Simple Ubuntu 14.04 lock screen bypass discovered

A user has discovered an embarrassingly simple security security vulnerability affecting the latest version of Ubuntu, which allows snoops to bypass the lock screen.

Throwing sophisticated hacks and brute forcing to the wind, one enterprising user found that password protection on machines running Ubuntu 14.04 could be bypassed by simply holding the enter key for about 30 seconds which crashed the system.

Developers worked quickly to issue a fix for the flaw described as 'critical'.

User Marco Agnese reported the bug to the Ubuntu bug list page.

"I am running Ubuntu 14.04 with all the packages updated. When the screen is locked with password, if I hold 'enter' after some seconds the screen freezes and the lock screen crashes. After that I have the computer fully unlocked," Agnese wrote.

Adam Conrad, a software engineer with Canonical (which markets Ubuntu), said the flaw was "borderline unforgivable" and the platform should have never restarted unlocked after a crash.

"To be clear, the 'always restart locked' half of the fix is the more important bit," Conrad said.

"The crash is embarrassing, but crashes will happen, and we'll find others. Having it restart unlocked is bordering on unforgivable, and we should focus on fixing that first."

Another user said the bug "broke trust" for users that had explicitly locked their screens, making it much worse than an existing bug which merely prevented screens from locking.

Kayne Naughton, local security professional and founder of Asymmetric Security, said the design of the now 30 year-old X Window System underpinned much of the problem.

"One of the big underlying issues comes back to X11 being 30 years old and designed for a friendlier time," Naughton said. "They are building layers and layers of technology on top of each other."

He said the flaw was most problematic for the albeit rare instance where users with remote KVM (Keyboard Video Mouse) setups do not use passwords, meaning they relied on the operating system to locked machines.

That scenario would be worsened for users of internet-facing KVMs.

He said MAC OS X had a similar problem in previous years where passwords thousands of characters long would crash the platform.

"It's a shame to see history repeating."