HUGE Security Flaw with Sleep Password

I was using Leopard on my MBP, a pretty fresh installation (less than a month old).

I had a couple of iChat windows open. Something called me away for a few minutes, and my screen saver kicked on, which I have set to "Require password to wake this computer".

I came back, moved the mouse, and it popped up the Password window as usual. I typed in my password and hit Enter, then the screen faded back to black. Weird, I thought. I moved the mouse again, it asked me for my password again. I typed it in and my desktop appeared as normal.

Except for the fact that in my last open iChat window, I just sent my password to the last person I was chatting with!

Basically, it's like the key input for my "Require Password" box didn't parse to the box, it instead parsed to the iChat window that was "behind" everything. My guess is that the "focus" didn't shift to the Password box when I moved the mouse, instead it stayed stuck at the iChat window which was my previous focus point.

When the password prompt is up, Leopard shouldn't allow me to input anything "behind" the Password box. Does this mean I could have also command-tabbed to bring up my email and bypass the password prompt? Or heaven forbid I had a Terminal session running as my last focus point.

Macbook Pro, Mac OS X (10.4.11)

Posted on Aug 1, 2008 10:17 AM

3 replies

Aug 1, 2008 10:32 AM in response to plochner

You are right, this is a known weakness. Even worse, it's actually possible to pick which window you are typing in and, say, execute a terminal command if Terminal was open before the computer went to sleep. The only workaround is not to use the "Require password on wake" feature and suspend your session instead. For example, you can choose "Login Window" from the Fast User Switching dialog. This can be automated if you like.
