It appears in the redesign of OS X Lion’s authentication scheme a critical step has been overlooked. Whilst non-root users are unable to access the shadow files directly, Lion actually provides non-root users the ability to still view password hash data. This is accomplished by extracting the data straight from Directory Services.

Cracking OS X Lion Passwords.

This is a must-read if you are at all interested in security. There are no fixes currently available. Presumably, Apple will patch this vulnerability in a forthcoming security update.

Posted by jark.
