Hi,
Typing this email now in thunderbird, and watching every single keystroke being logged from an open X terminal. 
How could I not known about this?
I've only ever played with xev but the application window must have a least some focus (sloppy for mouse, selected for keyboard).  Not only is xinput more useful than xev, but also more revealing to how vulnerable X can be to ones favorite and "trusted" X applications.

I came across this while browsing unanswered questions in unix.stackexchange.com.  (can't find it right now).

Surely this is not true;

"Any X window application can log all device inputs regardless of what X window application has focus"

But thats not all that is possible.  Anyhow I had to try it out for myself...

> apt-get install xinput

> xinput list

> xinput test <id of device>

Xinput logs absolutely everything, anywhere. Regardless.  Even an X application that opens as a different user (xauth).

Do I trust any and all of the x applications I run? Thanks for the software, but I don't sorry.  I'm not impressed by this at all and I'm ashamed I never new about it. I honestly thought there was some level of isolation, but there appears to be none.

http://theinvisiblethings.blogspot.com.au/2011/04/linux-security-circus-on-gui-isolation.html

A rather heavy alternative using xen virtualisation (apps run in different "zones")

http://qubes-os.org

Remember this has nothing to do with xauth or xhost. This is a feature of a single displayed instance of X. Login to your bank, paypal, su as root, whatever and hope xeyes isn't logging your keystokes or run xinput and watch it for yourself.

Something to think about.

Regards,
Julian.