Security researcher David Emery has exposed what he claims is a major security bug in the currently shipping version of OS X Lion (10.7.3), which causes login passwords to be stored in a plain text file. The flaw specifically affects users of Snow Leopard who used the FileVault encryption option for their home directories, then upgraded to Lion but didn’t activate the full-disk encryption of FileVault 2.
According to Sophos’ Naked Security blog, it appears that a debug option was accidentally left enabled in the most recent version of Mac OS X, 10.7.3, which turns on a system-wide debug log file that contains the login passwords — in clear text — of every user who has logged in since the update.
The log file containing users’ passwords is stored outside of the encrypted area for several weeks and is accessible to anyone with administrator rights. According to Emery, the data in the log can also be accessed by booting the machine into FireWire disk mode, so that it works as a hard drive for another computer, or by using the super-user shell from the recovery partition to mount the main file system partition.
Apparently, the bug was originally spotted by a user named "tarwinator" on the Apple Support Communities forums less than a week after Lion came out on February 1, but nobody commented on it until this past weekend. Apple has yet to acknowledge the problem.
In the meantime, those who are using the legacy FileVault version are encouraged to perform a full disk encryption using Apple’s FileVault 2, purge all backups of the vulnerable partition and delete the /var/log/secure.log file. It would also be a good idea to change your password, especially if you perform backups to external drives or cloud services where the log file could remain stored.