Great. Trivial hack gives any Lion user admin access

A security blog has posted a relatively simple way to crack Lion passwords - even from non-admin accounts.

Just when you thought it was safe to go on the prowl with Lion, it turns out that it could actually turn against you and m... ok, enough with the Lion metaphors.

There's a new, and potentially nasty vulnerability in Apple's Mac OS X Lion -- the company's exclusively-Internet-distributed major OS upgrade. It turns out the Apple should have probably put a few more QA engineers on the product.

Sunday night security blog "Defence in Depth" wrote that it's trivial to crack Lion passwords -- even from non-admin accounts.

In late 2009, the security blog "Defence in Depth" covered a method for cracking OS X passwords where users could extract the password hash for other users on the system; however, doing this ultimately required admin privileges. The post outlined that technically on systems prior to OS X 10.7 that user passwords could be extracted, but this ultimately could only be done by people with administrative passwords. Recently the blog outlined the new findings in Lion, where this can now be done by nonadmin users.

Tip of the hat to Topher Kessler (one of my countrymen at CNET) for uncovering this new Lion threat.

Apple, you're on the clock.