Closed Bug 1265319 Opened 4 years ago Closed 4 years ago

Possible to circumvent lockscreen by swiping it away before it is visible


(Firefox OS Graveyard :: Gaia::System::Lockscreen, defect)

Gonk (Firefox OS)
Not set


(Not tracked)



(Reporter: listenleser, Unassigned)


First of all, I know that this report isn't ideal, but alas, I can't do better. This happened to me only once on a Alcatel Onetouch Fire E with FFOS 2.0. I can't reliably reproduce, and I can't test whether this bug still exists in current versions (as you can't test it in a simulator, and I don't have a device with a newer version).

Steps to reproduce:
1. Make sure you have the lockscreen with a passcode enabled.
2. Switch your phone off and on again (probably restart will also work).
3. Wait until the booting is nearly finished (On my phone there are 3 different phases, first "Alcatel Onetouch Fire E" is shown, than the fox with burning tail, and finally the FFOS logo. Wait until this last phase).
4. Swipe right (like you would do to disable the lockscreen).
5. Swipe down (like you would do to open the status bar).
6. Wait until booting finishes.

The lockscreen should show, and ignore any swiping that happened before it was visible.

Once the above steps caused the home screen to show up, with the status bar open (I don't know whether I could have omitted step 5, and still got into the home screen). So I could use the phone without entering the passcode.

Most of the time the above steps cause the lockscreen to appear, but with open status bar (note that normally, you can't open the status bar when the lockscreen is visible). This allows access to the quick settings without the passcode. Note that it does not give access to all settings, you can tap the symbol, but the app will open behind the lockscreen, so it is save.
Christiane, does this look like something related to bug 1188934? The triage team is wondering if this is a duplicate or a new issue.
Flags: needinfo?(cr)
Yes, you are correct: this is a duplicate of bug 1173284 (tracking bug 1189314). It was fixed in 2.5 and backports were issued for 2.1 and 2.2, but the decision was made to not backport to 2.0.

I am marking this as duplicate.
Closed: 4 years ago
Flags: needinfo?(cr)
Resolution: --- → DUPLICATE
Duplicate of bug: CVE-2015-8511
Group: b2g-core-security
You need to log in before you can comment on or make changes to this bug.