I think I may have stumbled across a security problem in OS X on my MacBook. To recreate it, you need to satisfy the following conditions:
- Enable locking the screen after waking from sleep or screensaver
- Connect to an 802.1x-authenticated wireless network. Don’t set it to remember the password.
- Shut the lid to put it to sleep
- Open the lid to wake it up. There will be a time during which the screen backlight is on, but the screen is displaying plain black before the unlocking password box appears. During some of this time, any keys you press will be sent to the 802.1x authentication window, which is “behind” the black screen, as it also appears upon waking. The timing is hard to get right though.
- These screenshots show the two states of the unlock box. Apologies for the quality – can’t take screenshots while locked so had to take a photo 🙂
- After a second, the unlocking password box will appear. If you got your timing right, it will appear without focus. In this case, your keystrokes are still being sent to the 802.1x password box which has focus, despite being invisible. You also have the ability to press Tab to move between fields and Return to submit. This gives you the ability to authenticate someone on a wireless network using any credentials! When they come to unlock their Mac, there will be no obvious indication that they’re authenticated on a wireless network as someone else.
- This next screenshot shows what the 802.1x box looks like, after unlocking. As you can see, I’ve entered the word hello through the locked screen!
I spotted this bug accidentally on my Mac when I was a bit hasty typing in my unlock password, and was shocked to see it appear in the 802.1x username box after I unlocked successfully.
I’m using Leopard, 10.5.7. I’d be very interested to hear from anyone who can recreate this bug on other versions of the OS.
I’d be even more interested to hear from anyone who figures out how to enter keystrokes through a lock screen to an arbitrary application. I’ve tried this, and Control+Tab doesn’t work, so you can’t immediately switch to other windows. I’ve also tried successfully entering my 802.1x credentials through the lock screen to dismiss the 802.1x box, but after that my keystrokes are not accepted.