Flaw allows any OS X Lion system to be compromised with easy-to-perform password hack

“A researcher at the Defense in Depth blog has discovered a flaw in Apple’s recently released operating system, OS X 10.7 (Lion), which allows passwords to be changed without knowledge of the logged in user’s password,” Chester Wisniewski reports for Sophos.

“The flaw appears related to Apple’s move towards a local directory service which has permissions set in an insecure manner,” Wisniewski reports. “An attacker who has access to a logged in Mac (locally, over VNC/RDC, SSH, etc) is able to change the currently logged in user’s password without knowing the existing password as would normally be required.”

“Not only can a logged in user change their password without knowledge of the existing password, but you can read any other users password hash and make attempts at brute forcing it,” Wisniewski reports. “This is another great reason to be sure you have secured your Mac properly until Apple makes a fix available.”

Taking the following steps will help ensure you are protected:
• Use a secure password to prevent brute force attacks against your account using stolen hashes.
• Enable the screensaver and set it to prompt you for your password.
• Disable automatic logon.
• Never leave your Mac logged in and unattended. Use a “Hot Corner” or the Keychain lock to lock your screen.

Read more in the full article here.


    1. Well, you can if you remotely log in to the machine. But that would require such access to be enabled, and the hacker would have to know the current password to log in.

      I guess if you have remote access enabled, and log in remotely, and get up and leave the console while you’re logged in, it would be a problem. But how likely is that?


    2. Yes you are correct. It requires physical access (unless you have you machine specially configured to allow remote access via ssh)
      This is a typical “flaw in OSX security!!!!” non issue, as physical access (or a series of “special configurations” is required.)

  1. This has been pretty much shot down on the original Blog where it started… the poster was using an ADMINISTRATOR account to do the password changing, something an admin account is supposed to be able to do!

    Everyone who tried to change a password from a standard user account FAILED with the system requiring the user to input the user’s original password.

    And, yes, you could see the system hash files for the user passwords, but that does NOT mean a hacker can derive the passwords from the hash files. That is another problem completely.

    This is a tempest in a teapot. The guy who posted found the system was doing what it was DESIGNED to do and the confabulated the fact that an ADMINISTRATOR USER could change user passwords, something admins could do to administer accounts, and then incorrectly confabulated that fact to ALL user accounts. It ain’t happening… as the comments on Defence in Depth show.

  2. An exploit discovered in media competency has been discovered, allowing hacks to re-publicize their well disproven security flaws. The flaw requires a hack to be logged into soft headed journalists and idiotic bloggers.

  3. “Taking the following steps will help ensure you are protected: . . .”

    This 5 point list is actually as old as Mac OS 9, when Apple began providing ALL of these features.

    If you’re not already following the list by now, someone very ignorant taught you about computer security. It damned well wasn’t me! If you’d like some help, you might find my blog useful:

    Mac-Security Blog

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.