Skip to main content

Bug in Mac OS X 10.7.3 exposes passwords in plain text

Security researcher David Emery (via ZDNET) claimed to have discovered a bug in Mac OS X 10.7.3 that stores login passwords in plain text. In a recent newsletter, he claimed someone—we are guessing an Apple programmer— mistakenly “turned on a debug switch (DEBUGLOG)” that stores the passwords in a system-wide debug log file. Emery explained folders encrypted with Apple’s “legacy” Filevault prior to upgrading to Lion are at risk:

…anyone who can read files accessible to group admin can discover the login passwords of any users of legacy (pre LION) Filevault home directories who have logged in since the upgrade to 10.7.3 in early February 2012… This is worse than it seems, since the log in question can also be read by booting the machine into firewire disk mode and reading it by opening the drive as a disk or by booting the new-with-LION recovery partition and using the available superuser shell to mount the main file system partition and read the file. This would allow someone to break into encrypted partitions on machines they did not have any idea of any login passwords for.

It would also allow them to access any content those usernames and passwords are meant to protect. Fortunately, the file with stored passwords is only kept for “several weeks” by default. However, it extends to Time Machine backups, because the log file is also backed-up in plain text. Emery said the best method to protect yourself until Apple fixes the issue is to simply use FileVault 2:

One can partially protect oneself against the firewire disk and recovery partition attacks by using Filevault 2 (whole disk encryption) which then requires one know at least one user login password before one can access files on the main partition of the disk… And one can provide further weaker protection by setting a firmware password which must be supplied before one can boot the recovery partition, external media, or enter firewire disk mode –  though there is a standard technique for turning that off known to Apple field support (“genius bar”) persons.

We expect Apple will get around to fixing this bug quickly as it picks up more press, but as ZDNET pointed out, the bug was raised in the Apple Support Communities three months ago with no replies. We will keep you updated when Apple responds.

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Jordan Kahn Jordan Kahn

Jordan writes about all things Apple as Senior Editor of 9to5Mac, & contributes to 9to5Google, 9to5Toys, & Electrek.co. He also co-authors 9to5Mac’s Logic Pros series.


Manage push notifications

notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications
notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications