As reported by The H, a vulnerability in Xorg has been discovered that, on affected systems, allows anyone to unlock a locked computer without knowing the user’s password.

The French blogger “Gu1” has discovered that versions 1.11 and above of X.org’s X Server contain an interesting vulnerability that enables users to gain access to a locked computer. Simultaneously pressing the Ctrl key, the Alt key and the * key on the numeric keypad disables a user’s screensaver and unlocks the computer.

According to Gu1, the problem is caused by the “AllowClosedownGrabs” debug option: if it is active, pressing the key combination causes any processes that grab mouse or keyboard inputs to shut down – in this case, the screensaver that usually prevents a locked computer from being accessed. Gu1 says that the function had existed up to 2008, but at that time it was disabled by default and well-documented. Apparently, the developers even explicitly pointed out the potential security issues that may exist when used in combination with screensavers. Developers were also able to use an API to disallow the function for their processes. The function was re-introduced last year – “but this time it’s enabled by default, not clearly documented and not even configurable easily”, noted the blogger. X.org developer Peter Hutterer says that this was caused by a miscommunication within the development team: after the function was re-introduced, the developers failed to remove the keyboard combination from the default keymap.
