Bug 482973

Summary: Using "focus follows mouse" can cause dialog to get de-focused and then the user might write their password into another window
Product: [Plasma] policykit-kde-agent-1
Reporter: Reuben <kde>
Component: general
Assignee: Unassigned bugs mailing-list <unassigned-bugs>
Status: CONFIRMED
Severity: normal
CC: drf, jgrulich, jreznik, nate
Priority: NOR
Keywords: usability
Version: 6.0.0
Target Milestone: ---
Platform: Other
OS: Linux
Latest Commit:
Version Fixed In:
Attachments: demonstration

Description Reuben 2024-03-09 12:09:46 UTC
Created attachment 166790 [details]
demonstration

With focus follows mouse, it's quite possible to inadvertently type your password somewhere that you didn't intend. This is particularly odious with apps that (might) keep history, e.g. Discover. See attached video for demonstration. I've done this probably half a dozen times with Discover in the past two years, so this is not theoretical. Users who don't realize that some applications write history to disk in plain text may not change their password when this happens.

The sudo dialog should somehow protect against this. One possibility would be to own the glass of the screen and prevent background typing (though, maybe some users copy/paste passwords from password managers? - but this could be accommodated for with a button to dismiss the sneezeguard, since it's an exception to the general usage pattern). Another possibility would be to detect loss of focus and react very prominently, e.g. by highlighting the sudo dialog.
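The following is an added illustration, not code from polkit-kde-agent or from the reporter. It is a toy model of how focus-follows-mouse routes keystrokes to whichever window is under the pointer, and of the two mitigations the report proposes: an input grab ("sneezeguard") that keeps key events on the dialog even when the pointer strays, and a focus-loss guard that discards the partially typed secret and raises a prominent alert state. Window names, geometry and the key sequence are constructed for the demonstration.

```python
"""Toy model of focus-follows-mouse keystroke routing and two guards for a
password prompt. Added illustration; not polkit-kde-agent code. The window
names, geometry and key sequence below are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Window:
    name: str
    rect: Tuple[int, int, int, int]       # x, y, width, height
    typed: str = ""                       # whatever key events landed here

    def contains(self, x: int, y: int) -> bool:
        wx, wy, ww, wh = self.rect
        return wx <= x < wx + ww and wy <= y < wy + wh

    def key(self, ch: str) -> None:
        self.typed += ch

    def focus_out(self) -> None:
        pass                              # ordinary windows do nothing special


@dataclass
class PasswordDialog(Window):
    guard: bool = True                    # clear partial entry and alert on focus loss
    grab: bool = False                    # "sneezeguard": keep all keys on this dialog
    alert: bool = False

    def focus_out(self) -> None:
        # Mitigation 2 from the report: losing focus mid-entry is treated as an
        # error; drop the partial secret so it cannot be continued elsewhere and
        # flag the event so the UI can highlight the dialog.
        if self.guard and self.typed:
            self.typed = ""
            self.alert = True


class FocusFollowsMouse:
    """Routes key events to the top-most window under the pointer."""

    def __init__(self, windows: List[Window]):
        self.windows = windows            # last element is top-most
        self.focused: Optional[Window] = None

    def move(self, x: int, y: int) -> None:
        target = next((w for w in reversed(self.windows) if w.contains(x, y)), None)
        if target is self.focused:
            return
        # Mitigation 1 from the report: a grabbing dialog keeps keyboard focus
        # even when the pointer strays over another window.
        if isinstance(self.focused, PasswordDialog) and self.focused.grab:
            return
        if self.focused is not None:
            self.focused.focus_out()
        self.focused = target

    def key(self, ch: str) -> None:
        if self.focused is not None:
            self.focused.key(ch)


def replay(guard: bool, grab: bool) -> dict:
    """Pointer strays from the dialog to the top-right corner of a window that
    keeps history, halfway through the password; report where the keys went."""
    discover = Window("discover", (0, 0, 800, 600))
    dialog = PasswordDialog("polkit-agent", (300, 200, 200, 100), guard=guard, grab=grab)
    wm = FocusFollowsMouse([discover, dialog])
    events = [("move", 400, 250), ("key", "h"), ("key", "u"), ("key", "n"),
              ("move", 780, 20),            # sloppy pointer motion, now over Discover
              ("key", "t"), ("key", "e"), ("key", "r"), ("key", "2")]
    for ev in events:
        if ev[0] == "move":
            wm.move(ev[1], ev[2])
        else:
            wm.key(ev[1])
    return {"discover": discover.typed, "dialog": dialog.typed, "alert": dialog.alert}


if __name__ == "__main__":
    for guard, grab in ((False, False), (True, False), (False, True)):
        print(f"guard={guard} grab={grab}: {replay(guard, grab)}")
```

With neither guard, the model shows the failure from the report: the first half of the password stays in the dialog and the second half lands in the history-keeping window. The grab keeps every keystroke on the dialog; the focus-loss guard cannot stop the stray keystrokes (the compositor has already rerouted them) but it clears the partial entry and sets the alert state that a real agent would turn into a visible highlight.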
Comment 1 Reuben 2024-03-11 22:00:27 UTC
I figured out how this happens. The "update all" button is in the top right of the window. With focus follows mouse, you are used to ...focus being under the mouse... so by default you move the cursor to the dialog. If you are slightly sloppy about this, Discover grabs focus and your password goes into the wrong place.

It's not the kind of thing that happens if you are being slow and deliberate, but if the whole thing (move mouse, type password) is done on autopilot very quickly, it can happen (and as above, has done for me half a dozen times or so in the past couple of years).