He then said, "Dad, let me show you something." He opened the lid and it showed the login screen with my name and an empty password field. On that same login dialog box he changed the user name to his name and entered his password. The expected result here should be that it logs him into his account, right? The actual result is that the Mac lets him unlock the screen using his password and actually use my account as if it was me who had entered my own password!
This is obviously a huge security flaw. A user of a machine can access another user's account on the same machine and have full control over applications and files and impersonate that user any time.
Has anyone else seen this? I am amazed that Apple has not come across this before and has not fixed this. Can anyone else verify that they can do this on their Mac? Does anyone know whether this was fixed in Snow Leopard?