A security research firm claims to have discovered a serious flaw in Apple’s latest Mac OS X operating system which allows attackers to change your system password without any knowledge of its existing password. One researcher says that a change to Lion’s authentication system has somehow allowed non-root users to view password hash data.
Chester Wisniewski revealed in a post on the company’s Naked Security blog that Apple’s decision to use a local directory service in OS X Lion has left permissions insecure:
“An attacker who has access to a logged-in Mac (locally, over VNC/RDC, SSH, etc) is able to change the currently logged-in user’s password without knowing the existing password as would normally be required. Historically (in Snow Leopard) you would have needed to enter your existing password first to verify that you in fact are the account holder.”
“Not only can a logged-in user change their password without knowledge of the existing password, but you can read any other user’s password hash and make attempts at brute forcing it. This is particularly dangerous if you are using Apple’s new FileVault 2 disk encryption. If your Mac were left unlocked and someone changed your password you would no longer be able to boot your computer and potentially would lose access to all of your data.”
Wisniewski said the flaw also allows attackers to change the passwords for other users, too.
Lion users will be hoping that Apple issues a fix for the security flaw imminently, but in the current OS X 10.7.2 beta, the flaw is still present, according to Wisniewski. It’s worth remembering, however, that in order for your Mac to be vulnerable, attackers must already have access to your system. As long as you can take precautions to prevent this, you shouldn’t face any problems.
Wisniewski recommends using a strong password to resist brute force attacks, ensuring your Mac requires a password to wake from the screensaver, disabling automatic login, and using a ‘Hot Corner’ or Keychain lock to secure your screen.
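A small audit script for the settings recommended above, added here as an example (it is not code from the original article or from Sophos). It assumes the Lion-era preference keys that Apple’s `defaults` tool exposes: `com.apple.screensaver askForPassword`/`askForPasswordDelay`, `com.apple.loginwindow autoLoginUser`, and the `com.apple.dock wvous-*-corner` Hot Corner keys, where value 5 means “Start Screen Saver”; the evaluation helpers are kept separate so they can be checked without a Mac.

```shell
# Audit of the screensaver, auto-login and Hot Corner settings recommended
# above. Added example, not from the original article or Sophos. Assumes the
# Lion-era keys read by Apple's `defaults` tool (askForPassword,
# askForPasswordDelay, autoLoginUser, wvous-*-corner with 5 = Start Screen Saver).

# 0 when the screensaver asks for a password within 5 seconds of starting.
# Args: askForPassword (0/1), askForPasswordDelay (seconds).
screen_lock_ok() {
    ask="${1:-0}"
    delay="${2:-0}"
    [ "$ask" = "1" ] || return 1
    [ "${delay%.*}" -le 5 ] 2>/dev/null || return 1
}

# 0 when no account is set to log in automatically. Arg: autoLoginUser value.
autologin_ok() {
    [ -z "${1:-}" ]
}

# 0 when at least one of the four corner values starts the screensaver (5).
hot_corner_ok() {
    for v in "$@"; do
        [ "$v" = "5" ] && return 0
    done
    return 1
}

# Read one key, printing nothing (instead of an error) when it is unset.
read_default() {
    defaults read "$1" "$2" 2>/dev/null || true
}

audit() {
    ask=$(read_default com.apple.screensaver askForPassword)
    delay=$(read_default com.apple.screensaver askForPasswordDelay)
    if screen_lock_ok "$ask" "$delay"; then echo "PASS screensaver requires password"
    else echo "FAIL screensaver does not require a password promptly"; fi
    auto=$(read_default /Library/Preferences/com.apple.loginwindow autoLoginUser)
    if autologin_ok "$auto"; then echo "PASS automatic login disabled"
    else echo "FAIL automatic login enabled for: $auto"; fi
    corners=""
    for c in tl tr bl br; do
        corners="$corners $(read_default com.apple.dock wvous-$c-corner)"
    done
    if hot_corner_ok $corners; then echo "PASS a Hot Corner starts the screensaver"
    else echo "WARN no Hot Corner starts the screensaver"; fi
}

# Run the live audit only where `defaults` exists (a Mac); helpers work anywhere.
if command -v defaults >/dev/null 2>&1; then audit; fi
```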