Month-old Mac OS X Lion bug lets users bypass LDAP sans password

The vulnerability shows the sort of security scrutiny Apple must face as it gains enterprise traction

A bug in Mac OS X 10.7 Lion lets users authenticate sessions via LDAP without having to enter a correct password, so long as they key in a valid username. Apple is aware of the bug, which was initially reported as early as July 25, but there's no sign of when a fix will be forthcoming.

The development once again points to the level of security scrutiny Apple faces as the company gains traction in business. For years, Apple has garnered a reputation for having more secure platforms than rivals such as Microsoft, but Mac's rise from relative obscurity has made it a juicier target for cyber criminals.

Users are able to bypass authentication sans password via Lion's GUI as well as via an SSH server. Defenders of Apple may point out that Lion does not use LDAP by default, so the problem doesn't affect any and all users. Still, the authentication protocol is widely used in the business world, and this sort of vulnerability represents a potential threat.

In a discussion thread on the Apple Support Communities, one user noted that he attempted to resolve the problem by removing and re-adding the LDAP server. "The strange behavior that no password is needed was fixed, but now no LDAP user can by authenticated by password," wrote user JKasten83.

Until Apple comes up with a fix, the only remedy is to deactivate LDAP authentication for critical services, according to H-Online.

This story, "Month-old Mac OS X Lion bug lets users bypass LDAP sans password," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow InfoWorld.com on Twitter.

From CIO: 8 Free Online Courses to Grow Your Tech Skills
Join the discussion
Be the first to comment on this article. Our Commenting Policies