Did my cat just discover a MAJOR OSX security bug? (ability to reset passwords....)

Discussion in 'macOS' started by NOLF1, Oct 3, 2009.

  1. NOLF1 macrumors member

    Joined:
    Sep 5, 2009
    #1
    This is a serious post. I am asking people to see if they can duplicate this.

    I think my cat may have just discovered a major Snow Leopard security bug.

    My cat has a tendancy to get up on my desk and walk around on my key board. So in order to prevent him from messing anything up I logged out of my account on snow leopard, and left the mac sitting at the logon screen.

    My mac is configured to prompt for a user name and password at every login.

    So my cat was standing on my keyboard while the mac was sitting on the login screen. He was just sitting on random keys for a few minutes.

    So I hit ENTER (which would normally clear a bogus password). Guess what it did instead? I got a message saying "Your password is too long" and a prompt to MAKE A NEW PASSWORD letting me create a new one!

    I have been able to duplicate this consistently the past 20 minutes.

    Can anyone else duplicate this? To duplicate this - Configure your snow leopard install to ask for a password and user name to login. Then log out and you should have the screen with your user name and a blank password field.

    HOLD DOWN any letter key on your keyboard. The letter "A" for example. HOLD IT DOWN FOR 3-5 MINUTES. Then press enter on the keyboard. Instead of the password field clearing its self you get a screen saying your password is too long letting you make a new password for the account!

    This means anyone can create a new password and login to a Mac simply by holding down a key for a few minutes.

    I am doing this on an Imac Core 2 Duo system with snow leopard. I do not have any other macs to test if this happens on OS 10.5 or earlier.
     
  2. electroshock macrumors 6502a

    electroshock

    Joined:
    Sep 7, 2009
    #2
    If I'm following this right...

    1. Your system is configured to require both the username AND password be typed in.
    2. You saw a password too long error.

    #1 and #2 combined suggests your cat correctly guessed your username and walked or sat on the appropriate keys for your entire username in the correct order including the Enter key before getting to the password field...?

    Incidentally, with a typical setup, anyone can reset a password when at a Mac without knowing the administrator's password by booting off the DVD or booting into single user mode to change a password for any user.
     
  3. NOLF1 thread starter macrumors member

    Joined:
    Sep 5, 2009
    #3
    There is no way he correctly guessed it. It is over 20 characters long.

    Literally try this. Hold down a letter on the keyboard for 3-5 minutes on the login screen just filling the password box with that letter during that time. You will get a screen asking you to change the password.
     
  4. NP3 macrumors regular

    Joined:
    Jul 12, 2003
    Location:
    Los Angeles
    #4
    Okay so it shows you a 'change your password screen'. Have you tried changing it to a new password? Does it actually change it? I think it wouldn't be a security bug unless you can actually change it. Showing that screen and then a 'access denied' or something is plausible and still safe.
     
  5. brkirch macrumors regular

    Joined:
    Oct 18, 2001
    #5
    No, that is not the problem. The problem is that a very long incorrect password, will cause the reset password screen to be displayed and it will only ask for a new password, without prompting for the current one. I was able to reproduce this so the bug definitely does exist. However I wasn't able to get password changed using the screen that appeared, so I'm not sure that it is an actual security threat (a question to the OP: did you try changing your password using the change password fields that appeared and if so did it work? I was unable to get the change password screen to do anything, the login screen just reset after trying to use it a few times).
     
  6. Nermal Moderator

    Nermal

    Staff Member

    Joined:
    Dec 7, 2002
    Location:
    New Zealand
    #6
    I too got the "change password" screen but was unable to actually change it.
     
  7. kmaute macrumors 6502

    kmaute

    Joined:
    Oct 5, 2008
    Location:
    USA
    #7
    Also, even if this works - physical access = compromised machine with very few exceptions. It's a simple matter to remove drives and access data. Obviously, OSX file permissions makes it more difficult than on a M$ machine. Only file vault and perhaps PGP can render secure data storage.
     
  8. NOLF1 thread starter macrumors member

    Joined:
    Sep 5, 2009
    #8
    Yes I was able to change it.
     
  9. NOLF1 thread starter macrumors member

    Joined:
    Sep 5, 2009
    #9
    Still a bug like this should not exist. No point in even having the log on password option then.
     
  10. mickbab macrumors 65816

    mickbab

    Joined:
    Sep 13, 2008
    Location:
    Sydney, Australia
    #10
    Are you sure?

    I just tested this on my Snow Leopard uMBP and it took me to the change password screen, I entered a new one and hit login, it paused for a moment, reset, then went back to the standard login screen. The password which I had just entered did not work - only my original one.

    This was with my login screen set to user list, not name and password fields.

    Odd that this happens though.
     
  11. NOLF1 thread starter macrumors member

    Joined:
    Sep 5, 2009
    #12
    Interesting. That post you linked to was a similar situation happening with the screen saver password.

    That suggests this bug could exist in other places around the OS that require a password as well......
     
  12. mickbab macrumors 65816

    mickbab

    Joined:
    Sep 13, 2008
    Location:
    Sydney, Australia
    #13
    Just some pictures for people who aren't sure what we are talking about (or to see if I'm getting something different to other people.

    As I said before, it shows the normal login screen then took me to the change password screen, I entered a new one and hit login, it paused for a moment, reset, then went back to the standard login screen.
     

    Attached Files:

Share This Page