When will Apple patch the Lion flaw that stores passwords in clear text?

Summary: An Apple developer enabled a debug log file in OS X 10.7.3 that stores user passwords in clear-text -- and a user posted the flaw on Apple's Support Communities over three months ago.


Lion flaw exposes user's passwords in clear text - Jason O'Grady

There's a major security bug in the currently shipping version of OS X Lion (10.7.3). ZDNET's own Emil Protalinski and Ed Bott exposed it after it was first reported by security researcher David Emery on the Cryptome mailing list.

Users of Apple's FileVault encryption who upgraded from Snow Leopard to OS X Lion update 10.7.3 (build 11D50) were apparently victimized by a piece of errant code that turned on a system-wide debug log file containing the login passwords of every user who has logged in since the update was applied -- stored in clear text.

The log file in question is accessible outside of the encrypted area, giving anyone with administrator or root access the user credentials for an entire encrypted partition. And it gets worse. Even if you're not an admin or root user, all it takes is physical access to the machine and the data's up for grabs. You can also access the log file via FireWire Disk Mode and then read the encrypted partition with the recovered password.


Protalinski writes:

Anyone who used FileVault encryption on their Mac prior to Lion, upgraded to Lion, but kept the folders encrypted using the legacy version of FileVault is vulnerable. FileVault 2 (whole disk encryption) is unaffected.

Sophos' Chester Wisniewski writes:

Vulnerable users who do not encrypt their Time Machine backups risk replicating this log file to their backups, which could mean long-term storage of their unencrypted password.

The worst part? The bug was also mentioned on the Apple Support Communities exactly three months ago and was never addressed.

If you're concerned about the bug you can contact: product-security@apple.com. The only fix as of now is to perform a full disk encryption using Apple's FileVault 2 and purge all backups of the vulnerable partition.

Apple: you're on the clock.

Update: Dave Emery explains that, if you have a legacy FileVault partition, it's trivial to test whether Apple fixed the flaw in OS X 10.7.4 build 11E53, which was released to Apple developers on May 1. Lion doesn't directly allow you to create a new FV1 partition in the GUI, although you can do so by hand.

If you have a FV1 partition and feel like testing it, here are the steps. Email me a screenshot of your results and I'll add them to this post.

  1. Install Snow Leopard on a spare hard drive and allow it to fully update from Apple.
  2. Using Snow Leopard, activate FileVault on a test account and choose some unique, unusual password for the account. This should create a legacy FileVault partition for that account and the associated sparsebundle file.
  3. Use the Lion installer to install 10.7.3 on the test hard drive, upgrading Snow Leopard to 10.7.3 and preserving the test user's legacy FileVault partition (you may be asked if you want to do this).
  4. Log in and out of the test account a few times.
  5. Then, using Terminal (i.e. a Unix shell), grep for the unusual password string in the files in /var/log (e.g. grep unusualpassword /var/log/*).
  6. You should find your unusual password string in one of the files there.
  7. Upgrade the 10.7.3 install to prerelease 10.7.4.
  8. Try the same thing again.
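The following script is an added example, not code from the article or from Dave Emery's steps. It does the check in step 5 with two small improvements a practitioner would want: the password is matched as a fixed string and fed to grep on stdin, so it is neither interpreted as a regex nor visible in `ps` output, and only the names of the offending files are reported, never the matching lines, so the password is not echoed back to the terminal. It also takes several directories at once, so an unencrypted Time Machine copy of the logs (the concern Chester Wisniewski raises above) can be scanned in the same run. The function names, the constructed log lines and the backup path are assumptions of this example; the real log directory is /var/log, as in step 5.

```shell
#!/bin/sh
# Added example (not the article's or Dave Emery's code): check whether a known
# test password has been written in plain text to any file under one or more
# directories, without printing the password or the matching lines.

# list_files_with_secret SECRET DIR...
# Prints the path of every file under DIR... that contains SECRET literally.
# The password goes to grep on stdin (-f -) instead of the command line, so it
# does not appear in `ps`; -F makes grep treat it as fixed text, so characters
# such as '$' or '.' in a password are not read as a pattern; -s silences
# "permission denied" noise for files the caller cannot read.
list_files_with_secret() {
    secret=$1
    shift
    printf '%s\n' "$secret" | grep -rlsF -f - -- "$@"
}

# count_files_with_secret SECRET DIR...
# Prints the number of files that contain the password (0 when clean).
count_files_with_secret() {
    list_files_with_secret "$@" | wc -l | tr -d ' '
}

# scan_for_cleartext_password SECRET DIR...
# Human-readable report. Returns 0 when no file contains the password and
# 1 when at least one does. Only file names are shown, never the log lines.
scan_for_cleartext_password() {
    secret=$1
    shift
    files=$(list_files_with_secret "$secret" "$@")
    if [ -z "$files" ]; then
        echo "clean: no file under $* contains the test password"
        return 0
    fi
    echo "WARNING: the test password is stored in plain text in:"
    printf '%s\n' "$files" | sed 's/^/  /'
    return 1
}

# Demo on a constructed directory tree so the example runs anywhere. The log
# lines are made up: they imitate a debug log that captured the password of a
# test account ("xyzzy-Unusual-42") and an unencrypted backup copy of that log.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/log" "$tmp/backup/log"
    printf 'May  3 09:12:01 mac loginwindow[71]: user test logged in\n' \
        > "$tmp/log/system.log"
    printf 'DEBUGLOG: authenticating user test with password xyzzy-Unusual-42\n' \
        > "$tmp/log/secure.log"
    cp "$tmp/log/secure.log" "$tmp/backup/log/secure.log"
    # On a real machine this would be, for example:
    #   scan_for_cleartext_password "$testpassword" /var/log /Volumes/<backup-volume>
    scan_for_cleartext_password 'xyzzy-Unusual-42' "$tmp/log" "$tmp/backup/log"
    rm -rf "$tmp"
}
demo
```

Run it once on /var/log and once on each backup volume; a non-zero exit from `scan_for_cleartext_password` is the signal that the partition (or the backup) still needs to be purged after moving to FileVault 2.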




  • If Apple will allow such bugs and will be slow to fix them, then it deserves all

    ... the beating from the likes of professional Microsofrians like Bott. Ed might have been spreading FUD against Apple for years, and it is a shame, but on some occasions like this one he was not "FUDing" and delivered the beating of Apple fairly.

    The more Apple gets beaten for this, the better they will try to work more accurately and faster. This is the whole point of existence of the free press.

    Jason O'Grady has a long history of uneasy character and behaviour issues when it comes to Apple, but when he beats the company fairly, then it is good, too.

    Good work, sirs.
    • Finally he gets it

      The Apple community does not do itself a favor when it gives Apple a pass for everything. We've been telling you this for years. Glad to see you finally got it. I hope this will lead to a new and improved DeRSSS.
      • I am trying to be as objective as possible

        And I always tried. For example, when discussing smartphones, I always mention speed characteristics. Particularly, integer calculation speeds were often significantly faster on competing devices rather than on Apple's, which was more about GPU.
  • Hehehe

    I do love the way that the update states it is "trivial" to check for this problem, but then involves OS installs, multiple upgrades, second HDDs, encryptions and Linux-style command line doohickery...

    Only kidding, good catch for those that saw this!
  • Clearly Apple is pandering to the bloggers of doom

    As in, giving them yards of room to rant and foam. Well done Apple.
  • I'm Not Clear On This

    Is this only when using legacy FileVault? I don't use FileVault, I don't use admin logins because I use a regular user account, and I password protected my firmware four years ago, so you can't boot from CD/DVD/USB/FireWire unless you know/guess my password.
  • Errr......

    You wonder [outside of techies] how many Apple users know of the latest Apple security screw-up.
    Then there will be the true fanbois and fangurls who will say that it is just propaganda from ______ (fill in the blank, but most likely either Microsoft, Google or Samsung).
  • The only fix

    "The only fix as of now is to perform a full disk encryption using Apple's FileVault 2 and purge all backups of the vulnerable partition."

    Can't you just encrypt the backup drive with FileVault 2?