A Mac OS X bug has surfaced whereby any local user can change the password of the account they are logged into with a simple Terminal command. This means that anyone who obtains physical or remote (such as via ssh) access to a Mac, and who knows this command – not something that your average user will know – can change the password for the current account, log into it later and access its files, or, if it is an administrator’s account, make changes to the system and access other files.
Until this is fixed, it’s a good idea to take a number of precautions, especially if you leave your Mac accessible to others. First, disable automatic login. As we wrote in a recent Mac security tip, this means that you need to enter a password to access your Mac when you start it up. Next, make sure you use a keychain password that differs from your login password, so if someone does access your account, they still can’t get at your stored passwords. Finally, in the General tab of the Security & Privacy preferences, check “Require password immediately after sleep or screen saver begins”. This means that you’ll need to enter your password more often, but it’s a lot safer. If you put your Mac to sleep when you leave it, then no one will be able to access it without your password.
Full protection can be obtained by running the following command in Terminal:
sudo chmod 100 /usr/bin/dscl
This sets the dscl command to be execute-only for its owner, root, so that no other user on the Mac can run it.
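The following script is an added example, not part of the original post, that audits the three precautions above and wraps the chmod mitigation so it can be applied and later reverted. It checks whether dscl is still executable by non-root users by reading the mode string from ls (portable between macOS and Linux), and on a Mac reads the automatic-login and screen-saver preference keys; those key names, and the assumption that the stock mode of /usr/bin/dscl is 0755, are my own and are not stated by the post.

```shell
#!/bin/sh
# Added example (not from the original post). Audits the mitigations for the
# dscl password bug: is /usr/bin/dscl still executable by non-root users, and
# (on a Mac) is automatic login off and does the screen saver require a
# password. The preference keys used below are assumptions, not from the post.

DSCL_PATH="${DSCL_PATH:-/usr/bin/dscl}"

# exec_status PATH -> prints "restricted" when only the owner keeps execute
# permission (the effect of chmod 100) and "open" when group or others can
# still run it. Parses the symbolic mode from ls -ld because that output is
# the same on macOS and Linux, whereas stat's flags differ between the two.
exec_status() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)   # e.g. -rwxr-xr-x
    [ -n "$mode" ] || return 2                        # path does not exist
    group_x=$(printf '%s' "$mode" | cut -c7)          # group execute: x, s or -
    other_x=$(printf '%s' "$mode" | cut -c10)         # other execute: x, t or -
    case "$group_x$other_x" in
        *[xst]*) echo open ;;
        *)       echo restricted ;;
    esac
}

# restrict_exec PATH -> the post's mitigation: mode 100, execute-only for the
# owner (root on a stock install). Run this script with sudo for the real binary.
restrict_exec() {
    chmod 100 "$1"
}

# restore_exec PATH -> undo the mitigation once Apple's update is installed.
# 0755 is assumed here to be the stock mode of /usr/bin/dscl.
restore_exec() {
    chmod 755 "$1"
}

# audit_login_prefs -> on a Mac, report the two login-related precautions.
# Relies on the `defaults` tool; the key names are assumptions. Skipped
# silently on systems without `defaults`.
audit_login_prefs() {
    command -v defaults >/dev/null 2>&1 || { echo "defaults not available, skipping login checks"; return 0; }
    if defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser >/dev/null 2>&1; then
        echo "automatic login: ENABLED (disable it)"
    else
        echo "automatic login: off"
    fi
    if [ "$(defaults read com.apple.screensaver askForPassword 2>/dev/null)" = "1" ]; then
        echo "password after sleep/screen saver: required"
    else
        echo "password after sleep/screen saver: NOT required"
    fi
}

# Report when run directly; the real binary only exists on a Mac.
if [ -e "$DSCL_PATH" ]; then
    echo "$DSCL_PATH: $(exec_status "$DSCL_PATH")"
fi
audit_login_prefs
```

Run it once before and once after `sudo chmod 100 /usr/bin/dscl` to confirm the binary flips from "open" to "restricted"; after installing the security update, `sudo sh -c '. ./audit.sh; restore_exec /usr/bin/dscl'` (or simply `sudo chmod 755 /usr/bin/dscl`) returns the stock permissions. Note that mode 100 also removes root's own read permission on the file, which does not stop root from running it.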
Apple will undoubtedly issue a security update to fix the bug quickly. In the meantime, the above tips should help you protect your Mac and your files.