Security specialist Patrick Dunstan reports that Mac OS X 10.7 "Lion" allows standard, non-root users to read other users' password hashes. Under Mac OS X, users' password hashes are stored in shadow files that normally only the root user can access.
According to Dunstan, Apple changed the authentication procedure in Lion and thereby introduced a flaw that lets non-root users retrieve the password hashes from the shadow files via the directory services.

With a hash in hand, an attacker can recover the original password by an automated brute-force attack, although, depending on the password's complexity, this may take a considerable amount of time. Because the passwords are salted before they are hashed, a precomputed rainbow table cannot simply be reused across users, so rainbow-table attacks are also very time-consuming.

The link for this article located at H Security is no longer available.