Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Did my cat just discover a MAJOR OSX security bug? (ability to reset passwords....)

N

NOLF1

macrumors member
Original poster
Sep 5, 2009
39
10
This is a serious post. I am asking people to see if they can duplicate this.

I think my cat may have just discovered a major Snow Leopard security bug.

My cat has a tendancy to get up on my desk and walk around on my key board. So in order to prevent him from messing anything up I logged out of my account on snow leopard, and left the mac sitting at the logon screen.

My mac is configured to prompt for a user name and password at every login.

So my cat was standing on my keyboard while the mac was sitting on the login screen. He was just sitting on random keys for a few minutes.

So I hit ENTER (which would normally clear a bogus password). Guess what it did instead? I got a message saying "Your password is too long" and a prompt to MAKE A NEW PASSWORD letting me create a new one!

I have been able to duplicate this consistently the past 20 minutes.

Can anyone else duplicate this? To duplicate this - Configure your snow leopard install to ask for a password and user name to login. Then log out and you should have the screen with your user name and a blank password field.

HOLD DOWN any letter key on your keyboard. The letter "A" for example. HOLD IT DOWN FOR 3-5 MINUTES. Then press enter on the keyboard. Instead of the password field clearing its self you get a screen saying your password is too long letting you make a new password for the account!

This means anyone can create a new password and login to a Mac simply by holding down a key for a few minutes.

I am doing this on an Imac Core 2 Duo system with snow leopard. I do not have any other macs to test if this happens on OS 10.5 or earlier.
 
If I'm following this right...

1. Your system is configured to require both the username AND password be typed in.
2. You saw a password too long error.

#1 and #2 combined suggests your cat correctly guessed your username and walked or sat on the appropriate keys for your entire username in the correct order including the Enter key before getting to the password field...?

Incidentally, with a typical setup, anyone can reset a password when at a Mac without knowing the administrator's password by booting off the DVD or booting into single user mode to change a password for any user.
 
electroshock said:
If I'm following this right...

1. Your system is configured to require both the username AND password be typed in.
2. You saw a password too long error.

#1 and #2 combined suggests your cat correctly guessed your username and walked or sat on the appropriate keys for your entire username in the correct order including the Enter key before getting to the password field...?

Incidentally, with a typical setup, anyone can reset a password when at a Mac without knowing the administrator's password by booting off the DVD or booting into single user mode to change a password for any user.
Click to expand...

There is no way he correctly guessed it. It is over 20 characters long.

Literally try this. Hold down a letter on the keyboard for 3-5 minutes on the login screen just filling the password box with that letter during that time. You will get a screen asking you to change the password.
 
Okay so it shows you a 'change your password screen'. Have you tried changing it to a new password? Does it actually change it? I think it wouldn't be a security bug unless you can actually change it. Showing that screen and then a 'access denied' or something is plausible and still safe.
 
electroshock said:
If I'm following this right...

1. Your system is configured to require both the username AND password be typed in.
2. You saw a password too long error.

#1 and #2 combined suggests your cat correctly guessed your username and walked or sat on the appropriate keys for your entire username in the correct order including the Enter key before getting to the password field...?

Incidentally, with a typical setup, anyone can reset a password when at a Mac without knowing the administrator's password by booting off the DVD or booting into single user mode to change a password for any user.
Click to expand...

No, that is not the problem. The problem is that a very long incorrect password, will cause the reset password screen to be displayed and it will only ask for a new password, without prompting for the current one. I was able to reproduce this so the bug definitely does exist. However I wasn't able to get password changed using the screen that appeared, so I'm not sure that it is an actual security threat (a question to the OP: did you try changing your password using the change password fields that appeared and if so did it work? I was unable to get the change password screen to do anything, the login screen just reset after trying to use it a few times).
 
Also, even if this works - physical access = compromised machine with very few exceptions. It's a simple matter to remove drives and access data. Obviously, OSX file permissions makes it more difficult than on a M$ machine. Only file vault and perhaps PGP can render secure data storage.
 
brkirch said:
No, that is not the problem. The problem is that a very long incorrect password, will cause the reset password screen to be displayed and it will only ask for a new password, without prompting for the current one. I was able to reproduce this so the bug definitely does exist. However I wasn't able to get password changed using the screen that appeared, so I'm not sure that it is an actual security threat (a question to the OP: did you try changing your password using the change password fields that appeared and if so did it work? I was unable to get the change password screen to do anything, the login screen just reset after trying to use it a few times).
Click to expand...

Yes I was able to change it.
 
kufford said:
Also, even if this works - physical access = compromised machine with very few exceptions. It's a simple matter to remove drives and access data. Obviously, OSX file permissions makes it more difficult than on a M$ machine. Only file vault and perhaps PGP can render secure data storage.
Click to expand...

Still a bug like this should not exist. No point in even having the log on password option then.
 
NOLF1 said:
Yes I was able to change it.
Click to expand...

Are you sure?

I just tested this on my Snow Leopard uMBP and it took me to the change password screen, I entered a new one and hit login, it paused for a moment, reset, then went back to the standard login screen. The password which I had just entered did not work - only my original one.

This was with my login screen set to user list, not name and password fields.

Odd that this happens though.
 
kufford said:
Also, even if this works - physical access = compromised machine with very few exceptions. It's a simple matter to remove drives and access data. Obviously, OSX file permissions makes it more difficult than on a M$ machine. Only file vault and perhaps PGP can render secure data storage.
Click to expand...

yetanotherdave said:
http://discussions.apple.com/thread.jspa?threadID=900924&tstart=0

If true, this dates back to Tiger, over 2 years ago.
Click to expand...

Interesting. That post you linked to was a similar situation happening with the screen saver password.

That suggests this bug could exist in other places around the OS that require a password as well......
 
Just some pictures for people who aren't sure what we are talking about (or to see if I'm getting something different to other people.

As I said before, it shows the normal login screen then took me to the change password screen, I entered a new one and hit login, it paused for a moment, reset, then went back to the standard login screen.
 

Attachments

  • DSC08090.JPG
    DSC08090.JPG
    1 MB · Views: 103
  • DSC08091.JPG
    DSC08091.JPG
    849.5 KB · Views: 104
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back