Unexpected window focus stealing - exploitable?

Today I encountered an unexpected behavior of the window focusing logic.

I am no security expert, but it made me wonder if one could craft some kind of secret extraction exploit from this as it is really unintuitive.

TL;DR

A window opened in the background while the focus is on a dom0 VM selection dialog (like the one opened when running qvm-copy) will automatically obtain focus after the dialog is closed, even if a separate distinct VM had the focus before.

prerequisite

I tweaked the window manager settings not to give focus to newly created windows (Start menu > Gear Icon > “System Settings” > “Window Manager” > “Focus” > “New window focus” > “Automatically give focus to newly created windows”).

For me this is crucial as I often type in sensitive information whilst already opening new qubes for later tasks.
Without this feature I would unintentionally type the sensitive information into new qubes that have been auto-focused (imho preventing focus for new windows should be the default setting).

steps to reproduce

  1. Create 2 AppVMs, both based on fedora-40-minimal: AA-TEST-focus-steal and AA-TEST-focus-stolen.
    The focus stealing should work with any window, even a dom0 terminal.
    AA-TEST-focus-steal is the VM that obtains the focus, AA-TEST-focus-stolen is the VM that initially has the focus and loses it.
  2. In AA-TEST-focus-steal execute sleep 10 && xterm.
  3. Within the next 10 seconds, in AA-TEST-focus-stolen execute qvm-copy /home/user/.bashrc (some command opening a dom0 VM selection dialog).
  4. Wait for the xterm command from step 2 to be opened.
  5. Close the selection dialog (press cancel or select a VM, does not matter).
  6. Now your focus is in the newly opened xterm of AA-TEST-focus-steal, although it was on AA-TEST-focus-stolen before opening the selection dialog.

For me, muscle memory forced me to automatically type in exit as what I was doing was a daily routine including copying a file and closing the terminal immediately after.
The fact that I closed the wrong terminal left me confused for a couple of seconds.
If I had typed in something more sensitive I would have leaked this information into another VM.

Of course better caution about focus can prevent such an information leakage, but is this actually expected behavior or a bug?

speculation about the cause

I am not a GUI developer, but here is my two cents:

I suspect that this is not incorrect behavior of the window stack itself (when closing a window, the one below is focused), but maybe the newly opened AA-TEST-focus-steal window is inserted at the wrong position?
In my opinion it should be inserted beneath the AA-TEST-focus-stolen window that caused the dom0 selection dialog, but it seems to be inserted above it and directly below the selection dialog.

What the window stack looks like:

[dom0 selection dialog] <--.
      |                    |
      |focuses on close    |
      V                    |
[AA-TEST-focus-steal]      |"opens"
      |                    |
      |focuses on close    |
      V                    |
[AA-TEST-focus-stolen] ----`

What I expected it to look like:

[dom0 selection dialog] <--.
      |                    |
      |focuses on close    |"opens"
      V                    |
[AA-TEST-focus-stolen] ----`
      |
      |focuses on close
      V
[AA-TEST-focus-steal]
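
The two stack diagrams above as an added example (not part of the original post and not the window manager's own code): a small Python model that replays reproduction steps 2 to 5 under the observed and the expected insertion position and checks whether closing the dialog hands focus to a different qube. The class, function and policy names are hypothetical, and the "focus the next window down on close" rule is the poster's assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Window:
    title: str
    qube: str  # owning domain, e.g. "dom0" or an AppVM name


class FocusStack:
    """Assumed model: index 0 holds focus; on close the next window down gets it."""

    def __init__(self, policy):
        # "observed": an unfocused new window lands directly below the focused one.
        # "expected": it lands one level deeper, below the next-in-line window.
        self.depth = 1 if policy == "observed" else 2
        self.stack = []

    def open_focused(self, win):
        """Open a window that takes focus (e.g. the dom0 selection dialog)."""
        self.stack.insert(0, win)

    def open_unfocused(self, win):
        """Open a window while 'give focus to new windows' is disabled."""
        self.stack.insert(min(self.depth, len(self.stack)), win)

    def close_focused(self):
        """Close the focused window and return the one that inherits focus."""
        self.stack.pop(0)
        return self.stack[0] if self.stack else None


def replay(policy):
    """Replay steps 2-5; return (qube focused before dialog, qube focused after)."""
    wm = FocusStack(policy)
    wm.open_focused(Window("terminal", "AA-TEST-focus-stolen"))
    before = wm.stack[0].qube
    wm.open_focused(Window("VM selection dialog", "dom0"))   # step 3
    wm.open_unfocused(Window("xterm", "AA-TEST-focus-steal"))  # step 4
    after = wm.close_focused().qube                           # step 5
    return before, after


def crosses_qube(before, after):
    """True when closing the dialog moved keyboard focus into another qube."""
    return before != after


if __name__ == "__main__":
    for policy in ("observed", "expected"):
        before, after = replay(policy)
        print(policy, before, "->", after, "cross-qube:", crosses_qube(before, after))
```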

I think it’s a bug and should be fixed.
You should report this on github if you have an account there because devs can miss this forum topic but they won’t miss the github issue:


I do not have a github.com account atm, creating one is not possible for me, I tried.

For anyone who is able to access github and is willing to report this issue, feel free to do so.