Mac OS X Lion Password Flaw Lets Hackers Make Changes With Ease

09/20/2011 09:31 am ET | Updated Nov 20, 2011
  • Jason Gilbert The Huffington Post

If you were one of the millions to download Mac OS X Lion, your system password might not be as safe as it should be.

According to the information security blog Defence in Depth, a major oversight in Lion allows any user on your machine (not just the administrator) to easily access and change your password. In Lion (and on all Mac OS's) passwords are kept encrypted in "shadow files," which are located in folders that should only be accessible by the administrator. Because of a security flaw in Lion, however, these files can be accessed by any user on the machine. The user can then extract the encoded password, run it through a fairly easy-to-find hacking program and decode the password, all according to Defence in Depth.

Perhaps even more dangerous is the discovery that any user can change the system administrator's password without any programs at all. The user (again, not the administrator, just any user who is physically using the machine) can enter a simple command into the Terminal app, which allows that user to successfully change the administrator's password. For a full explanation of how this works and the actual command line prompt, visit CNet's coverage of the security flaw; for a technical proof of the flaw, visit Defence in Depth.

CNet has offered 4 steps that the system administrator should take to avoid having their password stolen or changed by a visiting user. These are very important for those of you who share your computer with co-workers, strangers or anyone you have reason not to trust for any reason (I won't ask...). In short, you should require a password whenever you start up your machine or come back from screensaver or sleep mode, disable guest account access on your machine and head over to Parental Controls to set up account management, thereby disallowing administrator status for non-administrator users who are on your machine. Just, always require a password to gain access to your system, especially as the administrator.

Though the most high profile, this is not the first Lion password security flap: In late August it was revealed that systems using LDAP authentication (popular in the Enterprise) had a flaw which allowed any user on the machine to attain administrator status using any password at all.

This flaw shouldn't last long, however. A major security weakness found in Apple's mobile software in July was patched within nine days. Hopefully Apple will roll out a software update for Lion to patch this new bug, too.