Security researcher David Emery recently noted in a post to the Cryptome mailing list that the latest version of Mac OS X Lion ships with a debug option enabled in FileVault, which causes users’ login passwords to be saved in plain text in a log file.
“Since the log file is accessible outside of the encrypted area, anyone with administrator or root access can grab the user credentials for an encrypted home directory tree,” notes ZDNet’s Emil Protalinski. “They can also access the files by connecting the drive via FireWire. Having done that, they can then not only read the encrypted files that are meant to be hidden from prying eyes, but they can also access anything else meant to be protected by that user name and password.”
“Additionally, vulnerable users who do not encrypt their Time Machine backups risk replicating this log file to their backups, which could mean long-term storage of their unencrypted password,” writes Sophos’ Chester Wisniewski.
“Emery said that users can partially protect themselves against the problem by upgrading to FileVault 2, which encrypts the entire disk drive and requires that a user know one password to access the encrypted partition,” writes Threatpost’s Dennis Fisher.
“Users should also set a firmware password which would be required on boot,” writes SC Magazine’s Darren Pauli. “Users who either upgrade to FileVault 2 or disable the legacy software should change their passwords to render invalid the passwords recorded in the logs.”
“Let’s hope Apple addresses this issue promptly with a security update that both closes the security hole from the debugging code, and also removes the log files that contain instances of user passwords,” writes CNET News’ Topher Kessler.