Slashdot Mirror


Aussie Researcher Cracks OS X Lion Passwords

daria42 writes "Thought your Mac was secure running Apple's latest operating system? Think again. Turns out that in some respects Lion is actually less secure than previous versions of Mac OS X, due to some permission-tweaking by Apple that has opened up a way for an attacker to crack your password on your Lion box. The flaw was discovered by an Australian researcher who has previously published a guide to cracking Mac OS X passwords. Sounds like Apple had better get a patch out for this."


  1. Not really cracking the passwords. by Anonymous Coward · · Score: 4, Informative

    He's not really cracking the passwords. He's just found a way to read the hash and salt from each user's shadow file without root privileges. It's fairly serious, but the hashes still need to be brute-forced.

    1. Re:Not really cracking the passwords. by Anonymous Coward · · Score: 4, Informative

      For this to work, a particular Java app must be installed and run on a website which is run on the Mac OS X computer.

      No, that's just one attack vector suggested in the article to illustrate how this could be abused.

      This is all possible, but basically FUD

      ANY application which runs with a regular user permission CAN access the hashes for ALL the user passwords on the system.
      That's not FUD. Also, the method described is not just possible, that's exactly how many infections occur these days.

  2. Here's the full details. by Core+Condor · · Score: 5, Informative

    http://www.techgineering.org/2011/09/22/2489/a-new-exploit-in-os-x-lion-allows-unauthorized-access-to-users-to-change-password/ - A New Exploit in OS X Lion Allows Unauthorized Access To Users to Change Password

    1. Re:Here's the full details. by spydir31 · · Score: 4, Informative

      Even better is the researcher's own blog post