On Sun, Mar 17, 2013 at 12:21 AM, Kevin Kofler <kevin.kofler(a)chello.at> wrote:
Gilboa Davara wrote:
> While testing 4.10/f17 I decided to try out the new lock screen.
> The widget lock screen is indeed nice, but there's a major security issue:
> An unauthenticated user can access the lock-screen setting and change the
> background. (cashew->settings).
Changing the background is a "major security issue"?!
*Of-course* it is!
Cashew -> settings -> add -> file dialog opens.... and you have
complete (!) access to the machine's file system.
I wonder whether adding ihatethecashew to the widget lock screen would work.
(I guess not, it needs to declare that it is safe for the lock screen to be
authorized.)
Interesting idea.
Kevin Kofler
In-short, sounds like an upstream bug.
I'll report it and post a link.
- Gilboa