Password Change Issue Affects Mac OS X

Posted on September 19th, 2011 by

A Mac OS X bug has surfaced whereby any local user can change that user's password using a simple Terminal command. This means that anyone who obtains physical or remote (such as via ssh) access to a Mac, and who knows this command - not something that your average user will know - can change the password for the current account, then log into it later and access their files, or, if it is an administrator's account, make changes to the system and access other files.

Until this is fixed, it's a good idea to take a number of precautions, especially if you leave your Mac accessible to others. First, disable automatic login. As we wrote in a recent Mac security tip, this means that you need to enter a password to access your Mac when you start it up. Next, make sure you use a different password for your keychain, so if someone does access your account, they still can't get at your passwords. Finally, in the General tab of the Security & Privacy preferences, check Require password immediately after sleep or screen saver begins. This means that you'll need to enter your password more often, but it's a lot safer. If you put your Mac to sleep when you leave it, then no one will be able to access it without your password.

Full protection can be obtained by running the following the following command in Terminal:

sudo chmod 100 /usr/bin/dscl

This limits access to the dscl command to all users other than root.

Apple will undoubtedly issue a security update to fix the bug quickly. In the meantime, the above tips should help you protect your Mac and your files.

  • Maurits Sanders

    I cannot confirm the bug to change OTHER user’s password on 10.7.1. 
    Ars Technica reports that this command can change a user’s OWN password (without asking for the old password). (which is a bug too, but less serious)

  • Jeffrey Goldberg

    My understanding (and testing) also supports what Mauritis has said. Any user can change their own password without being prompted for their current password.

    If that user is in sudoers (any admin user for example) an attacker can change the user’s password and then run sudo.  So a small trojan could quickly gain full administrator powers.

    What I find particularly striking is that this is the second really big problem with Directory Services in Lion. The first is the LDAP authentication issues.  Apple has dropped the ball on this.



  • Doctor Velvetear

    Does anyone actually test the command properly , it asks for the original password after the new password…..

Sign up For Our Newsletter

Get the latest Mac security news direct to your inbox.

{"url":"\/marketo\/json\/add-to-newsletter","data":"list_name=Blog Roadblock"}