Mac OS X Lion flaw could see hackers changing passwords

Password hash can be seen by non-privileged users

A flaw in Apple's Mac OS X Lion could allow hackers to change passwords, say security researchers.

According to the Defense in Depth blog, the operating system stores passwords in shadow files, which can only be accessed by a high-privilege user such as an administrator. However, unlike previous versions of Mac OS X, Lion gives non-privileged users the ability to view the password hash. Hackers could then change the passwords themselves, as the "Directory Services in Lion no longer requires authentication when requesting a password change for the current user".

"Due to Lion's relatively short time on the market, I am yet to find any of the major crackers supporting OS X Lion hashes," said Patrick Dunstan on the blog, adding that hackers don't need to "crack hashes when you can just change the password directly!"

"Whilst the ability to change the currently active user's password is not a privilege escalation flaw per se, it can under some circumstances be used for these purposes."

According to Chester Wisniewski from security firm Sophos (www.sophos.co.uk), the flaw is particularly dangerous for those using Apple's new FileVault 2 disk encryption.

"If your Mac were left unlocked and someone changed your password you would no longer be able to boot your computer and potentially would lose access to all of your data," he said on a blog.

Wisniewski advised those affected to disable automatic log-on and never leave a machine logged in and unattended. Mac OS X Lion users should also use the Keychain lock to secure a screen and enable the screensaver, setting it to prompt users for a password.

