<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-4678115497130169362</id><updated>2011-07-07T15:48:07.765-07:00</updated><title type='text'>Orestes Melgarejo</title><subtitle type='html'></subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://orestesm.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4678115497130169362/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://orestesm.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Orestes</name><uri>http://www.blogger.com/profile/13285144182851574837</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>1</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-4678115497130169362.post-2556197118159526346</id><published>2009-10-31T15:55:00.000-07:00</published><updated>2009-10-31T16:13:33.765-07:00</updated><title type='text'>Serious Security Vulnerability in Mac OS X?</title><content type='html'>My 14-year-old son pointed this one out and I was shocked when I saw him do this on the Mac.
We both have user accounts on the same machine (both with admin privileges), which is a MacBook Pro running version 10.5.8 with all the latest updates. With my account logged in, I shut the lid and put the Mac to sleep.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;He then said, "Dad, let me show you something". He opened the lid and it showed the login screen with my name and an empty password field. On that same login dialog box he changed the user name to his name and entered his password. The expected result here should be that it should log him into his account, right? The actual result is that the Mac lets him unlock the screen using his password and actually use my account as if it was me who had entered my own password!&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;This is obviously a huge security flaw. A user of a machine can access another user's account on the same machine and have full control over applications and files and impersonate that user any time.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Has anyone else seen this? I am amazed that Apple has not come across this before and has not fixed this. Can anyone else verify that they can do this on their Mac?
Does anyone know whether this was fixed in Snow Leopard?&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://orestesm.blogspot.com/feeds/2556197118159526346/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://orestesm.blogspot.com/2009/10/serious-security-vulnerability-in-mac.html#comment-form' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4678115497130169362/posts/default/2556197118159526346'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4678115497130169362/posts/default/2556197118159526346'/><link rel='alternate' type='text/html' href='http://orestesm.blogspot.com/2009/10/serious-security-vulnerability-in-mac.html' title='Serious Security Vulnerability in Mac OS X?'/><author><name>Orestes</name><uri>http://www.blogger.com/profile/13285144182851574837</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry></feed>
