Security: locking screen does not prevent applications from receiving images and sound from laptop's camera and microphone
Affected version
$ cat /etc/fedora-release
Fedora release 34 (Thirty Four)
$ rpm -q gnome-shell
gnome-shell-40.1-1.fc34.x86_64
$ echo $XDG_SESSION_TYPE
wayland
Bug summary
Locking the screen prevents the laptop's keyboard, mouse, touchpad, touchscreen and screen from interacting with running programs; but locking the screen leaves the microphone and video camera able to interact with running programs. This inconsistency is unexpected, and so has the potential for information leakage: no one expects a 'locked' computer to be sending video and sound and so people may be inclined to believe they are in a private situation. This is particularly an issue when the screen is locked whilst using videoconferencing programs.
Steps to reproduce
- gnome-sound-recorder
- Press Record and start counting out loud
- Press Lock, say "lock" and keep counting
- Unlock the computer, say "unlock" and keep counting
- Stop recording.
- Review recording; counting can be heard between the words "lock" and "unlock".
Similarly for video with the "cheese" video recorder.
What happened
Unexpectedly, video and sound applications kept obtaining data from the laptop's surroundings even though the laptop is locked. This is unexpected because programs cannot obtain data from some other devices whilst locked, such as keyboard or mouse.
What did you expect to happen
Video is blanked and sound is silenced whilst the laptop is locked.
Relevant logs, screenshots, screencasts etc.
This is a security issue, because of the potential for information leakage increasing with the rise in use of videoconferencing programs.
I'd note that this isn't the duty of applications to resolve. Applications, particularly websites, should not be that trusted.
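A check for the condition reported above, added here as an example and not part of the original report or of GNOME Shell: it flags audio capture streams that are still active while the session is locked. It assumes logind's `LockedHint` session property reflects the GNOME lock state and that `pactl list short source-outputs` prints one recording stream per line; the function names and the sample line are constructed for illustration, and video devices are not covered.

```shell
#!/bin/sh
# Flag audio capture streams that remain active while the session is locked.
# Assumptions: logind's LockedHint tracks the GNOME lock state, and
# `pactl list short source-outputs` prints one recording stream per line.

# count_capture_streams OUTPUT
# Counts the non-empty lines of `pactl list short source-outputs` output.
count_capture_streams() {
    printf '%s\n' "$1" | awk 'NF > 0 { n++ } END { print n + 0 }'
}

# leak_status LOCKED_HINT OUTPUT
# Prints a one-line verdict; returns 1 only when the session is locked
# AND at least one capture stream is active.
leak_status() {
    locked=$1
    streams=$(count_capture_streams "$2")
    if [ "$locked" = "yes" ] && [ "$streams" -gt 0 ]; then
        echo "LEAK: session locked, $streams capture stream(s) active"
        return 1
    fi
    echo "ok: locked=$locked capture_streams=$streams"
    return 0
}

# Constructed sample line in the `pactl list short source-outputs` layout
# (stream index, source index, client index, driver, sample spec).
SAMPLE_OUTPUTS=$(printf '57\t46\t112\tPipeWire\tfloat32le 2ch 48000Hz')

# Live mode polls the real session every 5 seconds: sh check.sh --live
# Assumes XDG_SESSION_ID is set in the calling environment.
if [ "${1:-}" = "--live" ]; then
    while sleep 5; do
        hint=$(loginctl show-session "$XDG_SESSION_ID" -p LockedHint --value)
        outs=$(pactl list short source-outputs 2>/dev/null)
        leak_status "$hint" "$outs" ||
            logger -t lock-capture-check "audio capture active while locked"
    done
fi
```

Run with `--live` from a terminal inside the session, start a recording, then lock the screen; a `LEAK` line and a syslog entry indicate that the recorder kept its capture stream across the lock.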