People can easily change the password for a Mac OS X Lion user account without knowing the existing password, as long as they have local access to the Apple machine in question and their victim has not logged out, a security researcher has claimed.
According to Patrick Dunstan, the redesign of the authentication scheme in Lion, which was released in July, makes the OS X operating system much less secure than its predecessors. He said there are two major flaws in the OS's Directory Services: the ability for non-root users to view password hash data, and the fact that passwords can be changed by anyone who comes across an unlocked machine where the user has already logged in.
The first issue lies with the data stored in the 'shadow files' that each user has: these hold the hashed form of the user's password, which the system compares against the password entered at login rather than storing the password itself.
As with earlier versions of OS X, those shadow files can only be viewed by users with root privileges, Dunstan wrote on Sunday. However, he said, the data in the files can be viewed elsewhere, without the need for root privileges. This makes cracking the security of a user account much easier.
"It appears in the redesign of OS X Lion's authentication scheme a critical step has been overlooked," Dunstan wrote. "Whilst non-root users are unable to access the shadow files directly, Lion actually provides non-root users the ability to still view password hash data. This is accomplished by extracting the data straight from Directory Services."
Additionally, the researcher added, Apple's redesign of the operating system has removed the need for users to enter the old password when changing to a new password. As long as the user is logged in, someone else with access to their computer can change their password and shut them out.
"Why crack hashes when you can just change the password directly! It appears Directory Services in Lion no longer requires authentication when requesting a password change for the current user," Dunstan wrote. "So, in order to change the password of the currently logged-in user, simply use $ dscl localhost -passwd /Search/Users/bob and voilà! You will be prompted to enter a new password without the need to authenticate."
In 2009, Dunstan also exposed a method for extracting and cracking OS X passwords in pre-Lion versions of the Mac operating system.
ZDNet UK has asked Apple to explain the apparent security flaws in Lion, but had received no reply at the time of writing.