In hacker culture, a script kiddie is someone who possesses little to no technical skill themselves. Rather than creating their own tools and techniques, they utilize existing scripts or tools in order to vandalize websites or trick unsuspecting Internet users into entering their credentials into a fake login form. In a literal sense, script kiddies aren’t actually “kids”. However, while listening to a cybersecurity podcast recently, I heard something that may argue otherwise.
The podcast I am referring to is the Day[0] podcast, specifically episode 60, titled “Breaking Lock Screens & The Great Vbox Escape”. A little over thirty minutes in, one of the show hosts, Specter, mentions a lock screen bypass in Linux Mint, one of the various distributions of the Linux operating system. What caught my attention wasn’t the bypass itself, but how and by whom said bypass was carried out. No, it wasn’t an exploit discovered by a nation-state, nor was it Google’s Project Zero team; it was simply two children.
I went ahead and found the actual issue posted by GitHub user “robo2bobo” (whom I will refer to as R2B) on the linuxmint/cinnamon-screensaver repository, which hosts the code for the Cinnamon desktop environment’s screen locker and screensaver program. A desktop environment is, in its most basic form, a bundle of programs running on top of an operating system, such as Mac or Windows, that provide common graphical user interface (GUI) elements. The issue, titled “Screensaver lock by-pass via the virtual keyboard”, offers further insight into how two kids were able to “discover” this exploit. R2B explains that their kids were interested in hacking into their parents’ Linux desktop, and with permission began typing random keys and clicking all over the screen. To R2B’s surprise, this behavior caused the screensaver to crash, allowing the kids to bypass authentication and unlock the desktop.
In the world of cybersecurity, this technique is known as “fuzzing”, in which random data is provided as input to a computer program in hopes of causing unexpected behavior, such as a crash or memory leak. Jumping back to our definition of script kiddies, there is no better term to describe the discovery of this vulnerability. Kids with no technical knowledge whatsoever were able to “hack” their way into their parents’ computer simply by mashing random keys on the keyboard and clicking like there’s no tomorrow.
Clement Lefebvre, the man behind Linux Mint, commented on the issue. He reported that this vulnerability affects all Linux distributions running the Cinnamon desktop environment, specifically version 4.2 and up, as well as any software that uses libcaribou (an on-screen keyboard library). Clement goes on to clarify that the crash is caused by pressing “ē” (by clicking and holding on the “e” key) on the on-screen keyboard. Clement mentions that this is a “high priority bug”, and that a fix should be expected soon. As of writing this post, that comment was made 13 days ago. Until a fix is implemented, keep your kids away from your keyboard and mouse, or anyone for that matter.
Sources included in this post can be found at:
https://dayzerosec.com/posts/episode-60
https://googleprojectzero.blogspot.com/
https://github.com/linuxmint/cinnamon-screensaver/issues/354