OS X Lion login passwords in clear text {UPDATED}


Update May 15, 2012:

Apple released the OS X 10.7.4 update, which fixes this issue, on May 9. It is strongly recommended that you install this update as soon as possible if you are running OS X Lion. Note that the update only stops further logging: a password that was already written to the log (and to any backup that copied the log) cannot be un-exposed by a patch, so users who logged in to a legacy FileVault home under 10.7.3 should also change their passwords.


OS X Lion login passwords in clear text

This affects you if you are using "legacy" (older, pre-Lion) FileVault encryption of your home directory and have upgraded to Mac OS X 10.7.3.

Apparently someone turned on (or left on) a debug flag in the 10.7.3 update that enables a system-wide debug log, and that log records, in clear text, the login password of every user who has logged in since the update was applied. Because the log file lives outside the encrypted home directory, anyone who can read it (root or an admin user, or anyone with access to the disk or a backup of it) can recover the credentials that protect an encrypted home directory tree.

This flaw was originally discovered (or at least first published) by Dave Emery; you can read his post here: http://cryptome.org/2012/05/apple-filevault-hole.htm

At the time of the original post there was no fix for the bug, other than disabling legacy FileVault or migrating to FileVault 2. Apple knew about it but had not yet released anything (see the update above).

FileVault 2 (whole disk encryption) is not affected by this bug.
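As an added illustration (not code from the original post, from Dave Emery, or from Apple), here is a small audit script a Mac admin could run to answer the two practical questions above: is this machine in the affected configuration (10.7.3 with legacy FileVault; 10.7.4 and later, or FileVault 2, are not), and which user accounts already have a password sitting in the debug log, so that those passwords can be changed and the log entries removed. The log path, the `DEBUGLOG` marker and the `username = "..." / password = "..."` line layout are assumptions made for this example, and the sample log lines are constructed; adjust the pattern to whatever your own log actually contains. The report never prints the passwords themselves.

```python
"""Audit helper for the OS X Lion 10.7.3 legacy-FileVault password log.

Two checks:
  1. is_vulnerable(): is this OS version + FileVault mode exposed?
  2. find_exposed_credentials(): which users already have a clear-text
     password in the debug log (passwords are counted, never echoed).
"""
import re
import sys

FIRST_AFFECTED = (10, 7, 3)   # update that enabled the debug logging
FIXED = (10, 7, 4)            # update that removed it (released May 9, 2012)

# ASSUMED location of the system log that received the debug output.
DEFAULT_LOG_PATH = "/var/log/secure.log"

# ASSUMED line layout for this example; real entries may differ.
DEBUG_LINE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ (?P<proc>\S+?)\[\d+\]: .*DEBUGLOG.*'
    r'\busername\s*=\s*"(?P<user>[^"]*)".*\bpassword\s*=\s*"(?P<pw>[^"]*)"'
)

# Constructed sample log, used when no log file is given on the command line.
SAMPLE_LOG = [
    'May  6 02:17:15 lion-mbp authorizationhost[312]: DEBUGLOG | mounting legacy '
    'FileVault home | username = "alice", password = "correct horse battery"',
    'May  6 02:17:16 lion-mbp loginwindow[89]: Login Window Application Started',
    'May  7 09:02:44 lion-mbp authorizationhost[402]: DEBUGLOG | mounting legacy '
    'FileVault home | username = "bob", password = "hunter2"',
    'May  7 09:03:01 lion-mbp authorizationhost[402]: DEBUGLOG | mounting legacy '
    'FileVault home | username = "alice", password = "correct horse battery"',
]


def parse_version(text):
    """'10.7.3' -> (10, 7, 3); missing components are treated as 0."""
    nums = [int(p) for p in text.strip().split(".")[:3]]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_vulnerable(product_version, legacy_filevault_in_use):
    """Only 10.7.3 hosts with legacy FileVault homes are exposed.

    FileVault 2 (whole-disk encryption) is not affected, and 10.7.4 removed
    the logging, so everything outside [10.7.3, 10.7.4) is reported clean.
    """
    version = parse_version(product_version)
    return bool(legacy_filevault_in_use) and FIRST_AFFECTED <= version < FIXED


def find_exposed_credentials(lines):
    """Map each user whose password appears in the log to the timestamps
    of the exposing entries. The password value is deliberately dropped."""
    exposed = {}
    for line in lines:
        match = DEBUG_LINE.match(line)
        if match:
            exposed.setdefault(match.group("user"), []).append(match.group("ts"))
    return exposed


def redact(lines):
    """Return a copy of the log with every password value blanked, suitable
    for sharing with whoever has to follow up on the exposure."""
    return [re.sub(r'(password\s*=\s*)"[^"]*"', r'\1"[REDACTED]"', line)
            for line in lines]


def main(argv):
    if len(argv) > 1:
        with open(argv[1], errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG
    exposed = find_exposed_credentials(lines)
    if not exposed:
        print("no clear-text credential entries found")
        return 0
    for user, stamps in sorted(exposed.items()):
        print("%s: password logged %d time(s), first at %s" %
              (user, len(stamps), stamps[0]))
    print("change these passwords and remove the log (and its backups)")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see it work on the constructed sample; with a log path it reports real entries. The exit status is non-zero when any exposed account is found, so it can be dropped into a fleet audit.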

Source: Newsy (Greg Young)

See Also:

When will Apple patch the Lion flaw that stores passwords in clear text? (ZDNet article)

How to manage the FileVault password hole in OS X 10.7.3 (CNET article)

Apple update to OS X Lion exposes encryption passwords (Sophos article)

With the latest Lion security update, Mac OS X 10.7.3, Apple has accidentally turned on a debug log file outside of the encrypted area that stores the