Unprivileged application is able to bypass GNOME Lockscreen
Known affected versions:
- OS: Fedora Silverblue 39, Fedora Workstation 39, Bazzite-GNOME 39
- GNOME Shell Version: 45.4
- Appears in: XORG & Wayland
- Happens without extensions: Yes
Bug summary
This issue was reported by a Bazzite user earlier today. An unprivileged application (joystickwake) that Bazzite includes to prevent the screen from blanking on HTPCs, is able to skip the lock screen entirely. This is also reproducible on stock Fedora installs simply by installing joystickwake.
Steps to reproduce
- Install joystickwake (https://github.com/foresto/joystickwake)
- Connect a controller
- Lock the screen
- Press any button or move any stick to skip the lock screen and enter the desktop
Alternative
- Open a Terminal
- Run the command:
sleep 10; dbus-send --type=method_call --print-reply --dest=org.gnome.ScreenSaver /org/gnome/ScreenSaver org.gnome.ScreenSaver.SetActive boolean:false
- Press Super + L to lock the screen
- Wait up to 10 seconds and the screen unlocks on its own
More details
Video of the problem can be found at: https://www.reddit.com/r/gnome/comments/1bq2zl1/bluetooth_controller_can_bypass_gnome/
The source code for this application can be found at: https://github.com/foresto/joystickwake
This is a security risk since other applications could replicate what this is doing and render the screen lock pointless.
Edited by Kyle Gospodnetich