An apparent programming mistake in an Apple OS X update, affecting the legacy FileVault encryption feature, can write users' login passwords to a log file in clear text.
Security researcher David Emery warns of a new vulnerability involving the FileVault feature in Mac OS X Lion, version 10.7.3, which in its legacy form encrypts a user's home directory. He wrote:
Someone, for some unknown reason, turned on a debug switch (debuglog) in the current released version of MacOS Lion 10.7.3 that causes the authorizationhost process' HomeDirMounter DIHLFVMount to log in *plain text* in a system-wide logfile readable by anyone with root or admin access the log-in password of the user of an encrypted home directory tree ("legacy Filevault").
The log in question is kept by default for several weeks ... Thus, anyone who can read files accessible to group admin can discover the log-in passwords of any users of legacy (pre-Lion) Filevault home directories who have logged in since the upgrade to 10.7.3 in early February 2012.
As Emil Protalinski pointed out at ZDNet US, echoing Emery, this vulnerability is not to be taken lightly:
Anyone with administrator or root access can grab the user credentials for an encrypted home-directory tree. They can also access the files by connecting the drive via FireWire. Having done that, they can then not only read the encrypted files that are meant to be hidden from prying eyes, but they can also access anything else meant to be protected by that user name and password.
The breach could also affect Time Machine backups to external drives, Protalinski said.
And even after a patch becomes available, he wrote, it may be hard to be sure that every copy of the compromised log file has been expunged; a password already written to disk, or to a backup, could still be discoverable, which adds to the urgency of changing it.
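An administrator who wants to check a 10.7.3 machine for the exposure Emery describes, and to confirm after patching that no copy of the leaked entries remains, needs to look through both the live log and its rotated, compressed predecessors. The script below is an added example written for this article; it is not Emery's, Protalinski's or Apple's code. It assumes the log lives at /var/log/secure.log with gzip-rotated siblings (secure.log.0.gz, ...), and it assumes the leaked line names the DIHLFVMount call mentioned by Emery and carries "userName:" and "password:" fields; that field layout and the sample lines are constructed for illustration, not real captures. It deliberately reports only which accounts are affected and never echoes the recovered password.

```python
"""Scan OS X secure.log files for the 10.7.3 legacy FileVault password leak.

Added example for this article, not code from the page or from Apple.
ASSUMPTIONS: log path /var/log/secure.log (+ gzip-rotated copies) and the
"DIHLFVMount ... userName: X, password: Y" line shape used in SAMPLE_LOG.
"""
import gzip
import re
from pathlib import Path

# ASSUMPTION: the debug line names DIHLFVMount (from Emery's report) and carries
# "userName:" and "password:" fields. The exact layout is our guess, not the page's.
LEAK_RE = re.compile(
    r"DIHLFVMount.*?userName:\s*(?P<user>[^,\s]+).*?password:\s*(?P<pw>\S+)"
)


def scan_lines(lines):
    """Return {username: number_of_leaked_logins}. The password itself is
    matched so we know it is present, but it is never stored or returned."""
    hits = {}
    for line in lines:
        m = LEAK_RE.search(line)
        if m:
            user = m.group("user")
            hits[user] = hits.get(user, 0) + 1
    return hits


def open_log(path):
    """Rotated logs are gzip-compressed; the live one is plain text."""
    if path.suffix == ".gz":
        return gzip.open(path, "rt", errors="replace")
    return open(path, "r", errors="replace")


def scan_log_dir(log_dir="/var/log", pattern="secure.log*"):
    """Scan the live and rotated secure.log files.
    Returns {file_path: {username: count}} for files that still hold leaks,
    so every one of them can be securely removed and the listed passwords rotated."""
    report = {}
    for p in sorted(Path(log_dir).glob(pattern)):
        with open_log(p) as fh:
            hits = scan_lines(fh)
        if hits:
            report[str(p)] = hits
    return report


# Constructed sample log (not a real capture): two leaked logins for alice,
# one for bob, plus an unrelated authorizationhost line that must not match.
SAMPLE_LOG = """\
Feb 10 09:13:57 mac authorizationhost[331]: DEBUGLOG | -[HomeDirMounter mountNetworkHomeWithURL:attributes:dirPath:username:] | about to call DIHLFVMount, userName: alice, password: Tr0ub4dor
Feb 10 09:14:02 mac authorizationhost[331]: in pam_sm_authenticate(): Got user: alice
Feb 11 18:02:11 mac authorizationhost[400]: DEBUGLOG | about to call DIHLFVMount, userName: bob, password: hunter2
Feb 11 18:02:30 mac authorizationhost[400]: DEBUGLOG | about to call DIHLFVMount, userName: alice, password: Tr0ub4dor
"""

if __name__ == "__main__":
    # Run with sudo on the machine being checked; prints affected accounts only.
    for path, users in scan_log_dir().items():
        print(path)
        for user, n in users.items():
            print(f"  {user}: {n} leaked login(s); change this password and "
                  f"securely delete the file and any backup copies of it")
```

Because the rotated copies are compressed, a plain grep of the live log is not enough; the same check as a one-liner, under the same path assumption, is `sudo zgrep -l DIHLFVMount /var/log/secure.log*`, which lists every file, compressed or not, that still holds an entry. Remember that Time Machine will have copied those files too, so the backups need the same treatment.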
In the meantime, Topher Kessler has written up instructions on the MacFixIt blog on ZDNet Australia's sister site CNET, describing how the vulnerability can be addressed for users still using the older legacy FileVault data-encryption technology.