Mac OS X Lion flaw allows illicit password changes

Due to security oversights in the design of Apple's latest operating system, an attacker can easily obtain users' encrypted passwords, and even change such credentials without authorization, a security researcher has warned.

The issue, uncovered Sunday by Patrick Dunstan of the information security blog Defence in Depth, involves the authentication scheme in Mac OS X 10.7 (Lion), which was released in July.

In Lion, as well as previous OS X versions, user passwords are encrypted and stored in so-called shadow files, which can only be viewed by users with root privileges, Dunstan said. While non-root users cannot access the shadow files, Lion allows any user – even those without administrator privileges – to obtain stored password hash data through an openly readable directory.

“It appears in the redesign of OS X Lion's authentication scheme, a critical step has been overlooked,” he wrote in a blog post. “Lion actually provides non-root users the ability to still view password hash data. This is accomplished by extracting the data straight from Directory Services.”

In 2009, Dunstan disclosed a similar method for cracking hashed passwords from systems running Mac OS X 10.6 (Snow Leopard) and earlier versions.

Beyond just extracting users' password hashes, attackers also would be able to change a password without authorization.

“Why crack hashes when you can just change the password directly!” Dunstan wrote. “It appears Directory Services in Lion no longer requires authentication when requesting a password change for the current user.”

As a result, an attacker with access to a logged-in Mac would be able to change a user's password without even knowing their existing login information, Chet Wisniewski, senior security adviser at anti-virus firm Sophos, said in a blog post Tuesday. Previous OS X versions required users to enter their existing password before being able to change it.

“If your Mac were left unlocked and someone changed your password, you would no longer be able to boot your computer and potentially would lose access to all of your data,” Wisniewski wrote.

Apple did not respond to a request for comment when contacted by SCMagazineUS.com on Tuesday.
