
Mac OS X Lion flaw could see hackers changing passwords

Password hash can be seen by non-privileged users

A flaw in Apple's Mac OS X Lion could allow hackers to change passwords, say security researchers.

According to the Defence in Depth blog, the operating system stores password hashes in shadow files, which can only be accessed by a high-privilege user such as an administrator. However, unlike previous versions of Mac OS X, Lion lets non-privileged users view the password hash. Hackers could then go on to change the passwords themselves, because "Directory Services in Lion no longer requires authentication when requesting a password change for the current user".

"Due to Lion's relatively short time on the market, I am yet to find any of the major crackers supporting OS X Lion hashes," said Patrick Dunstan on the blog, adding that hackers don't need to "crack hashes when you can just change the password directly!"

"Whilst the ability to change the currently active user's password is not a privilege escalation flaw per se, it can under some circumstances be used for these purposes."

According to Chester Wisniewski from security firm Sophos (www.sophos.co.uk), the flaw is particularly dangerous for those using Apple's new FileVault 2 disk encryption.

"If your Mac were left unlocked and someone changed your password you would no longer be able to boot your computer and potentially would lose access to all of your data," he said on a blog.

Wisniewski advised those affected to disable automatic log-on and never to leave a machine logged in and unattended. Mac OS X Lion users should also use the Keychain lock to lock the screen, and enable the screensaver, setting it to prompt for a password.
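As an added example, not from the article or from the researchers it quotes, the script below audits the two settings Wisniewski's advice depends on: whether automatic login is enabled and whether the screensaver demands a password. The preference keys it reads (`autoLoginUser` in `/Library/Preferences/com.apple.loginwindow`, and `askForPassword` and `askForPasswordDelay` in `com.apple.screensaver`) are assumptions about the OS X defaults database and are not mentioned in the article; the evaluation logic is kept in a separate function so it can be exercised with constructed values on any system.

```sh
#!/bin/sh
# Added audit example (not from the article or the researchers it quotes).
# Checks the two settings the article's mitigations rely on. The preference
# keys below are assumptions about the OS X defaults database, not taken
# from the article:
#   /Library/Preferences/com.apple.loginwindow autoLoginUser
#       (key present => automatic login is enabled for that user)
#   com.apple.screensaver askForPassword
#       (1 => a password is required to dismiss the screensaver)
#   com.apple.screensaver askForPasswordDelay
#       (seconds of grace before the password is demanded)

# evaluate_settings AUTOLOGIN_USER ASK_FOR_PASSWORD DELAY
# Prints one finding per line and returns 0 only when both mitigations hold.
evaluate_settings() {
    autologin="$1"
    ask="$2"
    delay="$3"
    rc=0

    if [ -n "$autologin" ]; then
        echo "FAIL: automatic login is enabled for user '$autologin'"
        rc=1
    else
        echo "OK:   automatic login is disabled"
    fi

    if [ "$ask" = "1" ]; then
        echo "OK:   screensaver requires a password (delay: ${delay:-0}s)"
    else
        echo "FAIL: screensaver does not require a password (askForPassword=${ask:-unset})"
        rc=1
    fi

    return "$rc"
}

# audit_live_mac: reads the real values with `defaults` when run on a Mac.
audit_live_mac() {
    al=$(defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser 2>/dev/null)
    ask=$(defaults read com.apple.screensaver askForPassword 2>/dev/null)
    delay=$(defaults read com.apple.screensaver askForPasswordDelay 2>/dev/null)
    evaluate_settings "$al" "$ask" "$delay"
}

if command -v defaults >/dev/null 2>&1; then
    audit_live_mac || echo "Audit found settings that leave the machine exposed."
else
    # Constructed sample values standing in for a Mac with auto-login on and
    # no screensaver password, so the script demonstrates its output anywhere.
    evaluate_settings "alice" "0" "" || echo "Audit found settings that leave the machine exposed."
fi
```

Run it as an administrator on the Mac being checked; a non-zero exit status means at least one of the two mitigations is missing. An unlocked, auto-login Mac is exactly the situation in which the password-change weakness described above becomes a data-loss problem under FileVault 2.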
