Security researcher David Emery (via ZDNET) claimed to have discovered a bug in Mac OS X 10.7.3 that stores login passwords in plain text. In a recent newsletter, he said someone (we are guessing an Apple programmer) mistakenly “turned on a debug switch (DEBUGLOG)” that stores the passwords in a system-wide debug log file. Emery explained that folders encrypted with Apple’s “legacy” FileVault prior to upgrading to Lion are at risk:

It would also allow them to access any content those usernames and passwords are meant to protect. Fortunately, the file with stored passwords is only kept for “several weeks” by default. However, the exposure extends to Time Machine backups, because the log file is also backed up in plain text. Emery said the best method to protect yourself until Apple fixes the issue is to simply use FileVault 2:

We expect Apple will get around to fixing this bug quickly as it picks up more press, but as ZDNET pointed out, the bug was raised in the Apple Support Communities three months ago with no replies. We will keep you updated when Apple responds.
