According to technology website ZDNet, Apple programmers “left a debug flag in the most recent version of the Mac OS X operating system” update that has left passwords in clear text.
“In specific configurations, applying OS X Lion update 10.7.3 turns on a system-wide debug log file that contains the login passwords of every user who has logged in since the update was applied,” ZDNet said.
“The passwords are stored in clear text.”
The vulnerability is limited to Mac owners who used FileVault encryption before upgrading to Lion and who did not remove the folders encrypted with the legacy version of FileVault.
First noticed by security researcher David Emery, the blunder is “worse than it seems”.
“Since the log in question can also be read by booting the machine into firewire disk mode and reading it by opening the drive as a disk or by booting the new-with-LION recovery partition and using the available superuser shell to mount the main file system partition and read the file. This would allow someone to break into encrypted partitions on machines they did not have any idea of any login passwords for,” Emery said.
The update, which has been available since February, could prove fatal for businesses that have run FileVault for long periods, according to ZDNet.
“If an employee has their Mac stolen, however, anything they encrypted, as well as anything that requires those credentials, can be accessed without hindrance if the vulnerable configuration is in place.”
“This also affects Time Machine backups to external drives. If your hard drive is stolen, it doesn’t matter that the backups require a key to read. The backed-up log file contains the required password stored in clear text. This means your compromised password has been backed up for the long term.”