Suppose a desktop OS has a lock screen and fades and locks after inactivity. Suppose the default appearance and inactivity duration are well known (e.g. consider a default installation of some popular version of Linux). Is there something I'm missing that prevents the following attack?
- Create a webpage which entices the user to view it at full screen for some time without input (e.g. a video player).
- Shortly before the inactivity timer fires, mimic the fading screen and login prompt.
- User attempts to log in as usual, providing their credentials to the webpage (additionally the user input resets the real inactivity timer).
The fake lock screen could probably not prevent the user from reaching the real lock screen via a keyboard shortcut (e.g. Ctrl-Alt-L). However, if the user believes they are already at the lock screen, there is no reason for them to do this.
Background: My employer recently deployed a custom lock screen. I and others (who missed the announcement) were suspicious of an unfamiliar password prompt. It was suggested the concern is unfounded because changing the lock screen already requires significant privileges. However, I don't see how this rules out the possibility of a user-space program faking a lock screen (admittedly the appearance was significantly different, so if it were an attempted imitation it would be a poor one).