You'd think a lion would be pretty good at guarding stuff, but it seems that's not the case with Apple software. A security flaw has been uncovered in Mac OS X Lion that could allow a hacker to easily change your passwords.
Passwords are stored in files called shadow files, which require you to type in your user password if you want to see or change anything. But Lion has a loophole that lets any user -- not just the admin -- get at all the passwords. They can't read the shadow files directly, but they can change the passwords and get in that way.
Lion neglects to ask for authentication when someone changes a password, so all you have to do is type `dscl localhost -passwd /Search/Users/bob` into Terminal, the Mac command line program, and Lion will roll over for you to tickle its belly and set your own password for Bob's user account. It even works on the computer's admin accounts.
The loophole was spotted by the security blog Defense in Depth, which has also come up with a Python script to find someone else's password. Er, cheers for that.
Should you be worried? Not if you're the only user of your Mac. Miscreants can only take advantage of the bug -- calling it a hack is a bit strong -- if they have local access to the computer and Directory Service access. That means the only people who can mess with your stuff are people who already have accounts set up on it.
This is an issue for shared or public computers, but Apple is likely to be all over this like antelope on the veldt. Until it's fixed, it's a good reminder of basic security: disable automatic log-in, turn on passwords to wake your computer from sleep or screensaver, and turn off guest accounts.
Oh, and never leave your password Lion around.

Comments (9)
anonymous 20 September, 2011 10:15
Looks like members of the SAS are actively hacking Mac OS X
anonymous 20 September, 2011 10:27
"Mac OS X Lion passwords can be changed by hackers" should be "Mac OS X Lion passwords can be changed by anyone"
anonymous 20 September, 2011 10:34
Oooooo, I'm really scared - Mac OS X Lion batteries can be changed by passers-by
anonymous 20 September, 2011 12:03
It's only a toy operating system anyway. What's the big deal? LOL
Peter Hudson 20 September, 2011 12:40
"disable automatic log-in, turn on passwords to wake your computer from sleep or screensaver, and turn off guest accounts." I do all that anyway, it's just common sense.
@Anonymous (1) - Anyone who has a knowledge of OS X terminal commands and would access your computer. So hackers, then.
@Anonymous (2) - If only I had a £ for every time a passer-by replaced the battery on my OS (do OSs even have batteries) without me noticing
@Anonymous (3) - Someday us Apple users will get a grown-up OS like Windows, I hear it's completely 100% secure, I don't think I've ever heard of someone compromising a Windows PC at any point in the past ever.
anonymous 20 September, 2011 12:55
@Peter Hudson
"@Anonymous (1) - Anyone who has a knowledge of OS X terminal commands and would access your computer. So hackers, then." - anyone can use Terminal
"@Anonymous (3) - Someday us Apple users will get a grown-up OS like Windows, I hear it's completely 100% secure, I don't think I've ever heard of someone compromising a Windows PC at any point in the past ever." - at least they can't change your passwords using simple commands with no authentication, anyway OS X is just a Linux mod
billfred 20 September, 2011 16:23
and what is wrong with Linux?
anonymous 20 September, 2011 16:57
*******BREAKING NEWS********** Hackers can steal your OS X if you lose your Mac.
anonymous 20 September, 2011 20:26
@Peter Hudson
@Anonymous (1) - Anyone who has a knowledge of OS X terminal commands and would access your computer. So hackers, then. ---- Fanboys love to overlook the details. There is a shell script for it. Put in a memory stick. Click it. Job done. Really complex if you have the brain size of a kitten, but peanuts to even the least computer-literate person on the planet. Hell, it's even simpler than most commands in OS X itself.
@Anonymous (3) - Someday us Apple users will get a grown-up OS like Windows, I hear it's completely 100% secure, I don't think I've ever heard of someone compromising a Windows PC at any point in the past ever. ---- Yeah, but I don't think I've ever heard of anyone compromising an OS this easily ever. I can teach 4-year-olds to do this.