Oh, wow - I reported this problem along with an example exploit to Apple about 6-7 years ago. Never got any recognition for it, but it was fixed some time after that. It's quite sad to see old bugs getting new lives like that.<p>For those interested, the sample exploitation that I discovered was that connecting any iPod/iPhone device to an OSX laptop while the screen was locked took the focus away from the login prompt 'into' the system, where iTunes gained it, and from there it was just a few OS-level keyboard shortcuts from gaining network access to the system, while still locked: launch Finder, go to the tools folder, launch Terminal, launch `nc` in the terminal to get access via the network. Lots of blind typing, but it worked more times than not.
With no disrespect to the developers at Apple, et al, each one of these problems that goes viral before reaching “proper” channels is a well-deserved slap in the face of these behemoth organizations.<p>Perhaps, if the entire tech community regards Apple as a joke, they will start paying attention.<p>“Responsible disclosure” is great stuff for creating a culture of free outsourcing of tech companies’ most important feature (security) to the same people that paid those companies thousands of dollars for that privilege.
Not to pile on, but my MBP (with "TouchBar" which will assuredly not exist in another year) is always in clamshell mode and connected to two external LG 4K displays. Whether, on which screen(s), or in what state the Mac wakes each morning is completely random. Sometimes it doesn't wake at all. Sometimes I have artifacts on one screen and a desktop on another screen. The sleep/wake sequence is a complete mess, and it doesn't surprise me that the focus might sometimes be on apps running in the user session behind the lock screen.
FWIW this is a known security bug at Apple. I filed a bug about similar behavior where you can see the desktop briefly without logging in. Apple marked it as a duplicate. https://imgur.com/YxXtU2y<p>Here are the steps to reproduce:<p>- Start Mac<p>- Login<p>- Turn on Screen Lock: System Preferences > Security > General > Check "Require Password" and Select 5 Seconds.<p>- Turn on Hot Corner Sleep Display: System Preferences > Mission Control > Hot Corners > Select upper left > Put Display to Sleep > Ok<p>- Attach external monitor<p>- Activate hot corner by dragging mouse to upper left corner of screen<p>- Wait 6 seconds<p>- Click the mouse to trigger waking the screen<p>- See brief flash of the desktop without logging in!
So, Apple has the most available cash resource of any company out there (or at least close to). Yet, bugs galore, and strange product decisions. The obvious conclusion is that their management is failing to staff according to the work that needs to be done. This could be because they are not aware that work needs to be done, which means engineers are not telling them, or that the management is not succeeding in hiring enough people to do the jobs.<p>My gut instinct says that some former people at Apple used to do a lot of undocumented QA work and sanity checks, and that as the company has grown and changed, nobody picked up the slack when they left. Now, they'll have to go through a formal process of re-identifying QA steps that need to exist, and hiring against them. It's been a hell of a month for them, though.
I did something similar too - I was typing in the password while the Mac was being unlocked by the watch using that unlock-with-the-watch feature.<p>I was used to hammering return a few times to wake the machine up, then typing in the password, then hitting return again.<p>The few times I hammered return woke the machine, the watch unlocked the Mac, and the password plus the return key went into the app that had focus, which for me also was Slack.<p>Is it possible that this user had the same thing happen to them? When I disable the watch unlocking, I can't make the password go anywhere but into the login screen (10.13.1 here with last week's security update applied).
These lock screen issues go back further than 10.13. I believe it was 10.10 or 10.11 when my child was able to bypass the lock screen by mashing on the keyboard while the screensaver was fading out the login dialog.<p>I witnessed it. I was not able to reproduce it in 10-15 minutes of testing. She did NOT type in the password. Just banging on the keyboard, playing with the screensaver.
Lock screens are harder than they first appear: www.jwz.org/xscreensaver/toolkits.html (Which, you'll note, mentions this exact failure case in the "Transfer Grabs?" section.) There's some X-specific stuff in there, but there's a lot of general issues in there, and with just a bit of imagination most or all of the X-specific issues can be seen as general issues as well.
Left Slack open with focus, allowed MBP to sleep, woke with space bar; login field had focus. Tried with closing lid and opening while Slack was open and focused; again password field functioned as it should. Unable to reproduce, macOS 10.13.2.
I have slow Macs that I share with family.<p>I've seen similar behavior when switching users. The full-screen password entry login comes up, but focus is still on regular apps.
I often wonder how many authentication log files contain passwords because people in a hurry append it to the username by accident (not visually confirming the Tab/Enter/switch to the password entry).<p>This is also vaguely similar to the 'test SSL submit' security technique of first entering enough data into login forms to process a submission, and then entering real login info into the 'login failed' retry page after verifying SSL. This has lost some of its luster as non-SSL form submission has fallen out of wide usage.
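As an added example (not from any commenter in this thread), here is a defensive scrub for the auth-log failure mode the comment above describes: a username field that is really username+password because the Tab/Enter was missed. The log lines, the account list `KNOWN_ACCOUNTS` and the sshd-style line pattern are all constructed assumptions; the heuristic deliberately errs toward redaction, since a leftover password in a log costs more than an over-redacted username.

```python
import re

# Constructed sshd/auth.log-style sample lines (not from a real system).
SAMPLE_LOG = """\
Jan 12 09:14:02 host sshd[2201]: Failed password for invalid user alice from 10.0.0.5 port 50112 ssh2
Jan 12 09:14:10 host sshd[2201]: Failed password for invalid user aliceHunter2!x from 10.0.0.5 port 50113 ssh2
Jan 12 09:14:15 host sshd[2202]: Accepted password for alice from 10.0.0.5 port 50114 ssh2
Jan 12 09:15:01 host sshd[2203]: Failed password for invalid user bob from 10.0.0.6 port 50200 ssh2
"""

KNOWN_ACCOUNTS = {"alice", "bob", "deploy"}          # assumed local account list
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")  # plausible POSIX login name
LINE_RE = re.compile(r"(for (?:invalid user )?)(\S+)( from )")  # sshd phrasing

def suspect_leak(name, known=KNOWN_ACCOUNTS):
    """Return the account prefix ('' if none) when `name` looks like
    username+password, or None when it looks like an ordinary username."""
    if name in known:
        return None
    # Case 1: a known account name with trailing characters (missed Tab/Enter).
    # This also catches e.g. 'bobby' when 'bob' exists: accepted false positive.
    for acct in sorted(known, key=len, reverse=True):
        if name.startswith(acct) and len(name) > len(acct):
            return acct
    # Case 2: not a plausible login name at all (symbols, uppercase, too long).
    if not USERNAME_RE.match(name):
        return ""
    return None

def redact_line(line, known=KNOWN_ACCOUNTS):
    """Return (possibly redacted line, True if a leak was suspected)."""
    m = LINE_RE.search(line)
    if not m:
        return line, False
    prefix = suspect_leak(m.group(2), known)
    if prefix is None:
        return line, False
    replacement = m.group(1) + prefix + "<REDACTED>" + m.group(3)
    return line[:m.start()] + replacement + line[m.end():], True

def scrub(text, known=KNOWN_ACCOUNTS):
    """Scrub a whole log; returns (scrubbed text, number of flagged lines)."""
    out, flagged = [], 0
    for line in text.splitlines():
        new, hit = redact_line(line, known)
        out.append(new)
        flagged += int(hit)
    return "\n".join(out), flagged
```

Run `scrub` on the log before it leaves the host (e.g. in the shipper's pipeline), and treat a non-zero flag count as a signal that the affected account's password should be rotated.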
Say what you want about Windows, but no amount of sneakery can steal input focus from Winlogon window station (yes, there's a separate kernel object for that in NT/Win32K).
This has been a very sporadic issue that I've seen once or twice per year at most, for quite a while with OS X - somehow, another window is able to steal focus from the login screen. I've never been able to reproduce it reliably or find a common element in all of the times it has happened, but it definitely has happened to me and I've also seen co-workers dropping their login password in a chat window due to this. But it is pretty rare, so hard to pin down.<p>I've also noticed another thing happening more lately - locking the screen, only to have it automatically unlock itself a second or two later. I always have to make sure it actually stays on the screensaver for a few seconds before I trust it will actually lock.
I'm really bothered. While I had relatively no issues with the fresh OS X update, I'm having a hard time with the iPhone 7 and the new iOS that is supposed to run their flagship device: iPhone 10.<p>While most of the bugs have disappeared with the recent update, there are still some minor ones that really piss me off: Screen freezing unresponsively for 30-60 seconds before things get back to control; and music playing randomly (happened a few times. Everything calm. Boom, music starts to play).<p>I'm pretty sure this mess wasn't here before the update to iOS 11.<p>Edit: Just found there is a new update. Let's see if they are getting their shit together this time.
I have had this happen with 10.12 and 10.11 on rare occasions. To my knowledge, I'm not doing anything different on the occasions that it does happen.<p>It wasn't Slack-specific as I've only started using Slack recently.
Although this bug still sucks, the class of problems of pasting passwords into chat may have a simple, worthwhile, and general solution. A colleague at a former company always changed the key bindings in his IRC/Jabber client to include a control key with Return for sending a message. Does Slack have this option?
I also typed my Apple ID password to my peer, not into chat, but into another Mac in the same room. Mac keyboards can disconnect and connect to the wrong devices if used with them once.<p>That specific setting was: my keyboard was used to set up his mini; the mini was turned off and on later. My keyboard, already properly reconnected to my Mac at that time, disconnects on timeout (or for whatever reason it does that a few times a day). The mini “grabs” my keyboard when it goes back on air. I wake my sleeping Mac via trackpad and try to type my password into the focused password field. Non-obviously, no characters appear on <i>my</i> screen.
Definitely done that before. Sent my password through Messages to a friend. After that, I learned to keep the finder or a web browser as the thing in focus before I lock my computer.
Last week I was resizing a window in High Sierra, and I noticed that the Chrome app in the background was also scrolling. That was completely unexpected. It's long been the case that the window doesn't need to be on top for this behavior, but in this case it wasn't just a focus issue, it was that I was in resize mode. Completely jarring when it happened, but seems related.
Sounds like the assumption is that the lack of focus means that the first password got sent to Slack? But it seems more likely that it was the second entry of the password that was sent to Slack, and it was just that the keyboard input was being buffered? (So the first password-enter eventually got processed, and then the second one got processed but after unlock.)
A similar thing happens to me sometimes with 1Password on the web. I'll click the extension's icon and type in my password and realize I'm typing it into a text box on the webpage. I've tried to reproduce it and I can't, so I have no idea what the issue is. It freaks me out though.
Microsoft employee said:
"Same issue as with using windows 10 with multiple monitors/screens."<p>https://us.teamblind.com/article/wtf-apple-uBXwbJMc
I had this bug once a long, long, LONG time ago; since then my password is a sentence that doesn't look like a password. Of course I'd still change it if it went out to Slack :)
I'm always worried about this too... sometimes my session doesn't lock because I was watching a video and I go ahead and type my password before looking when I come back (some websites log all keystrokes).
Not surprised by these bugs any more.<p>The sheer amount of bugs in High Sierra is ridiculous. With the exception of the root password bug, I've personally experienced the following bugs with my Thunderbolt display:<p>* In 10.13 or 10.13.1 the built-in web camera was broken. The video would freeze after a few seconds when attempting to use the camera in FaceTime. This was fixed in 10.13.2.<p>* In 10.13.2 USB audio devices connected to the TB display no longer work properly. After playing audio through the device (USB DAC in my case) for 30-60 seconds, some sort of interference/electrical noise appears for 5-10 seconds every minute or so. I assume this has something to do with "Improves compatibility with certain third-party USB audio devices." from the 10.13.2 release notes.
I worked at an open source shop where almost everyone ran Linux and used IRC for chat. For a while I made the mistake of having the screen black time lower than the screensaver timeout, so I'd unlock my screen and see my password go out in IRC. I ended up changing my password to something that looked like a shell command.
The quality of the software and the sacrifice of key functionality in the hardware (dropping of MagSafe, which was a huge differentiator, going to just USB-C ports which almost nothing supports, not even Apple's own in box phone chargers) demonstrates that Apple is purely a design house lately. It has completely faltered on the engineering side. Tim Cook is not an engineer and Jony Ive is not an engineer. There are engineers at the company but they don't seem to be getting a seat at the big table.
On .2 already. Never had an unwatch to unlock. The ghost typing happened to me yesterday. I never found out what got my password. Hopefully it wasn't Slack. I assumed it just went to the "root window" (does Quartz have the same concepts as X?) of the lock screen.<p>I usually press the control key to wake up every computer (shift doesn't work on some). That one time I woke it up by tapping on the touchpad.
Windows handles this nicely with User Account Control (UAC) and Secure Desktop mode.<p>Many of OSX's problems come from trying to shoehorn security on top of operating system concepts that were developed in 1969.
Apple has a bug bounty program where they'll legitimately pay you to report bugs directly to them. What's with everyone reporting them to Twitter instead and forgoing the extra cash?