
Mac OS X Lion flaw could see hackers changing passwords

Password hash can be seen by non-privileged users

A flaw in Apple's Mac OS X Lion could allow hackers to change passwords, say security researchers.

According to the Defense in Depth blog, the operating system stores passwords in shadow files, which can only be accessed by a high-privilege user such as an administrator. However, unlike previous versions of Mac OS X, Lion gives non-privileged users the ability to view the password hash. Hackers could also change the passwords themselves, as the "Directory Services in Lion no longer requires authentication when requesting a password change for the current user".

"Due to Lion's relatively short time on the market, I am yet to find any of the major crackers supporting OS X Lion hashes," said Patrick Dunstan on the blog, adding that hackers don't need to "crack hashes when you can just change the password directly!"

"Whilst the ability to change the currently active user's password is not a privilege escalation flaw per se, it can under some circumstances be used for these purposes."

According to Chester Wisniewski from security firm Sophos (www.sophos.co.uk), the flaw is particularly dangerous for those using Apple's new FileVault 2 disk encryption.

"If your Mac were left unlocked and someone changed your password you would no longer be able to boot your computer and potentially would lose access to all of your data," he said on a blog.

Wisniewski advised those affected to disable automatic log-on and never leave a machine logged in and unattended. Mac OS X Lion users should also use the Keychain lock to secure the screen and enable the screensaver, setting it to prompt users for a password.

