Screen Sharing should offer support for securing keyboard input

Originator:jalkut
Number:rdar://19189946 Date Originated:12/9/2014
Status:Open Resolved:
Product:OS X Product Version:10.10.1
Classification:Security Reproducible:Always
 
Summary:
Currently a nefarious process on Mac OS X can use CGEventTap to obtain access to all the typing made by a user to a Screen Sharing session. This means that such a process can observe even the typing that goes into a text field that is being "secured" on the other system. Users would reasonably assume this information is being secured unless they have a good understanding of the abstraction between the remote system and the local system.

I think it would make sense for Screen Sharing to support a similar option to Terminal.app's "Secure Keyboard Entry," and that perhaps it should be enabled by default. Because the events being entered into a remote screen sharing session are by definition more pertinent to the remote session, I don't think there is a great risk of interfering with valuable event-tapping mechanisms by securing input by default.

Steps to Reproduce:


Expected Results:


Actual Results:


Version:
10.10.1 (14B25)

Notes:


Configuration:


Attachments:

Comments


Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at bugreport.apple.com before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!