Login Spoofing

From Whonix



It is possible for malware to masquerade as a login prompt in order to steal login passwords. This attack presupposes an advanced threat model:

  1. A system is configured with a limited user (user "user") which runs a graphical X Window System session and is distinct from the user holding root/sudo permissions (user "admin").
  2. The limited user is compromised at some point by malware.

Note: If there is only one user account which also has sudo/su access, malware can sniff the administrative password and it is unnecessary to utilize an advanced login spoofing attack.

Security Benefit of Compartmentalization

Under many threat models the compromise of the limited user account is considered catastrophic, since running malware:

  • has full access to all user-accessible files
  • can view all keyboard inputs and take over login sessions
  • may present false information on the screen
  • can perform other malicious actions, see: The Importance of a Malware Free System

However, if multiple (virtual) machines are used for compartmentalization, the harmful impact of malware might not be catastrophic. This configuration also has other goals: preventing a root compromise helps protect the virtualizer and avoid a host compromise, and likewise helps avoid a hardware compromise. This is further elaborated in the rationale section of the Safely Use Root Commands wiki chapter.

A broken X Window System can block switching to a virtual console. It logically follows that malware which has compromised the X Window System can do the same. In this case the SysRq + r combination takes control away from the X Window System. [1] This is the safer procedure: otherwise a compromised X Window System could simply simulate a virtual console login prompt in order to sniff the password of an account with root access (see login spoofing on Wikipedia).

SysRq + k (Secure Access Key) can be used to defeat login spoofing because it will terminate all programs on that virtual console.

Quote from the Linux kernel documentation:

SAK (Secure Access Key) is useful when you want to be sure there is no trojan program running at the console which could grab your password when you try to log in. It will kill all programs on the given console, thus letting you make sure that the login prompt you see is actually the one from init, not some trojan program.

Quote from the Linux kernel Secure Attention Key documentation:

An operating system's Secure Attention Key is a security tool which is provided as protection against trojan password capturing programs. It is an undefeatable way of killing all programs which could be masquerading as login applications. Users need to be taught to enter this key sequence before they log in to the system.
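SysRq + k and SysRq + r only help if the kernel actually honours the keyboard-control SysRq functions, which is governed by the bitmask in /proc/sys/kernel/sysrq (0 disables SysRq, 1 enables everything, and otherwise the value 4 enables "control of keyboard (SAK, unraw)", as documented in the kernel's admin-guide). The following POSIX shell script is an added example, not part of the Whonix page or project: it decodes such a value and reports whether SAK/unraw is usable, so an administrator can verify the setting before relying on the key combination.

```shell
#!/bin/sh
# Added example (not from the Whonix page): decide from the value of
# /proc/sys/kernel/sysrq whether the SAK (SysRq+k) and unraw (SysRq+r)
# functions are permitted. Semantics follow Documentation/admin-guide/sysrq.rst:
#   0 = SysRq disabled entirely
#   1 = all SysRq functions enabled
#   otherwise a bitmask, where bit value 4 = "control of keyboard (SAK, unraw)"

# sysrq_keyboard_enabled VALUE
#   prints "yes" (exit 0), "no" (exit 1) or "invalid" (exit 2)
sysrq_keyboard_enabled() {
    v="$1"
    case "$v" in
        ''|*[!0-9]*) echo "invalid"; return 2 ;;
    esac
    if [ "$v" -eq 1 ]; then
        echo yes; return 0            # 1 means everything is enabled
    fi
    if [ $(( v & 4 )) -ne 0 ]; then
        echo yes; return 0            # keyboard-control bit set in the mask
    fi
    echo no; return 1                 # 0, or a mask without bit 4
}

# Read the live setting if this is a Linux host with the sysctl exposed.
check_live_sysrq() {
    if [ -r /proc/sys/kernel/sysrq ]; then
        cur=$(cat /proc/sys/kernel/sysrq)
        printf 'kernel.sysrq = %s, SAK/unraw usable: %s\n' \
            "$cur" "$(sysrq_keyboard_enabled "$cur")"
    else
        echo "/proc/sys/kernel/sysrq not present (not a Linux host?)"
    fi
}

# Usage: source this file and run check_live_sysrq, or call
# sysrq_keyboard_enabled on a value read from sysctl/kernel.sysrq.
```

A common distribution default of 176 (sync, remount read-only, reboot) reports "no": on such a system SysRq + k does nothing, and the expectation that the login prompt is trustworthy after pressing it is wrong until the value is changed (for example via sysctl to 1, or to a mask that includes 4).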

Taking steps to defeat login spoofing probably only makes sense when also performing actions to Prevent Malware from Sniffing the Root Password.

See Also


  1. This is because the Linux kernel removes control of the X Window System from the console. The Linux kernel has higher privileges than the X Window System.
