Security researcher Patrick Dunstan has released his findings on Apple’s latest operating system OS 10.7, aka Lion, and it doesn’t look good. He found that if provided with physical access, a nefarious person could recover administrator passwords, or even change those passwords, without any special privileges.
Here’s how password security is supposed to work on a Mac: Passwords are stored in “shadow files” which are buried deep in the system’s file structure, and only accessible by someone logged in with an administrator password. Dunstan’s research has shown, however, that in the new version of the operating system, these files can be accessed by any user and passwords extracted. More troubling is his discovery that, with a little prodding, someone with access to the computer’s Terminal command line app can change the administrator’s password themselves.
According to CNET, this last and most troubling security oversight can be executed thusly:
In addition to being able to extract the password hashes for a user, any user can also directly change another user’s password, including those of system admins, merely by supplying the following command in the Terminal (substituting USERNAME for the short name of the target account):
dscl localhost -passwd /Search/Users/USERNAME
When run, this command will appear to give an error, but if you enter the same new password at all prompts then the target account’s password will be changed.
If an intruder were able to forcibly change the administrator password in this manner, he or she could then log in with full admin privileges and do just about anything to the computer.
There are some obvious limitations to this security issue. First and foremost, any would-be hacker would need physical access to your computer. Keeping it in sight, turning off automatic login, and setting a password to wake from screen saver/sleep are good precautionary steps. However, simply having a guest account available on the computer could, in this case, allow an intruder access.
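The precautions above can be checked from the Terminal. The script below is an added example, not from the researcher or CNET: it reports whether automatic login, the guest account, and the wake-from-screen-saver password are set safely. It assumes the standard `com.apple.loginwindow` and `com.apple.screensaver` preference keys apply to the OS X release being checked; the function names and the sample values are hypothetical.

```shell
#!/bin/sh
# Added example: audit the precautions named in the article on a Mac.
# Assumption: the loginwindow/screensaver preference keys below are the
# ones in use on the OS X release being checked.

# read_pref DOMAIN KEY -> prints the value, or nothing if the key is unset.
read_pref() {
    defaults read "$1" "$2" 2>/dev/null || true
}

# audit_settings AUTOLOGIN_USER GUEST_ENABLED ASK_FOR_PASSWORD
# Prints one "FINDING:" line per weak setting and an "OK:" line otherwise.
audit_settings() {
    if [ -n "$1" ]; then
        echo "FINDING: automatic login is enabled for user '$1'"
    else
        echo "OK: automatic login is off"
    fi
    if [ "$2" = "1" ]; then
        echo "FINDING: guest account is enabled"
    else
        echo "OK: guest account is disabled"
    fi
    if [ "$3" = "1" ]; then
        echo "OK: password required to wake from screen saver/sleep"
    else
        echo "FINDING: no password required to wake from screen saver/sleep"
    fi
}

# Query live settings only where the macOS `defaults` tool exists.
if command -v defaults >/dev/null 2>&1; then
    audit_settings \
        "$(read_pref /Library/Preferences/com.apple.loginwindow autoLoginUser)" \
        "$(read_pref /Library/Preferences/com.apple.loginwindow GuestEnabled)" \
        "$(read_pref com.apple.screensaver askForPassword)"
else
    # Constructed sample values so the logic can be exercised elsewhere.
    audit_settings "alice" "1" "0"
fi
```

The screen saver setting is per-user, so run the script as each account you want to check.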
Hopefully, this issue will be addressed in future security updates from Apple. Until then, keep your friends close and your MacBook Pros closer.