Great. Trivial hack gives any Lion user admin access

Summary:A security blog has posted a relatively simple way to crack Lion passwords - even from non-admin accounts.

Just when you thought it was safe to go on the prowl with Lion, it turns out that it could actually turn against you and m... ok, enough with the Lion metaphors.

There's a new, and potentially nasty vulnerability in Apple's Mac OS X Lion -- the company's exclusively-Internet-distributed major OS upgrade. It turns out the Apple should have probably put a few more QA engineers on the product.

Sunday night security blog "Defence in Depth" wrote that it's trivial to crack Lion passwords -- even from non-admin accounts.

In late 2009, the security blog "Defence in Depth" covered a method for cracking OS X passwords where users could extract the password hash for other users on the system; however, doing this ultimately required admin privileges. The post outlined that technically on systems prior to OS X 10.7 that user passwords could be extracted, but this ultimately could only be done by people with administrative passwords. Recently the blog outlined the new findings in Lion, where this can now be done by nonadmin users.

Tip of the hat to Topher Kessler (one of my countrymen at CNET) for uncovering this new Lion threat.

Apple, you're on the clock.

Topics: Apple, Operating Systems, Security, Software

About

Jason D. O'Grady developed an affinity for Apple computers after using the original Lisa, and this affinity turned into a bona-fide obsession when he got the original 128 KB Macintosh in 1984. He started writing one of the first Web sites about Apple (O'Grady's PowerPage) in 1995 and is considered to be one of the fathers of blogging.... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.