“A researcher at the Defense in Depth blog has discovered a flaw in Apple’s recently released operating system, OS X 10.7 (Lion), which allows passwords to be changed without knowledge of the logged in user’s password,” Chester Wisniewski reports for Sophos.
“The flaw appears related to Apple’s move towards a local directory service which has permissions set in an insecure manner,” Wisniewski reports. “An attacker who has access to a logged in Mac (locally, over VNC/RDC, SSH, etc) is able to change the currently logged in user’s password without knowing the existing password as would normally be required.”
“Not only can a logged in user change their password without knowledge of the existing password, but you can read any other user’s password hash and make attempts at brute forcing it,” Wisniewski reports. “This is another great reason to be sure you have secured your Mac properly until Apple makes a fix available.”
Taking the following steps will help ensure you are protected:
• Use a secure password to prevent brute force attacks against your account using stolen hashes.
• Enable the screensaver and set it to prompt you for your password.
• Disable automatic logon.
• Never leave your Mac logged in and unattended. Use a “Hot Corner” or the Keychain lock to lock your screen.
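The following audit script is an added example, not part of the Sophos post or the original article: it checks two of the settings above (automatic login off, screensaver prompting for a password) on a Mac. It assumes the preference keys `autoLoginUser` in `/Library/Preferences/com.apple.loginwindow` and `askForPassword` in `com.apple.screensaver`, and the plain-value output format of `defaults read`.

```shell
#!/bin/sh
# Added example (not from the original article). Assumed preference keys:
#   /Library/Preferences/com.apple.loginwindow autoLoginUser  (absent when off)
#   com.apple.screensaver askForPassword                       ("1" when on)

# Auto-login is disabled when the autoLoginUser value is empty/absent.
autologin_disabled() {
  [ -z "$1" ]
}

# The screensaver locks the screen when askForPassword reads "1".
screensaver_locks() {
  [ "$1" = "1" ]
}

# Read the live values with `defaults read` and report each check.
# Returns 0 when both checks pass, 1 otherwise.
audit_mac() {
  user=$(defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser 2>/dev/null)
  ask=$(defaults read com.apple.screensaver askForPassword 2>/dev/null)
  rc=0
  if autologin_disabled "$user"; then
    echo "OK:   automatic login is disabled"
  else
    echo "WARN: automatic login is enabled for '$user'"
    rc=1
  fi
  if screensaver_locks "$ask"; then
    echo "OK:   screensaver prompts for a password"
  else
    echo "WARN: screensaver does not prompt for a password"
    rc=1
  fi
  return $rc
}

# Only query the live settings on macOS; the helper functions work anywhere.
case "$(uname)" in
  Darwin) audit_mac ;;
esac
```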
Read more in the full article here.