Bug 330602

Summary: security flaw in design of the plasma widgets
Product: [Unmaintained] kscreensaver
Reporter: Ritesh Raj Sarraf <kde-bugs>
Component: locker-qml
Assignee: Plasma Bugs List <plasma-bugs-null>
Status: RESOLVED DUPLICATE    
Severity: major    
Priority: NOR    
Version First Reported In: 4.11.5   
Target Milestone: ---   
Platform: Debian unstable   
OS: Linux   

Description Ritesh Raj Sarraf 2014-01-31 07:50:40 UTC
When using plasma on the lock screen, a user can bypass the lock screen and get access to the user's data (with the permissions inherited from the running user).

All details in this video: https://picasaweb.google.com/lh/photo/PkIjj0jE__Bt92Eh8eBr_dMTjNZETYmyPJy0liipFm0?feat=directlink

Reproducible: Always

Steps to Reproduce:
1. Lock your screen
2. Add a wallpaper / picture frame widget to your lock screen
3. Now right click to check the option "Save picture / wallpaper"
4. The file open window gives you full privileges of the running user.

Actual Results:
Full access to the data using the File Open Interface

Expected Results:  
When called from the lock screen, the access should be limited.

Comment 1 Martin Flöser 2015-01-26 09:21:37 UTC

*** This bug has been marked as a duplicate of bug 316893 ***