Posted on January 17, 2021 at 4:18 PM
Vulnerability in Linux Mint Screensaver Lock Discovered By Two Kids
Vulnerability on devices and software is no longer limited to sophisticated hackers and a threat actor, as recent even has proven. Even kids can discover flaws from a device if they are allowed to do so.
Two kids were given the freedom to hack into their father’s Linux desktop, but they did more than that. Their activities on the desktop led to the discovery of a critical vulnerability after crashing the system’s screensaver with sheer luck.
The Linux Mint team was alerted about the high priority security vulnerability the kids discovered while playing with their dad’s computer.
The vulnerability could have given a threat actor the ability to bypass the OS screensaver as well as its password to gain access to a locked desktop. However, the vulnerability has been patched.
The dad who goes by the username “robo2bobo” on the GitHub forum explained the incident, stating that he gave his two kids the allowance to hack his Linux desktop and stood behind them watching what they were doing.
The bug report revealed that the children passed random keys on both the on-screen keyboards and physical keys, which ultimately resulted in the crash of the Linux Mint screensaver.
“I thought it was a unique incident, but they managed to do it a second time,” the GitHub user reiterated.
He said he was not successful even after trying to recreate the lock on its several times.
He also said after the desktop was unlocked, it seems the lock feature became faulty as he couldn’t luck it again. The screensaver process was completely non-functional and required the user to run the Cinnamon screen saver for it to work again.
The vulnerability is linked to the on-screen keyboard
Clement Lefebvre, the Linux Mint lead developer, said the problem is connected to the on-screen keyboard (OKS) known as libcaribou, which is shipped with a Cannamon desktop interface.
In another word, the vulnerability usually happens when the user presses the “ē” key on the on-screen keyboard.
He also noted that generally, the vulnerability crashes the Cinnamon desktop process in most cases. However, the vulnerability crashes the onscreen saver if the user opens the on-screen keyboard via the screensaver.
Robo2Bobo tried to recreate the actions that led to the crashing of the onscreen saver, but he wasn’t successful, as the cracking process requires something the two kids mistakenly did.
The bug has been patched
According to the developer, the vulnerability affects most software that uses the OSK component libcaribou and Cinnamon 4.2+ version.
But he said the vulnerability has been patched and users need to update their systems as soon as possible before threat actors take advantage of any loophole.
The patch was released on Wednesday last week to correct the vulnerability and prevent any exploitation in the future.
The developer also hinted that the team is working to provide a setting that can disable the on-screen keyboard. That way, any future issues can be solved easily without waiting for a patch.
The finding shows that hackers may not necessarily be too sophisticated before breaking or cracking a security protocol. The kids hacked into the screensaver by sheer luck, which indicates that vulnerabilities can exist in any form but stay hidden because they’ve not been exposed.
Users are advised to patch their systems
The vulnerability the children discovered has opened a highly critical bug exploitation avenue for cybercriminals to bypass a screensaver password and have access to locked desktop computers.
The bug seems to affect all releases of the Linux system, but it seems more apparent and exploitable on the Debian Edition and the latest Linux Min 20 series.
This is not the first time the Linux Mint system, touted as one of the most secure software, has been hacked. In 2016, all the original files of the distribution site were replaced with a backdoor after it was hacked. At the same time, the Mint’s forum was also compromised, as the threat actors gained access to user’s email and their encrypted passwords.