OS X Lion fails to check passwords if authenticating via LDAP

If you use OS X Lion, there is a bug you should be aware of if you value your private data: when the system authenticates users via LDAP (Lightweight Directory Access Protocol), any password is accepted at login as long as the username is valid.

The bug, discovered by h-online.com, has reportedly been verified by Apple. This new bug in Apple’s latest operating system shows that not even Apple is immune to imperfections on its OS. H-Online states:

A bug in the module for authenticating (Open)LDAP under Mac OS X 10.7.x Lion can result in any password being accepted during log-in – all that's required is a valid user name. The problem occurs when logging in both via a graphical interface on a client and over the web via SSH on a server. Lion does not use LDAP to log-in by default; LDAP authentication tends to be used in large infrastructures for centralised user administration (name, password, group, etc.).

With Apple aware of the bug, you would expect that they will be working diligently to patch the flaw. At this time, there have not been any reports of this exploit being used in the wild for malicious purposes.

For all the criticism that Microsoft receives over exploits against its platform, this goes to show that security remains a ubiquitous problem on every software platform.

A security bug such as this represents a critical flaw that needs to be patched quickly. As the bug is now out in the wild, it will not be long before those with malicious intent will attempt to exploit this bug for personal gain.
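To make the failure mode concrete, here is an added example (not Apple's code and not from H-Online's report) using a constructed in-memory stand-in for an LDAP server: a login routine that only confirms the username exists, beside one that actually checks the bind result, and the three probes an administrator can run against any LDAP-backed login path. The mock directory, user names and passwords are all made up for the illustration.

```python
# Added example: mock LDAP simple-bind directory, a broken login check that
# shows the "any password for a valid user" symptom, a hardened check, and
# the probes a defender should run against a directory-backed login.
from dataclasses import dataclass

@dataclass
class BindResult:
    success: bool
    authz_dn: str   # "" means an anonymous (unauthenticated) session

class MockDirectory:
    """Constructed stand-in for an LDAP server. Follows RFC 4513: a simple
    bind with an empty password is an unauthenticated bind and succeeds as
    anonymous, which is why a client must never accept an empty password."""
    def __init__(self, users):
        self.users = users  # {uid: password}, constructed test data

    def find_dn(self, uid):
        return f"uid={uid},ou=people,dc=example,dc=com" if uid in self.users else None

    def simple_bind(self, dn, password):
        if password == "":
            return BindResult(True, "")           # anonymous, not the user
        uid = dn.split(",")[0].split("=")[1]
        ok = self.users.get(uid) == password
        return BindResult(ok, dn if ok else "")

def authenticate_broken(d, uid, password):
    """Mirrors the article's symptom: only checks that the user exists."""
    dn = d.find_dn(uid)
    if dn is None:
        return False
    d.simple_bind(dn, password)                   # result ignored: any password passes
    return True

def authenticate(d, uid, password):
    """Hardened: refuse empty passwords, then require a successful bind whose
    authorization identity is the user's own DN."""
    dn = d.find_dn(uid)
    if dn is None or not password:
        return False
    r = d.simple_bind(dn, password)
    return r.success and r.authz_dn == dn

def probe_login_path(auth, d, uid, good):
    """Right password in, wrong password out, empty password out."""
    return (auth(d, uid, good) and not auth(d, uid, "wrong-" + good)
            and not auth(d, uid, ""))

DIRECTORY = MockDirectory({"alice": "correct horse battery staple"})  # constructed
```

Run the same three probes against a real Lion client or server bound to a directory; a login path that passes a wrong or empty password for a known user is exactly the condition the article describes.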

[Update] d4v1d05 tipped us to let everyone know that this was originally discovered on a forum post over at MacRumors.


I consider the single user mode "reset password" a much larger bug (even if it can be disabled, it is enabled by default)

What the hell does that mean, "over the web via SSH"? SSH over HTTP? SSH on port 80? Who does that? Mac OS X accepts SSH on the standard port 22 over standard networking, not "the web", and no "server" required.

I could understand this bug more if it were only blank passwords that were the problem (treating it as an anonymous bind), but any password. There must be zero authentication checks happening. How on earth did that get past quality control testing?

Good writing, but why do some authors here make comments like this: "This new bug in Apple's latest operating system shows that NOT EVEN Apple is immune to imperfections on its OS."

ajua said,
Good writing, but why do some authors here make comments like this: "This new bug in Apple's latest operating system shows that NOT EVEN Apple is immune to imperfections on its OS."

Um... to imply that MacOS is the most secure OS? Allegedly...

But I thought Lion's security was "Windows 7, plus, plus"

You know, because they added security features to Lion that Windows Vista had almost 5 years ago.

Enron said,
But I thought Lion's security was "Windows 7, plus, plus"

You know, because they added security features to Lion that Windows Vista had almost 5 years ago.

Enron, my favourite Microsoft Fanboy.

And there's a reason Apple are a consumer, not a corporate supplier.

If this was a Windows 'bug' this would be a really serious issue and you can imagine the headlines.

I don't hate Apple, but in the serious corporate world they are nothing other than a niche provider.

In the real world we don't want it to 'just work' we want it to actually work.

grunger106 said,
And there's a reason Apple are a consumer, not a corporate supplier.

If this was a Windows 'bug' this would be a really serious issue and you can imagine the headlines.

I don't hate Apple, but in the serious corporate world they are nothing other than a niche provider.

In the real world we don't want it to 'just work' we want it to actually work.

They are trying to sell to schools with educational deals and such, so it's pretty bad.

grunger106 said,
And there's a reason Apple are a consumer, not a corporate supplier.

If this was a Windows 'bug' this would be a really serious issue and you can imagine the headlines.

I don't hate Apple, but in the serious corporate world they are nothing other than a niche provider.

In the real world we don't want it to 'just work' we want it to actually work.

In all fairness, Windows' share is a lot larger than Mac's share, therefore the bug would have more of an impact.
Not that it makes it okay, as it's not!

Ouch that's a major bug. LDAP is very commonly used across companies as the 'standard' to login when using Windows Server. I believe our company would almost implode with rage if the same issue occurred on our Windows platform.

imachip said,
Ouch that's a major bug. LDAP is very commonly used across companies as the 'standard' to login when using Windows Server. I believe our company would almost implode with rage if the same issue occurred on our Windows platform.

Interestingly enough, I had a look over at OpenLDAP.org (which is what the server version uses with Mac OS X) and it doesn't appear to be a bug in the LDAP server itself but something that Apple themselves have done.

Hardcore Til I Die said,
It just works (tm) .. you don't even need a password to log in. It's so simple, a revolutionary new way to log in.
Amazing!

LDAP isn't enabled by default on Lion though right? It has to be enabled before this exploit is possible....

k776 said,
LDAP isn't enabled by default on Lion though right? It has to be enabled before this exploit is possible....
LDAP would be used in any corporate or educational environment where a Mac is used alongside Windows, including governments, schools, etc etc.
Basically the places you'd want a password to work the most.

FYI, LDAP is the authentication protocol that allows external applications (such as Gmail sync for enterprise) to access domain credentials in a secure fashion without decrypting passwords.