Researcher claims flaw allows passwords to be changed without knowledge of the logged-in user's password

A security researcher claims that a flaw in Mac OS X 10.7 Lion could allow passwords to be changed without knowledge of the logged-in user's password.

The unnamed researcher, writing on the Defence In Depth blog, said that the redesign of Lion's authentication system had somehow given non-root users the ability to view password hash data.

Chester Wisniewski, writing on Sophos's Naked Security blog, said that the flaw appears to be related to Apple's move towards a local directory service in OS X 10.7 which has its permissions set in an insecure manner.

"An attacker who has access to a logged in Mac (locally, over VNC/RDC, SSH, etc) is able to change the currently logged in user's password without knowing the existing password as would normally be required. Historically (in Snow Leopard) you would have needed to enter your existing password first to verify that you in fact are the account holder," he wrote. "Not only can a logged in user change their password without knowledge of the existing password, but you can read any other user's password hash and make attempts at brute forcing it. This is particularly dangerous if you are using Apple's new FileVault 2 disk encryption. If your Mac were left unlocked and someone changed your password you would no longer be able to boot your computer and potentially would lose access to all of your data."

Wisniewski said he was unable to replicate findings from Cnet that the flaw would also allow someone to change other users' passwords. Hopefully the report will spur Apple to release a fix soon, after the company was criticised for its tardy response to the DigiNotar breach.
However, the flaw exists in beta versions of Mac OS X 10.7.2, Wisniewski said.

He recommends using a secure password to prevent brute-force attacks against your account using stolen hashes; enabling the screensaver and setting it to prompt you for your password; and disabling automatic login and using a 'Hot Corner' or the Keychain lock to lock your screen.