As a side note, a similar attack can be done with gksu/gksudo. It would be trivial to write a program that waits for gksudo to be run and then closed, and then runs `gksudo -p -m "Sorry, incorrect password. Please try again:" > /tmp/func.txt`. The user would then enter his or her password again and the attacker would now have the administrative password.
Several steps could be taken to prevent such an attack:
1) Gksudo should ONLY be used for system passwords. There should be no '-p' option.
2) Gksudo should ALWAYS include the command being executed in the password dialog (even if in a small font).
3) X should have some countermeasure against spoofed authentication windows.
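As an added detection example (not part of the original comment, and not gksu project code), the following scanner walks process command lines of the kind an audit or process-monitoring tool records and flags the pattern described above: gksudo invoked with `-p` (password printed to stdout rather than used for sudo) and, in the spoofed-retry case, a caller-chosen `-m` message. The sample command lines are constructed; the long option names `--print-pass` and `--message` are assumed from the gksu manual, and only separate short flags (not bundled forms like `-pm`) are recognised.

```python
import shlex

# Constructed sample of process command lines, as an audit log or
# process monitor would record them (hypothetical, for illustration).
SAMPLE_CMDLINES = [
    "gksudo synaptic",
    'gksudo -p -m "Sorry, incorrect password. Please try again:" > /tmp/func.txt',
    "gksudo --print-pass --message 'Authentication failed' true",
    "gksudo -m 'Run package manager' synaptic",
]

PRINT_PASS_FLAGS = {"-p", "--print-pass"}   # password echoed to stdout
MESSAGE_FLAGS = {"-m", "--message"}         # caller-supplied dialog text


def analyse_gksudo(cmdline: str) -> dict:
    """Classify one command line for the gksudo password-capture pattern.

    suspicious is True whenever -p is present: the plaintext password then
    leaves the dialog and goes wherever stdout points (a file, a pipe).
    custom_message records whether -m was also used, which is what lets a
    capturing program disguise its prompt as a "try again" dialog.
    """
    tokens = shlex.split(cmdline)
    # Stop at the first shell redirection so only gksudo's own argv remains.
    argv = []
    for tok in tokens:
        if tok.startswith(">"):
            break
        argv.append(tok)
    result = {"is_gksudo": False, "print_pass": False,
              "custom_message": False, "suspicious": False}
    if not argv or argv[0].rsplit("/", 1)[-1] not in ("gksudo", "gksu"):
        return result
    opts = argv[1:]
    result["is_gksudo"] = True
    result["print_pass"] = any(a in PRINT_PASS_FLAGS for a in opts)
    result["custom_message"] = any(
        a in MESSAGE_FLAGS or a.startswith("--message=") for a in opts)
    result["suspicious"] = result["print_pass"]
    return result


def find_suspicious(cmdlines):
    """Return the command lines that should be alerted on."""
    return [c for c in cmdlines if analyse_gksudo(c)["suspicious"]]


if __name__ == "__main__":
    for line in find_suspicious(SAMPLE_CMDLINES):
        print("ALERT:", line, analyse_gksudo(line))
```

A plain `gksudo -m '...' command` is not flagged, since without `-p` the password is consumed by sudo rather than exposed; countermeasure 1 above would make the `-p` case impossible outright.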