OSX 10.4 bug 3

This isn't really a bug as much as a security issue.

If you startup the Apple NetInfo manager, you can create information for networks, users, etc..

There's a new button, but it's not always immediately clear whether this will create a new field for the item you've selected, or a new type of item.

(That's fine - that's not the troublesome part)

Problem is, if you're trying to add a new field to a users netinfo, it's really easy to create a new user instead. And the default for any new object you create in Netinfo is 'new_directory'.

Furthermore, if you're not paying close attention, it's easy to miss that a new user was created instead of what you wanted, and it's also easy to forget or not delete that new user.

Out of curiousity, I wondered if the empty defaults for a user would be enough to login, and sure enough, an attempted login of user 'new_directory' allowed me to get on the machine with no password.

So, my thinking is this. There have to be some non-zero number of Macs out there that have created a new user by mistake and didn't notice or didn't delete. It wouldn't be hard to write a script that would search the net for OSX machines and then try to login as 'new_directory.'

But don't do that, of course. That'd be breaking the law. :)