sent over IM to the guy on the other side.

Is the Windows screen saver password window any special kind of modal dialog window?

Anyway, I changed the password and that was it. I still think it was not entirely my fault - a little bit of the blame must be put on the screen saver password dialog too :-)

  1. That's the problem with most of the graphical user interfaces these days. It's all this "I want your attention now!" focus change pestering that causes exactly these kinds of problems.

    It is alarming that the screensaver isn't modal, though.

    Posted by: Paul Boddie on March 25, 2003 05:42 AM
  2. That's why they call it a screensaver, not a security-blanket-for-your-screen-thingy :)

    I don't think such things can pass through xscreensaver though, although I might be wrong.

    You did not use the same password for the screensaver and the rest of your servers right?

    Posted by: wari on March 25, 2003 11:17 PM
  3. Nope, I didn't use this password anywhere else. I use the screensaver, if I have to go away for unplanned and urgent issues.

    xscreensaver is fine. I tested it with Gabber.

    And oh no, I did not use the password anywhere else :-)

    Posted by: Babu on March 26, 2003 05:27 AM
  4. Alas, I've had this happen more than a few times. Fortunately my screen-saver password is --- well, it's relatively easy if you've known me for a long long time, but no co-worker would figure it out. I've always wondered why the screen saver allows anything else to grab the focus? This seems stupid.

    However, this is not a problem on Windows NT or above (i.e. I use 2000 at work, and this doesn't happen because the screen truly locks), or on MacOS X. Basically it's just a DOS issue.

    Posted by: petrilli on March 26, 2003 08:33 AM