The CentOS images (both the old and the recently updated version) have a world-writable /etc/shadow file. This image was in fact built from scratch and was not online at any point. I can only account this towards a mis-configuration of some kind when I built the image.
If you’ve deployed CentOS, please perform this as root:
[code]chmod 400 /etc/shadow[/code]
This has been corrected in the currently available CentOS image.
I’ve also sent out emails to everyone who has a CentOS image deployed.
I’m pretty sure that if you’ve ever added a user or changed a password that the permissions are corrected automatically.