Password security flaw in Mac OS X Screen Effects

CNET staff

With the help of MacFixIt reader Mark Bogdanoff, we have been investigating a potentially serious issue in Mac OS X's Screen Effects password protection.

We previously noted that if you have Energy Saver set to put your monitor to sleep sooner than the screen saver is to appear, the previous state of your display - complete with all open windows - is shown for a brief period before the screen saver dialog box prompting for a password pops up.

The new issue allows applications to be freely quit or launched while Mac OS X's Screen Effects is prompting for a password.

If you have Full Keyboard Access turned on (available under the Keyboard pane in System Preferences), the Dock can be accessed "blind" from behind Screen Effects: you can't see the Dock, but some of its functions are still accessible. On our in-house system, we have the Dock set to appear when the "Control-F3" keyboard combination is pressed.

When Screen Effects prompts for a password, pressing this keyboard combination will move the cursor out of the pop-up prompt dialog box and onto the Dock (which is not visible). Pressing Tab to switch applications and then pressing "Q" will cause applications to quit. Likewise, pressing "Return" will cause applications to launch.

This issue significantly undermines the protection level offered by Screen Effects. If you choose to use this method of password security, make sure that Full Keyboard Access is turned off.

Feedback on this issue? Drop us a line at late-breakers@macfixit.com
