Password security flaws in Mac OS X Lion exposed

Two new security flaws have been discovered in Mac OS X Lion. Both of these flaws come from changes made to the operating system since Snow Leopard.

Patrick Dunstan, a security blogger, posted the details of his findings on his blog (via The Register). Dunstan first raised issues regarding Mac OS X's password security back in 2009, describing the process used to extract and crack OS X passwords.

The first flaw is the ability for any user on a system, regardless of privileges, to access the password hashes of any user. Previously, only the root account in OS X had access to the shadow file, which is used by the operating system to store password hashes. In Lion, that has changed:

It appears in the redesign of OS X Lion's authentication scheme a critical step has been overlooked. Whilst non-root users are unable to access the shadow files directly, Lion actually provides non-root users the ability to still view password hash data. This is accomplished by extracting the data straight from Directory Services.

This ShadowHashData attribute actually contains the same hash stored in user bob's shadow .plist file. The interesting thing about this? root privileges are not required. All users on the system, regardless of privilege, have the ability to access the ShadowHashData attribute from any other user's profile.

The next issue lies with the ability to change a user's password when they're logged on, without requiring the user's old password for authentication. This differs from Windows and Linux's 'passwd' utility, both of which do require user authentication before a password change:

It appears Directory Services in Lion no longer requires authentication when requesting a password change for the current user. So, in order to change the password of the currently logged in user, simply use:

 $ dscl localhost -passwd /Search/Users/bob

 And voilà! You will be prompted to enter a new password without the need to authenticate.
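To make the two missing checks concrete, here is a toy directory service in Python that is an added example, not code from the article or from Dunstan's post. The `*_lion` methods reproduce the behaviour the article describes (the hash attribute is handed to any caller, and the current user's password is changed with no old password), and the `*_fixed` methods add the checks a directory service should enforce; the salted PBKDF2 storage is an assumption of the model, not Lion's actual hash format.

```python
import hashlib
import hmac
import os

ROOT = "root"


class DirectoryService:
    """Toy user directory (constructed example, not Apple's Directory Services)."""

    def __init__(self):
        self._users = {}  # name -> {"salt": bytes, "hash": bytes}

    @staticmethod
    def _derive(password, salt):
        # Salted PBKDF2 is an assumption for this model, not Lion's hash format.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

    def add_user(self, name, password):
        salt = os.urandom(16)
        self._users[name] = {"salt": salt, "hash": self._derive(password, salt)}

    def verify(self, name, password):
        rec = self._users[name]
        return hmac.compare_digest(rec["hash"], self._derive(password, rec["salt"]))

    # Flaw 1 as described: the hash attribute is returned to any caller.
    def read_shadow_hash_lion(self, caller, target):
        return self._users[target]["hash"]

    # Fix: hash material is only readable by root.
    def read_shadow_hash_fixed(self, caller, target):
        if caller != ROOT:
            raise PermissionError(f"{caller} may not read ShadowHashData of {target}")
        return self._users[target]["hash"]

    # Flaw 2 as described: the current user sets a new password with no old one.
    def passwd_lion(self, caller, target, new_password):
        if caller not in (ROOT, target):
            raise PermissionError("only root may change another user's password")
        self.add_user(target, new_password)  # re-salt and store the new hash

    # Fix: a non-root caller must first prove the current password.
    def passwd_fixed(self, caller, target, new_password, old_password=None):
        if caller != ROOT and (caller != target or old_password is None
                               or not self.verify(target, old_password)):
            raise PermissionError("current password required")
        self.add_user(target, new_password)
```

The fixed variants refuse the two requests the article describes (a non-root hash read and a password change without the old password) while still allowing root and a properly authenticated user through.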

This report comes a month after a bug was exposed in Lion, allowing for users to log on via LDAP using a valid username and any password.

37 Comments


All sorts of people are going on about it being a physical access flaw; it's not. Mac Defender was a big hit as far as Mac malware went, and it wouldn't take much for a piece of malware to copy the shadow data remotely. With regards to passwords, what about remote desktop apps? If someone RDPs into your PC, you are screwed.

Auzeras said,
All sorts of people are going on about it being a physical access flaw; it's not. Mac Defender was a big hit as far as Mac malware went, and it wouldn't take much for a piece of malware to copy the shadow data remotely. With regards to passwords, what about remote desktop apps? If someone RDPs into your PC, you are screwed.

Mac Defender is very easy to remove, by the way. It was a big hit because people don't read anymore; they have been trained to blindly click stuff and not read what it is. I see tons of people that have no idea how they got tons of toolbars. It's because they didn't read the install process and agreed to install it.

I agree with the people being able to get the file via RDP, but if they had remote desktop control, I'm thinking they would already be authenticated beforehand.

virtorio said,
An oversight for sure, but for most users this won't be a problem until an update is released.

Yeah, it is an unfortunate oversight, but it also demonstrates Apple doesn't run the same level of security testing or address security the same way Microsoft does.

Windows would have failed on a test server at Microsoft for a flaw like this. Especially one that offers the User's hash as a visible property. It is almost like Apple needs some security advice, and maybe a few developers that understand 'object' programming better and why not to expose secure information by a public property of an object.

Sadly, there are a lot of issues in Lion that should have been caught if they had a better testing system in-place. It's not just security, but I think their whole development/testing process could do with some "modernising".

virtorio said,
Sadly, there are a lot of issues in Lion that should have been caught if they had a better testing system in-place. It's not just security, but I think their whole development/testing process could do with some "modernising".

Apple needs to step back like Microsoft did...

When Microsoft did a company wide 'reboot' back in 2002 to address security and issues with XP and Win2K Server, they put in place some smart automation and testing tools, that have grown over the years.

The security hits Microsoft took 'after' moving to Windows NT were a shock to Microsoft, as the NT security model had done well prior to this, but was circumvented for compatibility, thus not being used as it was designed. This, added to a new generation of exploit concepts that were new to everyone, not just Microsoft, hit XP hard prior to SP2.

As a beta tester going back to the original NT project, there has been a noticeable shift in what 'beta testers' do today. Instead of looking for 'general' flaws and bugs, the focus is on various software and hardware combinations that draw out a flaw.

The majority of 'bugs' and 'glitches' are already known by the time the beta is dropped to testers, as they are identified in the Microsoft test center already, and often fixed in newer builds already.

And this is rather impressive considering the complexity and feature set of Windows 7 compared to an earlier version of NT.

Today Microsoft has a good handle on both security and stability, as the concepts go together with how coding is approached.

Windows 7 itself is solid, but also has the whole compatibility and compensation system that detects bugs in realtime by 3rd parties, and corrects them on the fly, which also helps security, as it keeps applications from failing and exposing the system to an exploit.

Seeing a crash on Windows 7 in just an application is rare. Sadly far more rare than seeing a crash on Android, iOS, and competing OSes like OS X and Linux. OS X users still have the 'magic restarts' and Android users know the Initialization 'FC' all too well.

Not exactly ideal behavior, but since I leave my computer locked when I'm not at it and I'm using FileVault encryption, I'm not too worried about it.

It's honestly not that different from booting a Windows 7 recovery disc and nuking passwords.

Elliott said,
Not exactly ideal behavior, but since I leave my computer locked when I'm not at it and I'm using FileVault encryption, I'm not too worried about it.

It's honestly not that different from booting a Windows 7 recovery disc and nuking passwords.

Really? Cause on a PC, I can restrict you from booting a DVD easily.

There is no circumvention method for these flaws.

Elliott said,
Not exactly ideal behavior, but since I leave my computer locked when I'm not at it and I'm using FileVault encryption, I'm not too worried about it.

It's honestly not that different from booting a Windows 7 recovery disc and nuking passwords.


This IS different!
Read carefully. This is not about physical access. This is user privilege escalation. In Windows you cannot view hashes of passwords of other users unless you are administrator (with additional privileges) or have physical access.

thenetavenger said,

Really? Cause on a PC, I can restrict you from booting a DVD easily.
There is no circumvention method for these flaws.

You can restrict booting any computer from a disk, but I can also take the HDD out of the same computer and run Trinity/startup from another; there goes your password. No physical computer is secure. Personally, I would have gone the easy way and reset it with the OS X startup disk compared to this method, as it's easily done from there regardless; it doesn't even have to be in the original computer. Same for Windows: no computer is secure regardless of the OS.

RealFduch said,

Read carefully. This is not about physical access. This is user privilege escalation. In Windows you cannot view hashes of passwords of other users unless you are administrator (with additional privileges) or have physical access.

Forgot and can't edit...
This IS about physical access:
All Users On The System

yowan said,
And some argued that OS X was a secure platform

People have said stupid things for years. They saw Apple throw around BSD, and they all thought it would 'magically' inherit the security and secure history of OpenBSD.

OS X is using BSD, just like Windows uses the BSD API in its Unix subsystem (SUA). BSD has no magical security or powers. OpenBSD was secure because of the work put into the entire OS, not just the kernel API interface (BSD).

1st flaw - You need to have a user setup on your Mac that you do not trust.
2nd flaw - You need to have your Mac logged in as you, and unattended.

1st solution - Don't add user accounts for people you do not trust.
2nd solution - Set the screen saver/turn off display timer to something low and have it require a password to unlock the Mac.

These security flaws should be addressed, however they really don't affect me and I doubt they will affect most Mac users.

If your Mac gets stolen, then someone who really wants to break in and steal your data can. You should really move sensitive items into some encrypted form. I used Disk Utility to make an encrypted disk image that I use to store sensitive information. Easy to mount-dismount with password.

Is this really THAT different from Linux or Windows security? Once the physical system has been compromised, then that is basically it.

Shadrack said,
1st flaw - You need to have a user setup on your Mac that you do not trust.
2nd flaw - You need to have your Mac logged in as you, and unattended.

1st solution - Don't add user accounts for people you do not trust.
2nd solution - Set the screen saver/turn off display timer to something low and have it require a password to unlock the Mac.

These security flaws should be addressed, however they really don't affect me and I doubt they will affect most Mac users.

If your Mac gets stolen, then someone who really wants to break in and steal your data can. You should really move sensitive items into some encrypted form. I used Disk Utility to make an encrypted disk image that I use to store sensitive information. Easy to mount-dismount with password.

Is this really THAT different from Linux or Windows security? Once the physical system has been compromised, then that is basically it.

One flaw with your reasoning: kids

Note that your password hash isn't going to do much good anyway. You'll need to do a lot of brute-force cracking before you'll get the actual password.

Shadrack said,

If you don't trust your kids, then you have bigger issues than this...

Trust and ignorance are two different things.

Shadrack said,

If you don't trust your kids, then you have bigger issues than this...

I would trust my kids to break any lockouts I have on a system in order for them to get whatever they want

That is to say if I had any kids

/Anything less is unsatisfactory

You can talk for yourself. I personally don't like knowing there is such a known security hole in the OS. So far I haven't had problems after updating to Lion, but this is certainly not good news.

I'm hoping they'll fix this soon though.

Shadrack said,
1st flaw - You need to have a user setup on your Mac that you do not trust.
2nd flaw - You need to have your Mac logged in as you, and unattended.

1st solution - Don't add user accounts for people you do not trust.
2nd solution - Set the screen saver/turn off display timer to something low and have it require a password to unlock the Mac.

These security flaws should be addressed, however they really don't affect me and I doubt they will affect most Mac users.

If your Mac gets stolen, then someone who really wants to break in and steal your data can. You should really move sensitive items into some encrypted form. I used Disk Utility to make an encrypted disk image that I use to store sensitive information. Easy to mount-dismount with password.

Is this really THAT different from Linux or Windows security? Once the physical system has been compromised, then that is basically it.

We should not blame Apple or call it a security flaw because everyone should trust their friends and children more and YOU think it is like Linux and Windows.

Wow, really?

In order to shift the blame from Mac and Apple, you want people to blame their friends and kids?

This is so stupid, I bet Steve Jobs would probably smack you upside the head.


1) This is why OS X is not good in public or business environments. (If you can't have multiple users because they can rip off the other user's passwords, it is worthless.) This is on par with Win9x security, and it HAD NONE.

2) As for being like Linux and Windows, NO! There are solutions for the ways to circumvent overwriting security on Windows. I can restrict the users from booting from a DVD/USB drive, then there is NO way they can use a recovery boot image to gain access to the system.

I can also use folder/file encryption via NTFS or BitLocker (Volume Level) that would keep even the FBI out of the files, let alone some 'user' wanting to steal other people's passwords.


This is why companies DO use Windows, as security is important to most corporations, and this is another reason why OS X and Apple don't take security seriously, and never have....
This is NOT like Windows. This is another good example of why OS X in a multi-person or business environment sucks.

Shadrack said,

Is this really THAT different from Linux or Windows security? Once the physical system has been compromised, then that is basically it.

Read carefully. This is not about physical access. This is user privilege escalation. In Windows you cannot view hashes of passwords of other users unless you are administrator (with additional privileges) or have physical access.

Example situation: the Neowin comments section is publicly accessible. But if any registered user found a way to make himself a moderator, that would be a flaw. A privilege escalation flaw.

I wonder why all screenshots anyone does of Lion are of Mission Control? It's not like you spend more than 2 seconds at a time in that view.

Dessimat0r said,
I wonder why all screenshots anyone does of Lion are of Mission Control? It's not like you spend more than 2 seconds at a time in that view.

Because it represents Lion quite well (just like Launchpad would, but the focus might shift to the application icons instead of the interface itself).
It's pretty much a radical change over Snowey's and below Exposé (which I still think has the sexier name!)

GS:mac

xpxp2002 said,
There is no flaw. Windows and Linux are difficult to use because their authentication isn't so easily circumvented.
lol'd

Well, I never really understood the whole password thing. I can understand encryption, but not the password. On a Windows PC, if a bad guy has access to the computer they can nuke the password in a matter of seconds after booting off a password recovery disc.

warwagon said,
Well, I never really understood the whole password thing. I can understand encryption, but not the password. On a Windows PC, if a bad guy has access to the computer they can nuke the password in a matter of seconds after booting off a password recovery disc.

And in Linux, unless you have locked down the bootloader, I can get in and alter passwords without a recovery disc. If you have locked down the bootloader, then I just need any bootable Linux disk.

I hope that MS makes Bitlocker standard in Windows 8

warwagon said,
Well, I never really understood the whole password thing. I can understand encryption, but not the password. On a Windows PC, if a bad guy has access to the computer they can nuke the password in a matter of seconds after booting off a password recovery disc.

The point is that this is such a high-level (easy) flaw that almost anyone can do it without much time or tools. I can do it to any Mac left logged on in a matter of seconds, whereas in the Windows/Linux situation, you need to reboot, put the boot disk in, etc.

Sraf said,
I hope that MS makes Bitlocker standard in Windows 8

BitLocker has a performance overhead. 99% of people don't need BitLocker.

Aethec said,

BitLocker has a performance overhead. 99% of people don't need BitLocker.

And you are correct, but the option would be nice to have. I wouldn't use it on my primary drive, but I do have a lower-use media drive I would like to use it on.

warwagon said,
Well, I never really understood the whole password thing. I can understand encryption, but not the password. On a Windows PC, if a bad guy has access to the computer they can nuke the password in a matter of seconds after booting off a password recovery disc.

You can do the exact same thing with OS X. Boot into single user mode and the computer is more or less yours.

warwagon said,
On a Windows PC, if a bad guy has access to the computer they can nuke the password in a matter of seconds after booting off a password recovery disc.

Read carefully. This is not about physical access. This is user privilege escalation.

Example situation: the Neowin comments section is publicly accessible. But if any registered user found a way to make himself a moderator, that would be a flaw. A privilege escalation flaw.