Security Concerns with X11 Forwarding

The implication of X11 forwarding is that it opens a channel from the server back to the client. In a simple SSH session, the client is more trusted than the server: anyone in control of the client can run commands on the server (assuming shell access), but the converse is not true. With X11 forwarding, the server is likely to gain shell access to the client.

In a text session, there is a limited channel from the server back to the client: the server determines the output that is displayed on the client, and can in particular try to exploit escape sequences in the terminal running on the client,

In an X11 session, the server can send X11 commands back to the client. X11 was not designed with security in mind, it was designed with the idea that all programs that you're displaying are run by you and hence trusted anyway. By default, SSH subjects commands from the server to restrictions through the X11 SECURITY extension. The SECURITY extension disables some obvious attacks such as keyboard grabs and key injection, but allows others like focus stealing.

Let's say I open a SSH connection to someserver, with X11 forwarding enabled. The primary risk is that if someserver is malicious, then someserver can do all sorts of nasty stuff to the windows/applications I have open on my own computer.

For instance, someserver can open up windows on my computer, can close other windows I have open, can spy on the contents of other windows I have open, can spy on the keys I type into other windows, can inject spoofed keystrokes and mouse events into other windows I have open, and generally just mess with every other window I have open on my machine -- even if some of those other windows are local applications running locally.