Aussie Researcher Cracks OS X Lion Passwords
daria42 writes "Thought your Mac was secure running Apple's latest operating system? Think again. Turns out that in some respects Lion is actually less secure than previous versions of Mac OS X, due to some permission-tweaking by Apple that has opened up a way for an attacker to crack your password on your Lion box. The flaw was discovered by an Australian researcher who has previously published a guide to cracking Mac OS X passwords. Sounds like Apple had better get a patch out for this."
Not really cracking the passwords. (Score:4, Informative)
Here's the full details. (Score:5, Informative)
Not good, but not a panic situation (Score:4, Informative)
So looking at it, basically what it comes down to is you can effectively get at the shadow file as any user. That does indeed mean you can get the hashes to attempt to crack passwords. This isn't a good situation, and isn't how it should be. On any UNIX you should have to be root to get at the shadow file; on Windows you must be an administrator (and running elevated, if UAC is on) to get at the SAM file.
However, do note that it is just a set of hashes. So you still have to crack the password. So long as the passwords are good, this really doesn't get you anywhere. If you've ever messed with this you find that things quickly get impossible so long as passwords are reasonably long. As such, if you have good passwords, this isn't a huge problem.
That said, I think we'll want to send out a warning to our Mac types today since they seem to think Macs make them immune to security issues and as such are prone to bad passwords. Perhaps this can help convince them to adopt better password standards since, really, that is one of the big keys to good security these days.
Re:Not really cracking the passwords. (Score:4, Informative)
For this to work, a particular Java app must be installed and run on a website which is run on the Mac OS X computer.
No, that's just one attack vector suggested in the article to illustrate how this could be abused.
This is all possible, but basically FUD
ANY application which runs with a regular user permission CAN access the hashes for ALL the user passwords on the system.
That's not FUD. Also, the method described is not just possible, that's exactly how many infections occur these days.
Re:Not good, but not a panic situation (Score:4, Informative)
Does sound kind of serious, maybe (Score:4, Informative)
Here is a bit from TFA-
"This means, according to the researcher, that it might be possible for an attacker to crack a user’s Lion password by attacking their system through a Java app hosted online. The attack vector would still require the owner of the computer running Mac OS X to allow the Java app to run — but it is possible."
It's not exactly a 1-2-3 step action. Also, the article never said he actually cracked any passwords, though he claims-
"Dunstan noted that due, no doubt, to Lion’s relatively short time being available for use, he could not find any major cracking software supporting the ability to crack encrypted passwords in the operating system — but he has published a simple script which allows users to do so."
Little bit more backup would be a good thing, here.
Re:Here's the full details. (Score:5, Informative)
Even better is the researcher's own blog post [defenceindepth.net]
Re:Extremely Serious (Score:4, Informative)
According to the FTFA, you can only reset passwords for the currently logged in user. It doesn't say anything about resetting other users' passwords:
Still not good, but not nearly as bad as you suggest. Now, all that said, I don't have a Lion system on which to test resetting another user's password using dscl. I can only hope it doesn't work.