CNET’s MacFixIt blogger Topher Kessler reports a serious security goof on Apple’s part — a trivial hack by any user could allow them to change another user’s password, including the system admin’s. A patch for this vulnerability has not been released (as of this writing).
According to Kessler:
In addition to being able to extract the password hashes for a user, any user can also directly change another user’s password, including those of system admins, merely by supplying the following command in the Terminal (substituting USERNAME for the short name of the target account):
dscl localhost -passwd /Search/Users/USERNAME
When run, this command will appear to give an error, but if you enter the same new password at all prompts then the target account’s password will be changed. This is particularly notable, because once an admin’s password is changed, the hacker can log in as that admin account and have full access to the system.
Until a patch is released, Kessler recommends some steps to better secure your systems including disabling automatic login, enabling screensaver and sleep passwords, disabling Guest accounts, and setting up managed accounts rather than setting up user accounts with administrative privileges. For more details on the problem and some of the restrictions, see Kessler’s full report.
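The following audit script is an added example, not part of the CNET/MacFixIt report and not code from Kessler or Apple. It checks the interim mitigations listed above (automatic login, screensaver password, Guest account, which accounts hold admin rights) on a Mac of that era. The preference domains and keys it reads (`autoLoginUser` and `GuestEnabled` in `/Library/Preferences/com.apple.loginwindow`, `askForPassword` in `com.apple.screensaver`, and the `GroupMembership` line from `dscl . -read /Groups/admin`) are the ones I believe those settings used at the time and are an assumption here; the decision logic is separated from the live reads so it can be exercised with constructed values on any POSIX shell.

```shell
#!/bin/sh
# Added hardening audit for the mitigations in Kessler's report (example code,
# not from the original article). Preference keys below are an assumption
# about the loginwindow/screensaver settings of that macOS generation.

# --- decision logic: each check_* takes the raw setting value as $1 ---------

check_autologin() {
  # autoLoginUser is absent ("") when automatic login is off.
  if [ -z "$1" ]; then echo "ok:   automatic login disabled"; return 0; fi
  echo "warn: automatic login enabled for account '$1'"; return 1
}

check_screensaver_password() {
  # askForPassword = 1 means a password is required to leave the screensaver.
  if [ "$1" = "1" ]; then echo "ok:   screensaver requires password"; return 0; fi
  echo "warn: screensaver does not require a password"; return 1
}

check_guest() {
  # GuestEnabled = 1 means the Guest account can log in.
  if [ "$1" = "1" ]; then echo "warn: Guest account enabled"; return 1; fi
  echo "ok:   Guest account disabled"; return 0
}

admin_users() {
  # $1: a "GroupMembership: root alice bob" line as printed by dscl.
  # Prints the admin members other than root, space separated.
  printf '%s\n' "$1" | sed 's/^GroupMembership://' | tr ' ' '\n' \
    | grep -v '^$' | grep -vx root | tr '\n' ' ' | sed 's/ $//'
}

check_admins() {
  # $1: the GroupMembership line. Each non-root admin is an account whose
  # password, if changed via the dscl bug, hands over the whole machine.
  users=$(admin_users "$1")
  if [ -z "$users" ]; then echo "ok:   no non-root admin accounts"; return 0; fi
  echo "warn: admin accounts present (consider managed/standard accounts): $users"
  return 1
}

# --- live collection: empty output when the tool or key is missing ----------

read_setting() {
  # $1 = defaults domain (or full plist path), $2 = key
  command -v defaults >/dev/null 2>&1 || return 0
  defaults read "$1" "$2" 2>/dev/null || true
}

read_admin_membership() {
  command -v dscl >/dev/null 2>&1 || return 0
  dscl . -read /Groups/admin GroupMembership 2>/dev/null || true
}

run_audit() {
  warnings=0
  check_autologin "$(read_setting /Library/Preferences/com.apple.loginwindow autoLoginUser)" \
    || warnings=$((warnings + 1))
  check_screensaver_password "$(read_setting com.apple.screensaver askForPassword)" \
    || warnings=$((warnings + 1))
  check_guest "$(read_setting /Library/Preferences/com.apple.loginwindow GuestEnabled)" \
    || warnings=$((warnings + 1))
  check_admins "$(read_admin_membership)" || warnings=$((warnings + 1))
  echo "audit complete: $warnings warning(s)"
  return 0
}

# Only run the live audit where the macOS tools exist.
if command -v defaults >/dev/null 2>&1; then run_audit; fi
```

Run it as the user whose screensaver setting you want checked (that key is per-user); the loginwindow keys and the admin group are system wide. A warning on the admin check is not a defect by itself, but each listed account is one whose compromise via the password-change bug gives full access, so the fewer there are, the smaller the exposure until the patch lands.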