X

Mac OS X login passwords put at risk

An apparent programming mistake in an update to the Apple operating system, tied to FileVault encryption tech, could expose passwords in clear text.

Jon Skillings Editorial director
Jon Skillings is an editorial director at CNET, where he's worked since 2000. A born browser of dictionaries, he honed his language skills as a US Army linguist (Polish and German) before diving into editing for tech publications -- including at PC Week and the IDG News Service -- back when the web was just getting under way, and even a little before. For CNET, he's written on topics from GPS, AI and 5G to James Bond, aircraft, astronauts, brass instruments and music streaming services.
Expertise AI, tech, language, grammar, writing, editing Credentials
  • 30 years experience at tech and consumer publications, print and online. Five years in the US Army as a translator (German and Polish).
Jon Skillings
2 min read

Last update: 1:20 p.m. PT

Users of the Lion version of Mac OS X will probably want to update their log-in passwords.

Security researcher David Emery warns of a new vulnerability involving the FileVault feature in Mac OS X Lion, version 10.7.3, which allows for encryption of certain directories. He writes:

Someone, for some unknown reason, turned on a debug switch (DEBUGLOG) in the current released version of MacOS Lion 10.7.3 that causes the authorizationhost process's HomeDirMounter DIHLFVMount to log in *PLAIN TEXT* in a system wide logfile readible by anyone with root or admin access the login password of the user of an encrypted home directory tree ("legacy Filevault").

The log in question is kept by default for several weeks...

Thus anyone who can read files accessible to group admin can discover the login passwords of any users of legacy (pre LION) Filevault home directories who have logged in since the upgrade to 10.7.3 in early February 2012.

As Emil Protalinski points out at CNET sister site ZDNet, echoing Emery, this vulnerability is not to be taken lightly:

Anyone with administrator or root access can grab the user credentials for an encrypted home directory tree. They can also access the files by connecting the drive via FireWire. Having done that, they can then not only read the encrypted files that are meant to be hidden from prying eyes, but they can also access anything else meant to be protected by that user name and password.

The breach could also affect Time Machine backups to external drives, Protalinski says.

And even after a patch becomes available, he writes, it could be hard to know for sure if the compromised log file has been expunged, meaning that an exposed password could still be discoverable -- adding to the urgency in changing the password.

We've reached out to Apple for comment and will update this story when we hear back.

Update 1:20 p.m. PT: Writing for CNET's MacFixIt blog, Topher Kessler offers details on how you can address the vulnerability on your Mac if you're someone still using the older legacy FileVault data encryption technology

Via ZDNet.

Mac OS X Lion (screenshots)

See all photos