
Lion security hole lets hackers change account passwords

updated 04:30 pm EDT, Mon September 19, 2011

Works without root access

OS X Lion has a serious security vulnerability allowing hackers to alter the password of any user account, writes security blog Defence in Depth. The OS reportedly lets non-root users view password hash data. As a consequence, an attacker can potentially use a basic Python script to glean a person's password.

Aggravating the situation is that Lion doesn't require a password to change a current user's login. Entering the command "dscl localhost -passwd /Search/Users/______", with the blank substituted by a person's account name, will therefore prompt for a new password. What keeps the threat under control at the moment is that an attacker needs local access to a Mac, as well as Directory Service access.

Several extra safeguards are suggested. These include disabling automatic logins, turning on sleep and/or screensaver passwords, and finally shutting off guest accounts. Except for the guest accounts, the tips are common Mac security measures.
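A quick way to check the three safeguards above on a Mac, as an added example that is not from MacNN or Defence in Depth. The function names are hypothetical, and the script assumes the standard loginwindow and screensaver preference keys read with the `defaults` tool.

```shell
#!/bin/sh
# Added example: audit the three safeguards named in the article
# (automatic login, guest account, sleep/screensaver password).
# Function names are hypothetical; preference keys are the standard macOS ones.

# read_pref DOMAIN KEY -> prints the value, or nothing if the key is unset
read_pref() {
    defaults read "$1" "$2" 2>/dev/null || true
}

# evaluate AUTOLOGIN_USER GUEST_ENABLED ASK_FOR_PASSWORD
# Prints one line per weak setting and stores the count in FINDINGS.
evaluate() {
    FINDINGS=0
    if [ -n "$1" ]; then
        echo "WEAK: automatic login is enabled for user '$1'"
        FINDINGS=$((FINDINGS + 1))
    fi
    if [ "$2" = "1" ]; then
        echo "WEAK: guest account is enabled"
        FINDINGS=$((FINDINGS + 1))
    fi
    if [ "$3" != "1" ]; then
        echo "WEAK: no password required after sleep or screensaver"
        FINDINGS=$((FINDINGS + 1))
    fi
    return 0
}

# audit_host: read the live settings and evaluate them.
# Assumption: askForPassword is read from the current user's domain;
# some releases keep it per host instead.
audit_host() {
    evaluate \
        "$(read_pref /Library/Preferences/com.apple.loginwindow autoLoginUser)" \
        "$(read_pref /Library/Preferences/com.apple.loginwindow GuestEnabled)" \
        "$(read_pref com.apple.screensaver askForPassword)"
}

# Only touch the live machine when explicitly asked: ./audit.sh --host
if [ "${1:-}" = "--host" ]; then
    audit_host
fi
```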

by MacNN Staff



  1. Eldernorm

    Joined: Dec 1969


    So, you are saying

    That if someone breaks in late at night, they can hack my computer....

    Of course, if they steal it, they get to keep the computer too... Hmmmmm!!!

    This does mean that it's possible to do ID theft by stealing the computer. But usually break in people are not looking for ID theft.

    Just a thought,

  1. facebook_Francis

    Via Facebook

    Joined: Sep 2011


    Why would you post this

    While I understand that you at MacNN mean to inform us about it, giving us the code to use is ridiculously stupid. How do you know that I'm not a hacker who has physical access to a high-profile Lion computer?

    I'd recommend removing that bit of code there.

  1. facebook_Collin

    Via Facebook

    Joined: Sep 2011


    Almost News

    Let me know if someone manages to exploit this in the wild without physical access to the machine before Apple patches this. Then I will be alarmed, afraid, impressed etc...

  1. facebook_Newton

    Via Facebook

    Joined: Sep 2011


    I don't think the author actually tried this

    In order to change a user's password with the directory services command line tool you're prompted for the user's existing password. Otherwise, the command fails.

    MacBookPro:$ dscl localhost -passwd /Search/Users/test
    New Password:
    Permission denied. Please enter user's old password:
    passwd: DS error: eDSAuthFailed
    DS Error: -14090 (eDSAuthFailed)

  1. lkrupp

    Joined: Dec 1969


    Kinda hard to excuse...

    I'm a bit amazed that this got by the beta testers and I agree that physical access to any computer leaves it wide open. But it's also true that Apple critics/detractors will run around waving this in front of everyone they can find. The haters love this sort of thing and will try to make the biggest mountain out of it they can so I would expect to see a Lion security update relatively soon.

  1. burnin

    Joined: Dec 1969


    it worked 8l

    now you can't even open an app that you haven't previously used..because you don't know if you can trust it... it may run this code, then enable SSH, then have full access to your computer and files..
    Enable Firewall !

  1. imNat-imadouche

    Joined: Dec 1969


    Mac is another windows


  1. bjojade

    Joined: Dec 1969


    Physical Access Required

    You need physical access to the machine to run this. You do realize that with a boot CD, you can change account passwords as well. You can also boot to single user mode, without a CD and create a new admin account for the machine. Big deal.

  1. ggirton

    Joined: Dec 1969


    not shakin'

    After what I've read here, let's just say I'm not shakin' and I'm not quakin'. Because it looks like if you're at my house, and you know my password, you can change it with a program.

    Perhaps it was news of this serious "security hole" that caused AAPL stock to go up 11 points today while the rest of the market was tanking.

  1. thomasoniii

    Joined: Dec 1969


    comment title

    Physical access? Sure. But is there anything stopping a trojan app downloaded from somewhere from shelling out to the command, changing the password, then emailing out connection info to a black hat to ssh into your box.

    Yeah, yeah, if the user's behind firewalls and SSH is closed off and whatever (my home box only allows public key authentication), you're safe(r), but that's still requiring the end user to have their machine configured properly. That fails the mom test - if my mom can't figure out how to do it on her own w/o a prompt from me, it's not a reasonable request.

    This needs to be patched ASAP.

    In the meantime, since I'm overly paranoid, I did do this:

    sudo chmod go-x /usr/bin/dscl

    that removes execute permission from anyone except the file owner (which is root, in this case), with the end effect of requiring authorization. Note that I don't know if disabling execute for everyone else will cause problems or not, so take that paranoia with a grain of salt.
