
This looks both real and a pretty serious issue (I wonder how it went by almost a month without getting picked up by the security community). There's a discussion about it on Apple's own forums, linked below, but the gist of it is that users can authenticate over LDAP using any password using the login screen, and can't authenticate at all using su:

https://discussions.apple.com/message/15887083



Not many people in the security community use Mac servers in such a way that they need LDAP, and of those people, very few are running Lion on their servers.


I wasn't entirely clear from the link — Are Lion servers not being picky about passwords, or are Lion clients not being picky about LDAP authentication failing (hence not being able to mount the user's home folder)?

If the latter, the impact is bad, but not as bad (you'll be able to get access to the machine you're sitting at, but not to any server-side resources).


Wouldn't Mac clients need LDAP for authentication too?


Agreed that few are relying on Lion servers. But the security flaw is at the side of the Mac client, not the server. If you have Lion clients authenticating against OpenLDAP hosted on, say, a Linux server, then only the username is checked and any password is accepted. IMHO this is a serious security flaw that should be fixed as soon as possible by Apple.
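
The comment above describes the client looking the user up but never letting the directory verify the password. The following is an added example, not code from the thread or from Apple, showing that broken pattern beside what a correct client must do: a simple bind as the user's DN with the supplied password, with a bind failure treated as an authentication failure. It also handles a related trap a practitioner should know: LDAP servers treat a simple bind with a DN and an empty password as an "unauthenticated" bind that succeeds anonymously (RFC 4513, section 5.1.2), so an empty password must be rejected before it is sent. The directory, DNs and passwords are a constructed in-memory fake with the same success/failure contract as a real simple bind; no LDAP server is contacted.

```python
"""Added example: lookup-only 'authentication' versus a real simple bind.

FAKE_DIRECTORY, fake_simple_bind and fake_search_user are constructed stand-ins
for a directory server; the DNs and passwords are invented sample data.
"""
import hmac
from typing import Callable, Optional

# Constructed sample directory: DN -> password. Not real data.
FAKE_DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": "correct horse battery staple",
    "uid=bob,ou=people,dc=example,dc=com": "hunter2",
}


def fake_simple_bind(dn: str, password: str) -> bool:
    """Emulate an LDAP simple bind; True means the bind succeeded.

    Mirrors real servers in one important respect: an empty password is an
    'unauthenticated' bind, which succeeds (as anonymous) regardless of the DN.
    A client that equates 'bind succeeded' with 'password correct' is fooled.
    """
    if password == "":
        return True
    stored = FAKE_DIRECTORY.get(dn)
    return stored is not None and hmac.compare_digest(
        stored.encode("utf-8"), password.encode("utf-8")
    )


def fake_search_user(uid: str) -> Optional[str]:
    """Emulate the anonymous search a client uses to map a login name to a DN."""
    dn = f"uid={uid},ou=people,dc=example,dc=com"
    return dn if dn in FAKE_DIRECTORY else None


def login_lookup_only(
    uid: str,
    password: str,
    search: Callable[[str], Optional[str]] = fake_search_user,
) -> bool:
    """Broken: accept the login if the user exists. The password is never
    presented to the directory, so any value works. This is the failure mode
    the comment above describes for Lion clients."""
    return search(uid) is not None


def login_with_bind(
    uid: str,
    password: str,
    search: Callable[[str], Optional[str]] = fake_search_user,
    bind: Callable[[str, str], bool] = fake_simple_bind,
) -> bool:
    """Correct: the directory, not the client, decides whether the password
    is right, and an empty password never reaches the bind call."""
    if not password:
        return False
    dn = search(uid)
    if dn is None:
        return False
    return bind(dn, password)


if __name__ == "__main__":
    for uid, pw in [("alice", "wrong"), ("alice", ""), ("alice", "correct horse battery staple")]:
        print(f"{uid!r} / {pw!r}: lookup_only={login_lookup_only(uid, pw)} "
              f"bind={login_with_bind(uid, pw)}")
```

To answer the "which side is broken?" question from earlier in the thread against a real server, bind to it directly from any other host with a deliberately wrong password, for example `ldapwhoami -x -H ldap://server -D 'uid=alice,ou=people,dc=example,dc=com' -w wrongpassword` (server name and DN assumed here). A healthy server answers `ldap_bind: Invalid credentials (49)`; if it does and the Mac login screen still lets the user in, the server has done its job and the client is the one not checking the result.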


It wasn't your bug to find, it was Apple's, and they should have found it far sooner.


Who are you talking to? Me? Did you read the comment thread? I'm not sure who you're arguing with, or why you picked me for this reply.


Yeah, you're right, I misposted. Sorry.


Are you saying that the fact that this issue doesn't affect many people means that it's not a serious security problem?


He's saying that since the issue doesn't affect many people it didn't get found right away. It is a serious security problem for businesses that use Mac OS X with LDAP. However, it's not a serious security problem for me.


It's been known for just under a month, since five days after OS X Lion was released, so that interpretation of his statement seems incorrect.


In the interest of expedience, let me be blunt: very few security researchers give a shit about how OS X Server uses LDAP.

We're all pretty busy lately, too.

(-2. You guys are funny. In case it matters: I'm not being snarky. They really don't).


> This looks both real and a pretty serious issue (I wonder how it went by almost a month without getting picked up by the security community).

Followed by:

> Not many people in the security community use Mac servers in such a way that they need LDAP, and of those people, very few are running Lion on their servers.

Therefore, we see that Mr. Ptacek thinks "it went by almost a month without getting picked up by the security community" because "Not many people in the security community use Mac servers".



