A flaw in Mac OS X Lion allows hackers to reset passwords without knowing the existing one, thanks to insecure permissions.
Security blogger Patrick Dunstan first uncovered the problem. Password hashes are stored in so-called shadow files, which are supposed to be readable only with the right privileges – except that Lion lets any local user retrieve the hashes anyway, via Directory Services.
“Whilst non-root users are unable to access the shadow files directly, Lion actually provides non-root users the ability to still view password hash data. This is accomplished by extracting the data straight from Directory Services,” says Dunstan.
“It appears Directory Services in Lion no longer requires authentication when requesting a password change for the current user. So, in order to change the password of the currently logged in user, simply use: $ dscl localhost -passwd /Search/Users/bob and voilà! You will be prompted to enter a new password without the need to authenticate.”
It’s only a problem for users who share their machine with others, as the flaw can only be exploited by someone who has local access to the computer and Directory Service access.
“This is particularly dangerous if you are using Apple’s new FileVault 2 disk encryption,” says Chester Wisniewski of security firm Sophos.
“If your Mac were left unlocked and someone changed your password you would no longer be able to boot your computer and potentially would lose access to all of your data.”
He says he’s been able to confirm with testers of the next version, OS X 10.7.2, that the flaw still exists in test builds. Presumably Apple’s working on an update.