Mac OS X Security Flaw Exposes Passwords in Plain Text

Security researcher David Emery recently noted in a post to the Cryptome mailing list that Mac OS X Lion 10.7.3 leaves a debug option enabled in the legacy, home-directory version of FileVault, which causes users’ login passwords to be written in plain text to a system log file.

“Tech-support forum mentions of the flaw date back to early February, just after the 10.7.3 update was pushed out by Apple’s servers,” notes SecurityNewsDaily’s Paul Wagenseil.

“Since the log file is accessible outside of the encrypted area, anyone with administrator or root access can grab the user credentials for an encrypted home directory tree,” notes ZDNet’s Emil Protalinski. “They can also access the files by connecting the drive via FireWire. Having done that, they can then not only read the encrypted files that are meant to be hidden from prying eyes, but they can also access anything else meant to be protected by that user name and password.”

“Additionally, vulnerable users who do not encrypt their Time Machine backups risk replicating this log file to their backups, which could mean long-term storage of their unencrypted password,” writes Sophos’ Chester Wisniewski.

“Emery said that users can partially protect themselves against the problem by upgrading to FileVault 2, which encrypts the entire disk drive and requires that a user know one password to access the encrypted partition,” writes Threatpost’s Dennis Fisher.

“Users should also set a firmware password which would be required on boot,” writes SC Magazine’s Darren Pauli. “Users who either upgrade to FileVault 2 or disable the legacy software should change their passwords to render invalid the passwords recorded in the logs.”
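The advice above only helps if an administrator knows which accounts actually had a password written to the log, on the machine and in any unencrypted backup copies of it. The following is an added example, not code from the page, from Emery’s post or from Apple: a small auditor that scans log text for the kind of debug entry the articles describe and reports the affected accounts so their passwords can be changed. The line layout (a DEBUGLOG entry naming a home-directory mounter with name, homeDirPath and pass fields), the process name and the sample log lines are all constructed assumptions for the example; the real entry format is not shown on this page. The script records only the length of each leaked password, never the secret itself.

```python
import re
from dataclasses import dataclass

# Assumed layout of the credential-bearing debug entry (hypothetical; the real
# secure.log line is not reproduced on the page). The password is matched
# non-greedily up to the literal ", attr = " so passwords containing commas
# or parentheses are still captured whole.
_LEAK_RE = re.compile(
    r"DEBUGLOG \| -\[HomeDirMounter [^\]]*\] \| .*?"
    r"PremountHomeDirectoryWithAuthentication\("
    r"name = (?P<user>[^,]+), homeDirPath = (?P<home>[^,]+), "
    r"pass = (?P<password>.*?), attr = "
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    user: str
    home: str
    password_length: int  # length only; the secret is never stored or printed


def find_credential_leaks(log_text: str) -> list[Finding]:
    """Return one Finding per log line that carries a plaintext password."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = _LEAK_RE.search(line)
        if m:
            findings.append(
                Finding(line_no, m["user"].strip(), m["home"].strip(),
                        len(m["password"]))
            )
    return findings


def users_to_rotate(findings: list[Finding]) -> list[str]:
    """Distinct accounts whose password was logged and must be changed."""
    return sorted({f.user for f in findings})


def scan_file(path: str) -> list[Finding]:
    """Scan one log file (or a backup copy of it) for leaked credentials."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_credential_leaks(fh.read())


# Constructed sample log lines for the example; not real secure.log output.
SAMPLE_LOG = """\
Apr 29 10:12:03 mac authorizationhost[221]: DEBUGLOG | -[HomeDirMounter mountNetworkHomeWithURL:attributes:dirPath:username:] | about to call PremountHomeDirectoryWithAuthentication(name = alice, homeDirPath = /Users/alice, pass = hunter2, attr = {...})
Apr 29 10:12:04 mac loginwindow[99]: USER_PROCESS: 45 console
Apr 29 10:14:51 mac authorizationhost[221]: DEBUGLOG | -[HomeDirMounter mountNetworkHomeWithURL:attributes:dirPath:username:] | about to call PremountHomeDirectoryWithAuthentication(name = bob, homeDirPath = /Users/bob, pass = p,ss)word, attr = {...})
Apr 29 10:15:00 mac authorizationhost[221]: DEBUGLOG | -[HomeDirMounter mountNetworkHomeWithURL:attributes:dirPath:username:] | about to call PremountHomeDirectoryWithAuthentication(name = alice, homeDirPath = /Users/alice, pass = hunter2, attr = {...})
"""

if __name__ == "__main__":
    hits = find_credential_leaks(SAMPLE_LOG)
    for f in hits:
        print(f"line {f.line_no}: user={f.user} home={f.home} "
              f"password_length={f.password_length}")
    print("accounts needing a password change:", users_to_rotate(hits))
```

Run it against the live log and against every rotated or backed-up copy, since deleting the entry from the current log does nothing for a copy that Time Machine has already stored; only changing the password makes the logged value worthless.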

“Let’s hope Apple addresses this issue promptly with a security update that both closes the security hole from the debugging code, and also removes the log files that contain instances of user passwords,” writes CNET News’ Topher Kessler.

Jeff Goldman
Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet contributor since 2009.
