Mac OS X may have a sterling reputation for being virus-free, but that doesn’t mean there aren’t plenty of other ways for malicious types to invade your personal space. According to one security blog, one such vulnerability has turned up in the new OS X Lion which allows hackers to change your account passwords.
MacNN is reporting that a “serious security vulnerability” has turned up inside OS X Lion which allows hackers to alter the password of your user account -- and if you have more than one, to do the same on all of them. According to security blog Defence in Depth, the operating system “reportedly allows non-root users the ability to view password hash data,” which in turn means that hackers could in theory use a basic Python script to turn up the password itself.
“Aggravating the situation is that Lion doesn't require a password to change a current user's login,” MacNN explains. “Entering the command ‘dscl localhost -passwd /Search/Users/______,’ with the blank substituted by a person's account name, will therefore prompt for a new password. Keeping the threat under control at the moment is that an attacker needs local access to a Mac, as well as Directory Service access.”
Apple will likely plug this security hole in a future update, but for now the security blog suggests disabling automatic logins, turning on sleep/screen saver passwords and even shutting off guest accounts as a temporary remedy for the issue.
Follow this article’s author, J.R. Bookwalter on Twitter