OS X Lion Exposes Login Details of FileVault Users

Posted May 7, 2012 at 1:45pm by iClarified | Please help us and submit a translation by clicking here | 5941 views

With the latest Lion update Apple accidentally turned on a debug log file that exposes a user's password in plain text, reports ZDNET.

An Apple programmer, apparently by accident, left a debug flag in the most recent version of the Mac OS X operating system. In specific configurations, applying OS X Lion update 10.7.3 turns on a system-wide debug log file that contains the login passwords of every user who has logged in since the update was applied. The passwords are stored in clear text.

The security flaw only applies to users who used FileVault prior to upgrading to OS X Lion and did not switch to FileVault 2.

David Emery, the security researcher who made the discovery, says:

"This is worse than it seems, since the log in question can also be read by booting the machine into firewire disk mode and reading it by opening the drive as a disk or by booting the new-with-LION recovery partition and using the available superuser shell to mount the main file system partition and read the file. This would allow someone to break into encrypted partitions on machines they did not have any idea of any login passwords for. "

Mac OS X version 10.7.3 was released on February 1, 2012 and the flaw was reported shortly after on Apple's Support Communities; however, it hasn't been fixed yet. ZDNET has also contacted Apple directly requesting an update.

Read More


Share
Add Comment
Follow iClarified
How to Enable Dark Mode in OS X 10.10 Yosemite
Instructions on how to enable Dark Mode in Ma...
Apple Announces World AIDS Day 2014 Campaign for (RED)
Apple has announced its largest-ever World AI...
Apple Updates GarageBand With Limited Time (GarageBand)RED Loop Pack
Apple has updated GarageBand with a limited t...
Evernote Updates Penultimate Following User Complaints
Evernote has updated its Penultimate app to a...
MythBusters Explain Gorilla Glass and Demonstrate Its Strength [Video]
Adam Savage and Jamie Hyneman of MythBusters ...