OS X Lion fails to check passwords if authenticating via LDAP

If you use OS X Lion, there is a little bug that you should be aware of if you value your private data. When you log in to OS X Lion using the LDAP (Lightweight Directory Access Protocol) method, the bug lets you log in with any password, as long as you have a valid username.

The bug, discovered by h-online.com, has reportedly been verified by Apple. This new bug in Apple's latest operating system shows that not even Apple is immune to imperfections in its OS. H-Online states:

A bug in the module for authenticating (Open)LDAP under Mac OS X 10.7.x Lion can result in any password being accepted during log-in – all that's required is a valid user name. The problem occurs when logging in both via a graphical interface on a client and over the web via SSH on a server. Lion does not use LDAP to log-in by default; LDAP authentication tends to be used in large infrastructures for centralised user administration (name, password, group, etc.).

With Apple aware of the bug, you would expect that they will be working diligently to patch the flaw. At this time, there have not been any reports of this exploit being used in the wild for malicious purposes.

For all the criticism that Microsoft receives over the exploits in its platform, this bug goes to show that security remains a ubiquitous problem on any software platform.

A security bug such as this represents a critical flaw that needs to be patched quickly. As the bug is now out in the wild, it will not be long before those with malicious intent attempt to exploit it for personal gain.

[Update] d4v1d05 tipped us to let everyone know that this was originally discovered on a forum post over at MacRumors.

 