Security Flaw in Folding@Home screensaver

The Folding@home distributed processing screen saver which works through Mac OS X's Screen Effects, has a potentially serious security flaw that bypasses the screen saver password.

MacFixIt reader Jonathan Greenberg writes:

"After the screen saver engages and I've enabled password protection, moving the mouse flashes the password dialog for a split second and then I'm back to my desktop (e.g. the password protection does not work). Oddly, if I activate the screen saver via a hot corner, the password protection works as usual."

In-house testing showed that we could simply press "Cancel" on the password prompt, then click repeatedly in the background, and the desktop appeared as normal.

So if any measure of your system security relies on screen saver password protection (which has other already documented security flaws), do not use the Folding@Home client.

Feedback? Drop us a line at late-breakers@macfixit.com.

Resources