
Mac OS X flaw allows dodgy password resets

By Nicole Kobie

Posted on 20 Sep 2011 at 09:51

A flaw in Mac OS X 10.7 could let attackers reset passwords without knowing the existing one.

A researcher writing on the Defence in Depth blog revealed a pair of permissions problems in the latest Apple OS.

First, the system gives non-root users easy access to the contents of users' shadow files, which should be readable only by high-privilege accounts. Those files hold hashed passwords, which can be brute-forced to recover the originals and gain access.

"It appears in the redesign of OS X Lion's authentication scheme a critical step has been overlooked," researcher Patrick Dunstan said. "Whilst non-root users are unable to access the shadow files directly, Lion actually provides non-root users the ability to still view password hash data. This is accomplished by extracting the data straight from Directory Services."

While Dunstan said major cracking tools don't yet support OS X 10.7 hashes, you don't actually need to crack them - thanks to the second permission problem, you can simply change the password.

"Why crack hashes when you can just change the password directly! It appears Directory Services in Lion no longer requires authentication when requesting a password change for the current user," he wrote.

"You will be prompted to enter a new password without the need to authenticate," Dunstan wrote.

Dangerous flaw

According to Sophos' Chester Wisniewski, the flaw is "particularly dangerous" for anyone using Apple's FileVault 2 disk encryption.

"If your Mac were left unlocked and someone changed your password you would no longer be able to boot your computer and potentially would lose access to all of your data," he said in a blog post.

Wisniewski has checked with people testing OS X 10.7.2, and said the flaw still exists in test builds.

User comments

All quiet on the SwissMac front..

He'll probably find some way to blame Microsoft or Samsung again. But if only Apple copied Microsoft and Sammy slavishly and built their products with some modicum of security!
:)

How refreshing that this information hasn’t been released by someone simply trying to cause a bit of panic in order to flog an anti-virus package (Android and Windows anyone?)

By TheHonestTruth on 20 Sep 2011

Old news, LDAP only affected

Strictly speaking this only affects people using LDAP. Ordinary users not using LDAP are not affected, apparently. This news was old two weeks ago and was fixed in the 10.7.1 update release of Lion downloaded by most ordinary users as soon as it came a week or so ago.

However, anyone getting Lion at the moment is not making a good decision - in its launch configuration it's not a very good OS and apart from being rock solid underneath because of its UNIX underpinnings, it's a bit like Vista from what I've read. There are lots of very unhappy Mac users downgrading to Snow Leopard at the moment which is a very neat OS. Not so many bells and whistles, but it works fine.

Looks like both Apple and Microsoft have fallen foul of trying to make a desktop OS more like a tablet OS. IT DOESN'T WORK, DUMMIES!!!

By SwissMac on 20 Sep 2011

Wrong again, SwissMac

Did you not read the story?

"testing OS X 10.7.2, and said the flaw still exists"

It's a different flaw this time.

By greemble on 20 Sep 2011

Lion's fine actually

There are some tablet-esque features in Lion, but you are free to ignore them without any loss of functionality. A couple of months on, I am used to it and have had no thoughts of switching back to Snow Leopard, which was actually very buggy when it was first launched.

By SirRoderickSpode on 20 Sep 2011

Although obviously the security hole is not good news! :-o

By SirRoderickSpode on 20 Sep 2011

Thanks greemble...

... but they're still dummies for incorporating so much from iOS (a perfectly good OS on its own) into OS X (a perfectly good OS in its Snow Leopard form).

Nobody wants Full Screen apps, at least, not with today's widescreen monitors. Also, many people need Rosetta to run older apps such as Eudora, AppleWorks, Office 2000/3/7 and hundreds of other apps.

If I do upgrade it'll only be after the .4 version is released, if not the .5.

By SwissMac on 20 Sep 2011

@SwissMac

Full screen apps are actually quite useful. Though as I've said before, on a large hi-res screen it's overkill. But on small screen computers such as the MacBook Airs (11 and 13in) full screen applications can be very useful.

I've found the full screen apps to be very helpful at times on my 13in MacBook.

Hopefully this security flaw gets patched soon.

By hjlupton on 20 Sep 2011

Who only uses one app at a time?

When I work on my iMac the 24" screen is wide enough to show 2 A4 pages side by side - or one work window and a few research windows where content or other data is displayed. If I'm writing, I need to see all of them in one go, not one at a time.

Reading emails in full screen is pretty impossible, in fact, any text editor that doesn't soft wrap means the text is hard to read as it is not broken down into short lines. Coding may be the only thing that benefits from long lines.

But like so many Lion features, its appeal is very limited.

By SwissMac on 21 Sep 2011

I'm with SwissMac

The Full Screen modes of W8 and Lion don't make sense on a "real" computer.

I also have several reference windows visible all the time.

On a tablet or netbook, it makes sense, but throw it on a dual-head 24" or 27" set-up and it doesn't make any sense at all.

By big_D on 21 Sep 2011

You don't have to use apps in fullscreen

Why are people moaning about fullscreen in OSX? Lion doesn't force you to use apps in fullscreen, it's a feature that's there if you want it and it happens to be a bonus when using a laptop.
Personally I think that not using apps in fullscreen is a bit odd, but it's horses for courses and certainly not something to complain about.

By Gareth_Rees on 22 Sep 2011

Lion has been trouble for us

I have been an avid Apple fan for 3.5 years with an iMac 24" and a MacBook Pro. Since upgrading to Lion everything takes a few more clicks and many more minutes longer. A good OS should have fewer clicks to what you need to do. Lion for us has been a complete disaster. On BOTH our machines you can now go and make a cup of tea whilst MAIL boots up. Mail will not work with Lion in any kind of efficient fashion. As a result we went out and bought a new Sony Vaio running Windows 7 Ultimate. A comment above says it all: We don't need desktop OS looking like Tablets etc. Apple have lost the plot and I am disgusted. I have sent in at least 10 problem areas to Apple and PC Pro Mag. What both have done with the list I don't know, but our productivity is now very low since Lion.

By jrk777 on 22 Sep 2011

Sorry....

...for the multiple posts, I have no idea why that happened.

By Gareth_Rees on 22 Sep 2011

PCPro-Computing in the Real World Printed from www.pcpro.co.uk