Hackers Can Reveal, Change Passwords in OS X Lion

Security researcher Patrick Dunstan has released his findings on Apple’s latest operating system, OS X 10.7, aka Lion, and it doesn’t look good. He found that if provided with physical access, a nefarious person could recover administrator passwords, or even change those passwords, without any special privileges.

Here’s how password security is supposed to work on a Mac: Passwords are stored in “shadow files” which are buried deep in the system’s file structure, and only accessible by someone logged in with an administrator password. Dunstan’s research has shown, however, that in the new version of the operating system, these files can be accessed by any user and passwords extracted. More troubling is his discovery that, with a little prodding, someone with access to the computer’s Terminal command line app can change the administrator’s password themselves.

According to CNET, this last and most troubling security oversight can be executed thusly:

In addition to being able to extract the password hashes for a user, any user can also directly change another user’s password, including those of system admins, merely by supplying the following command in the Terminal (substituting USERNAME for the short name of the target account):

dscl localhost -passwd /Search/Users/USERNAME

When run, this command will appear to give an error, but if you enter the same new password at all prompts then the target account’s password will be changed.

If an intruder was able to forcibly change the administrator password in this manner, he or she would then be able to log in with full admin privileges and be able to do just about anything to the computer.

There are some obvious limitations to this security issue. First and foremost, any would-be hacker would need physical access to your computer. Keeping it in sight, turning off automatic login, and setting a password to wake from screen saver/sleep are good precautionary steps. However, simply having a guest account available on the computer could, in this case, allow an intruder access.

Hopefully, this issue will be addressed in future security updates from Apple. Until then, keep your friends close and your MacBook Pros closer.

(Defence in Depth via CNet, original image via Elke Sisco)

  • http://www.facebook.com/race.vanderdecken Race Vanderdecken

    So a bad person has to have your computer and an account on the computer to access the administrator account.

    So can they steal my car if I give them the key? 

  • http://twitter.com/DaSpadeR John Spade

    More like leaving the keys in the door. Most users don’t put passwords on their consoles, plus it shouldn’t be too hard to script a more automatic exploit.

  • http://www.facebook.com/profile.php?id=1768171933 Naphatr Bootsobha

    So you mean that they need a user account to hack, right? And they can’t hack without access to a user account?


© 2012 Geekosystem, LLC