The user password on an OS X Lion system is an important bit of information. It is required not only to log in, but also to make changes to important system settings, so any attack against it is a concern.
Patrick Dunstan of the blog Defence in Depth has discovered an exploit that uses a command-line program to retrieve password hashes and, more importantly, change account passwords without any form of authentication. Type in the proper command and a prompt for changing an account's user password appears.
Such an attack has severe implications, as it would both give an attacker full access to the user account and lock out the legitimate user. The good news is that accessing this command-line program generally requires physical access to the computer, although it's conceivable that an attacker with remote access could pull off this trick as well.
Apple has not yet responded, which isn't surprising, as Defence in Depth only posted this exploit on September 18th; there has been little time for Cupertino to react with a patch. In the meantime, users should be careful to limit physical access to their computers and keep their web browsing on the straight and narrow. Installing a third-party firewall to block unwanted remote access is another option.