Gloriously secure Apple seems to have made a bit of a pig's ear in tweaking Mac OS X 10.7. One such tweak makes it easy for attackers to reset passwords on a targeted machine without having to know the one set by the bona fide user.
Insecurity researcher Patrick Dunstan exposed the cock-up on his Defence in Depth blog. He says Apple's latest OS allows easy access to users' shadow files. The hashed passwords stored therein could then be attacked by brute force.
"It appears in the redesign of OS X Lion's authentication scheme a critical step has been overlooked," Dunstan writes. "Whilst non-root users are unable to access the shadow files directly, Lion actually provides non-root users the ability to still view password hash data. This is accomplished by extracting the data straight from Directory Services."
Having access to OS X 10.7 hashes might not be quite so bad, however, were it not for the fact that, rather than brute-force the hashes open, all you, as a nefarious hacker, need to do is change the password.
"Why crack hashes when you can just change the password directly!" Dunstan writes. "It appears Directory Services in Lion no longer requires authentication when requesting a password change for the current user.
"You will be prompted to enter a new password without the need to authenticate," he says.
Insecurity outfit Sophos agrees with Dunstan's findings, labelling the flaw "particularly dangerous if you are using Apple's new FileVault 2 disk encryption".
"If your Mac were left unlocked and someone changed your password, you would no longer be able to boot your computer and potentially would lose access to all of your data."