SUMMARY
When fingerprint is configured, launching pkexec will prompt for my fingerprint. I can send this window to the background, which could serve an attacker to do some malicious actions on my behalf.

STEPS TO REPRODUCE
(On a machine with fingerprint authentication configured)
1. Open a terminal
2. Run "pkexec whoami"
3. Observe the PolicyKit dialog
4. Send the dialog to the background
5. Tap the fingerprint reader

OBSERVED RESULT
The terminal will display root although the PolicyKit window wasn't even focused.

EXPECTED RESULT
The fingerprint should be handled only when the PolicyKit dialog is focused and in the front, otherwise the fingerprint should affect.

SOFTWARE/OS VERSIONS
Operating System: Kubuntu 24.10
KDE Plasma Version: 6.1.5
KDE Frameworks Version: 6.6.0
Qt Version: 6.6.2
Kernel Version: 6.11.0-13-generic (64-bit) (Although irrelevant)

ADDITIONAL INFORMATION
The CVE is much wider but this is one of the ways to exploit this vulnerability in KDE (Doesn't happen in GNOME).
Please see https://kde.org/info/security/ the next time
Bug report is valid. Arguably if you have executable code that can launch pkexec and manipulate window stacking order one could do a tonne of other attacks anyway so not more urgent than the known state, but the known state isn't exactly great. Ultimately we need to be treating this auth dialog to be a fully blocking system component, like how the lockscreen works.
Sorry about reporting the wrong way. Although blocking the screen is a good option, there's another way, which is implemented in Mac: the fingerprint is being recognized only if the authentication screen is focused. I'm not sure it's possible. I can try and put my hands on some screenshots.