OS X Lion security blunder exposes login passwords in plain text

By on May 7, 2012, 9:30 AM

Security researcher David Emery has exposed what he claims is a major security bug in the currently shipping version of OS X Lion (10.7.3): login passwords are being written to a plain-text log file. The flaw specifically affects users who enabled the original FileVault home-directory encryption under Snow Leopard, then upgraded to Lion without switching on FileVault 2's full-disk encryption.

According to Sophos' Naked Security blog, it appears that a debug option was accidentally left enabled in the most recent version of Mac OS X, 10.7.3. It turns on a system-wide debug log that records the login passwords, in clear text, of every affected user who has logged in since the update.

The log file containing the passwords lives outside the encrypted home directory, is kept for several weeks before it rotates out, and is readable by anyone with administrator rights. According to Emery, the data can also be reached without the user's credentials: by booting the machine into FireWire Target Disk Mode, which presents its drive to another computer as an external disk, or by opening the super-user shell from the recovery partition and mounting the main file system partition. Because the log sits on an unencrypted volume, a root shell or physical access to the disk is all that is needed; the home-directory encryption that legacy FileVault provides does not cover it.

Apparently, the bug was originally spotted by a user named "tarwinator" on the Apple Support Communities forums less than a week after the 10.7.3 update shipped on February 1, but nobody commented on it until this past weekend. Apple has yet to acknowledge the problem.

In the meantime, those still using the legacy FileVault are encouraged to enable full-disk encryption with Apple's FileVault 2, purge all backups of the vulnerable partition, and delete /var/log/secure.log, including any rotated copies of it that may remain in /var/log. It would also be a good idea to change your password, especially if you back up to external drives or cloud services where the log file could remain stored.
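The check and cleanup that the advice above amounts to, as an added shell example that is not from the article, Sophos or Apple: it scans a secure.log directory (the live log plus rotated copies) for the leaked entries, lists which accounts need a password change without printing the passwords themselves, and then truncates and removes the files. The "DEBUGLOG ... user=... password=..." line shape, the LEAK_PATTERN, and the sample log directory are assumptions constructed for illustration; the article does not quote the exact format of the real entries. On an affected machine you would run it as root and point the functions at /var/log instead of the sample directory.

```shell
#!/bin/sh
# Added example (not from the article, Sophos or Apple). Finds and purges
# password-disclosing entries in an OS X-style /var/log/secure.log and its
# rotated copies. The entry format below is an assumption for illustration.

# Pattern assumed for the leaked entries: a debug line carrying "password".
LEAK_PATTERN='DEBUGLOG.*password'

# Print the contents of one log file, transparently handling the compressed
# rotated copies newsyslog leaves behind (secure.log.0.bz2, .gz) as well as
# plain files.
read_log() {
  case "$1" in
    *.bz2) bzcat "$1" ;;
    *.gz)  zcat "$1" ;;
    *)     cat "$1" ;;
  esac
}

# List every file in a log directory that belongs to the secure.log set:
# the live log plus any rotated copy.
secure_log_files() {
  for f in "$1"/secure.log "$1"/secure.log.*; do
    [ -f "$f" ] && printf '%s\n' "$f"
  done
  return 0
}

# Count leaked-password entries across the live log and rotated copies.
# Prints the total; 0 means nothing was found.
count_leaks() {
  total=0
  for f in $(secure_log_files "$1"); do
    n=$(read_log "$f" | grep -c "$LEAK_PATTERN" || true)
    total=$((total + n))
  done
  echo "$total"
}

# Print the affected accounts (user names extracted from the leaked lines)
# so the operator knows whose passwords to rotate. The password itself is
# never echoed.
leaked_users() {
  for f in $(secure_log_files "$1"); do
    read_log "$f" | grep "$LEAK_PATTERN" | sed -n 's/.*user=\([^ ]*\).*/\1/p'
  done | sort -u
}

# Purge: truncate each file before unlinking so the plaintext is not merely
# unlinked. Caveat: on journaled HFS+ and on SSDs an in-place overwrite is
# no guarantee; the real fix is FileVault 2 plus a password change, as the
# article advises.
purge_secure_logs() {
  for f in $(secure_log_files "$1"); do
    : > "$f"
    rm -f "$f"
  done
  return 0
}

# Constructed sample standing in for /var/log. The lines are made up; the
# "DEBUGLOG ... user=... password=..." shape is assumed, not quoted from
# the real log.
make_sample_logdir() {
  d=$(mktemp -d)
  cat > "$d/secure.log" <<'EOF'
May  5 09:12:01 mac authorizationhost[312]: DEBUGLOG | HomeDirMounter | user=alice password=hunter2
May  5 09:12:02 mac loginwindow[78]: Login Window Application Started
May  6 18:40:11 mac authorizationhost[540]: DEBUGLOG | HomeDirMounter | user=bob password=correct-horse
EOF
  printf 'May  1 08:00:00 mac authorizationhost[301]: DEBUGLOG | HomeDirMounter | user=alice password=old-pw\n' \
    > "$d/secure.log.0"
  echo "$d"
}

# Stand-alone demonstration against the constructed sample.
demo() {
  d=$(make_sample_logdir)
  echo "leaked entries: $(count_leaks "$d")"
  echo "accounts to rotate: $(leaked_users "$d" | tr '\n' ' ')"
  purge_secure_logs "$d"
  echo "after purge: $(count_leaks "$d")"
  rm -rf "$d"
}
demo
```

The rotated copies matter as much as the live file: newsyslog keeps several generations, which is why the article says the passwords persist for weeks. Deleting the log only shrinks the window; the accounts it listed still need new passwords, and any Time Machine or cloud backup taken while the log existed still holds a copy.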

Image via Apple Support Communities




User Comments: 18

Guest said:

oh, no!

I am holding my 10 lions in the wrong den!

Seriously, the flaw was already reported as early as February 2012 and Apple has yet to comment and issue a security fix?

mario mario, Ex-TS Developer, said:

10.7.4 should be released very soon, let's hope Apple addresses this issue by then. If they don't it would be very irresponsible of them and could become catastrophic.

Scshadow said:

You're installing it wrong, obviously. Let's be realistic here, you're using outdated software by not upgrading to FileVault 2.

/Cause Apple says so

captaincranky captaincranky, TechSpot Addict, said:

IT JUST WORKS! What's wrong with you people.

Guest said:

I can pull the passwords out of any windows machine in 2 minutes with a simple boot disk.

Unless a hard disk is fully encrypted, once you have the disk you have the data.

Sure it needs patching but beyond that the rest is just the usual lack of knowledge, paranoia, and dare I say it, invidious jealousy of the anti-apple zealots.

captaincranky captaincranky, TechSpot Addict, said:

....[ ]..... rest is just the usual lack of knowledge, paranoia, and dare I say it, invidious jealousy of the anti-apple zealots.
What are you suggesting that I am "invidiously jealous of", with respect to Apple products? The fact that they do too little, in respect to their too high price tag? Perhaps it's how shiny they are. Shiny things fascinate me too! And who said we had nothing in common?

Perhaps the fact that Foxconn has the Chinese working for practically nothing? Nothin' new there either, they did build our railroads for about the same wage.

Seriously though, there's an app for the iPhone that does on the fly language translation, that's dynamite!

Guest said:

The Chinese love working for nothing. They work for the make benefit of Glorious Motherland. Apple, like virtually all the technology giants, are helping them fulfill this most honorable duty.

Cota Cota said:

"security blunder"

This term is a paradox, since there's no such thing as security when it comes to actual security methods in any OS.

captaincranky captaincranky, TechSpot Addict, said:

"security blunder"

This term is a paradox, since there's no such thing as security when it comes to actual security methods in any OS.

True perhaps, but it also borders on being an oxymoron.

mario mario, Ex-TS Developer, said:

Perhaps the fact that Foxconn has the Chinese working for practically nothing? Nothin' new there either, they did build our railroads for about the same wage.

You do know this also applies to Microsoft, Samsung, Amazon, Acer, Cisco, Dell, HP, Intel, Motorola, Nintendo, Nokia, Sony, Toshiba, etc...

Do you build your smartphones and computer components on your own to avoid Foxconn manufacturing your products?

I just think it's very childish to comment only to complain that you don't like Apple products and how they are overpriced useless shiny objects when they've shown over and over how they innovate and set the pace for the future of technology. (See Macbook Air, iPads and iPhone) You do remember what the smartphone market looked like before the iPhone, see this if you don't: [link]

I personally do not care if you dislike Apple but this is trolling at its best:

IT JUST WORKS! What's wrong with you people.

Be happy, don't buy Apple products and don't bully those who do.

captaincranky captaincranky, TechSpot Addict, said:

You do know this also applies to Microsoft, Samsung, Amazon, Acer, Cisco, Dell, HP, Intel, Motorola, Nintendo, Nokia, Sony, Toshiba, etc...

Do you build your smartphones and computer components on your own to avoid Foxconn manufacturing your products?

I just think it's very childish to comment only to complain that you don't like Apple products and how they are overpriced useless shiny objects when they've shown over and over how they innovate and set the pace for the future of technology. (See Macbook Air, iPads and iPhone) You do remember what the smartphone market looked like before the iPhone, see this if you don't:

I do indeed, and I must say that an iPhone, coupled with a phone service contract, "the App Store", and an iTunes account, is one of the most elegant credit card milking "solutions" ever produced!

I also remember Apple's insulting advertising rants about how stupid Windows & PC users are. Every stinking one of them. Don't you think "PC" looked like Bill Gates? And wasn't he just such a dolt? So I guess, in that regard, Apple is just reaping what they've sown to me, from me.

I personally do not care if you dislike Apple but this is trolling at its best:
Well, that's just because I know you're here to come to Apple's rescue by bullying me with their propaganda. And yeah, many other products are made in China, but they don't quite seem to be milking the huge profit margins out of them that Apple is.

Be happy, don't buy Apple products and don't bully those who do.
You should take some of your own advice, and "be happy". You're obviously comfortable with your purchasing decisions, what difference does it make in that regard, what I think? You're smug, I'm bitter, this forum is big enough for both opinions.

And thanks for the "trolling at its best" acknowledgment! It's always nice to be praised for one's efforts....

mario mario, Ex-TS Developer, said:

If other companies do not generate profits by using the same manufacturers then that's their problem. But Apple is using the same manufacturing resources as its competitors. Apple is actually one of the few companies that push for better working conditions in Foxconn; they do have the entire world watching their every move.

Anyways my point was that using the Foxconn argument just shows your bias against Apple when you can say the same thing about almost every other major technology company in the world.

Next time bully with better arguments and please do not take any compliments when there are none :P

captaincranky captaincranky, TechSpot Addict, said:

If other companies do not generate profits by using the same manufacturers then that's their problem. But Apple is using the same manufacturing resources as its competitors. Apple is actually one of the few companies that push for better working conditions in Foxconn
Actually, I think it was ABC's "Nightline" exposé of Foxconn's factory that helped precipitate the onset of Apple's social conscience. Well that, and the explosions. You know, the factory with the suicide nets around its dormitories.

Usually when executives are suddenly, "told the truth", about situations like this, they respond with a big outpouring of, (mock), public indignation..! And doubtless Apple's honchos are no different in this respect.. Show me a sweatshop, and I'll show you an indignant, "concerned", executive, making eight figures a year. And so it goes.

I'm going to head over to YouTube, and be publicly degraded by Apple's, "I'm a PC" campaign reruns. Wouldn't you like to have been the troll that wrote that deceptive, insulting, batch of garbage?

Guest said:

Don't mess with the Crankster. He has more wit in the white head on his zit than a zillion merry O's.

Guest said:

It's Apple how can this be ?

ha ha ha

mario mario, Ex-TS Developer, said:

OS X 10.7.4 released issue fixed, move along...

mario mario, Ex-TS Developer, said:

Actually, I think it was ABC's "Nightline" exposé of Foxconn's factory that helped precipitate the onset of Apple's social conscience. Well that, and the explosions. You know, the factory with the suicide nets around its dormitories.

You do know the mass suicide threats were at Foxconn's Xbox plant, right?

And about the "I'm a PC" campaign they were bashing Windows not Windows' users. Unlike Samsung.

captaincranky captaincranky, TechSpot Addict, said:

You do know the mass suicide threats were at Foxconn's Xbox plant, right?
Well, ABC was touring the iPad installation when they showed the dorms and nets. I suppose they were committing fraudulent journalism? They toured another plant? You're actually delusional, or at least "apple-otized". An Apple CEO comes out and says "he's against underpaid workers and excessive hours", after the issue comes to light, and your head spins right in time with the hype. That's what they all say! A man making eight figures a year comes out and says, "I'm against sweatshops". What exactly would you expect he would say? "We'd pay them less, if we thought we could get away with it". Every unfair labor situation that comes to light has an "indignant" CEO saying, "we're going to get to the bottom of this"!

And about the "I'm a PC" campaign they were bashing Windows not Windows' users.
I didn't bring Samsung into this, why did you? Is Samsung pertinent to this discussion? I don't want one of their phones either. Let your iPhone siphon out your bank account, Apple's shiny things are apt to do that.

When an advertiser trashes a product, you have to expect the product's devotees, will take offense at it. If someone says the product you embrace is dumb and ill conceived, one has to expect that its users are perceived likewise.

Read about the American behavioural psychologist, John Watson. http://en.wikipedia.org/wiki/John_B._Watson After he "invented" "behavioural psychology", he quit and went into advertising. So now tell me, "do you think Madison Ave is yanking your head in circles by accident"? Most likely it's because they've had extensive training in propaganda techniques.

This is easily borne out by the fact you don't think I'm entitled to my opinion about Apple's product or relevance.. Or to hear you go on, I'm a troll, and you're a savant. Or as I explain it, "ring the iBell, and the Apple customer salivates". (I've also read a few pages of Pavlov).

So, let's clear this up, I avoid Samsung products to an only slightly lesser degree than I do Apple products. Them I avoid altogether. I won't so much as buy a song from iTunes. If your consumption of Apple's products and services conveys a sense of superiority upon you, so be it. Please consider sparing us your outpouring of joy.

Now, I'm sick and tired of listening to doggerel, nonsense, being talked down to, condescended to, and patronized by Apple's press machine. If being told something like, "if you don't have an iPhone, then you don't have an iPhone" resonates with you, I extend you my sympathies.

Switching gears for just a moment, earlier this evening there was a message posted on the forum, "We will be back in a few of minutes". Now I'm sure you're aware Julio wants communication in the forums in English.

English speakers don't use the preposition "of" (de) in the same way native Spanish speakers do.

For example, "el perro está debajo de la mesa" is streamlined to "the dog is under the table". "Under of the table" doesn't fly.

Y recuerda, "por usted, se lo haga" (And remember, "for you, let it be done")........!
