Apple usually does a commendable job patching the Mac’s security flaws in rapid order as they arise. Numerous holes have been plugged, bugs squashed and exploits fixed as they have been discovered over the years. And just when you thought Lion couldn’t be drastically compromised, along comes a new exploit based on Apple’s old Achilles’ heel: the permissions system in OS X.
CNET warns that any local user on a Lion machine can quite easily change the password of any other local account, without admin privileges – how spooky is that? Certainly not good for shared machines. Kudos for discovering this nasty design omission go to the security blog Defence in Depth, which explains that Lion’s Directory Services no longer requires authentication when a password change is requested for the current user:
It appears in the redesign of OS X Lion’s authentication scheme a critical step has been overlooked. Whilst non-root users are unable to access the shadow files directly, Lion actually provides non-root users the ability to still view password hash data. This is accomplished by extracting the data straight from Directory Services.
Technically-minded folks can find out more in Defence in Depth’s article, including a step-by-step proof of concept that you can try on your machine. It works, we’ve tried. Now that Apple has been alerted and is aware of the situation, here’s hoping that 10.7.2 or one of the future updates resolves this potentially dangerous flaw. The sooner, the better for everyone.