
Can someone explain why resetting the clock will give sudo access without requesting a password?



When you run sudo, a timestamp file is generated that sudo will then check on subsequent runs of the command allowing the user to continue to run privileged commands without having to type their password every time for a given amount of time (typically 5 minutes). Running `sudo -K` removes the timestamp file to force the user to re-enter their password on the next run of the command, but starting with version 1.6, `sudo -k`, which was an alias for `sudo -K` (I think), was changed to reset the timestamp file to the epoch (January 1st, 1970, 01:00).

This vulnerability allows a user who already has sudo ability to keep running, without a password and forever, any command they already have privilege to run under the given system's sudo configuration, because resetting the system clock to the epoch tricks sudo into thinking that sudo has just always been authenticated to run without a password.

This vulnerability does not allow users who do not already have any sudo privileges to obtain them, nor does it give users with sudo privileges the ability to run any command with sudo if they are restricted to certain commands.


This is a very old bug on UNIX-like systems. I'm surprised it's still around on OS X (and surprised that this is news).

IIRC, it's because sudo -k checks whether the current time > time_at_which_you_entered_password + ttl[0]

By resetting this clock, you make the current time before this cutoff, therefore fooling the computer into thinking you don't need to enter a password.

[0] i.e., how long it takes for your password to "expire" before requiring you to enter it again.
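The check both answers describe, as an added Python model (not sudo's own code and not posted by anyone in the thread): the legacy wall-clock comparison beside a hardened version that refuses the epoch sentinel and any timestamp dated in the future. The 300 s TTL mirrors the 5-minute default mentioned above; all timestamp values are constructed.

```python
# Added model of the sudo timestamp check discussed above; not sudo's own code.
# Constructed values: TTL mirrors the default 5-minute timeout named in the thread.
TTL = 300.0        # seconds a cached authentication stays valid
EPOCH = 0.0        # what the post-1.6 `sudo -k` writes as the timestamp's mtime

def legacy_check(stamp_mtime: float, now: float, ttl: float = TTL) -> bool:
    """The comparison the thread describes: valid while now <= stamp + ttl.
    Moving the wall clock backwards shrinks `now` and revives the credential."""
    return now <= stamp_mtime + ttl

def hardened_check(stamp_mtime: float, now: float, ttl: float = TTL) -> bool:
    """Same policy plus two sanity checks on the wall clock:
    - the epoch sentinel is never a live credential, and
    - a timestamp from the future means the clock was moved; treat it as stale.
    A stronger fix is to stamp with a monotonic clock, which wall-clock changes
    cannot move; that is not modelled with the plain floats used here."""
    if stamp_mtime <= EPOCH:
        return False
    if stamp_mtime > now:
        return False
    return now - stamp_mtime <= ttl

def scenarios() -> dict:
    """Run both checks over constructed (stamp_mtime, now) pairs and return
    {name: (legacy_result, hardened_result)}."""
    cases = {
        "within_ttl":         (1000.0, 1100.0),          # authenticated 100 s ago
        "expired":            (1000.0, 1400.0),          # authenticated 400 s ago
        "after_sudo_k":       (EPOCH, 1_700_000_000.0),  # `sudo -k`, clock sane
        "clock_set_to_epoch": (EPOCH, 100.0),            # `sudo -k`, then clock reset to 1970
        "clock_moved_back":   (1000.0, 900.0),           # clock set to before the stamp
    }
    return {name: (legacy_check(s, n), hardened_check(s, n))
            for name, (s, n) in cases.items()}

if __name__ == "__main__":
    for name, (legacy, hardened) in scenarios().items():
        print(f"{name:20s} legacy={legacy!s:5s} hardened={hardened}")
```

Only the two clock-manipulation rows differ between the columns: the legacy check accepts them, the hardened one does not.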



