May 4, 2024

Lion Passwords Can Be Changed By Any Local User

Posted September 20, 2011 at 2:13am by iClarified · 9472 views
Defence in Depth has discovered a security risk in Mac OS X Lion that lets local users change the password of any account, reports CNET.

The site explains that OS X user passwords are encrypted and stored in "shadow files", which are placed in secure locations on your hard drive. Security permissions only allow the owner and administrators to access these files.

Unfortunately, recent discoveries have shown that in OS X Lion this security structure is not intact, and any user on the system can modify the passwords of other local accounts quite easily. The problem appears to stem from a permissions oversight that allows all users search access to the system's directory services.

Recommended Steps Until Apple Releases Fix:
1. Disable automatic log-in
2. Enable sleep and screensaver passwords
3. Disable Guest accounts
4. Parental Controls
5. Manage users on the system

Read More [via CNET] [via