Security Hole Could Expose FileVault User’s Passwords

A coding error in OS X 10.7.3 Lion could leave user account passwords exposed and easily retrievable. The security issue involves a debug file that stores unencrypted login passwords, but only impacts users that had been using FileVault ahead of upgrading to Lion.

Debug error could leave FileVault user's account password exposed“Someone, for some unknown reason, turned on a debug switch (DEBUGLOG) in the current released version of MacOS Lion 10.7.3 that causes the authorizationhost process’s HomeDirMounter DIHLFVMount to log in *PLAIN TEXT* in a system wide logfile readible by anyone with root or admin access the login password of the user of an encrypted home directory tree (‘legacy Filevault’),” David Emery said on the Cryptome blog. “Thus anyone who can read files accessible to group admin can discover the login passwords of any users of legacy (pre LION) Filevault home directories who have logged in since the upgrade to 10.7.3 in early February 2012.”

While enabling a debug feature that records account passwords as plain text is a serious security concern, it affects just a subset of Mac users. For those users, however, their account passwords are currently stored in a text file that can be viewed by tech savvy people with access to their Mac, or with access to their data backups, too.

Mac users vulnerable to the security flaw needed to be using Apple’s file-based FileVault data encryption feature prior to upgrading to Lion. Users that didn’t rely on FileVault prior to upgrading to Lion aren’t impacted.

The log file holding the unencrypted account password is stored for several weeks, and the flaw was introduced with the release of the OS X 10.7.3 update in February.

FileVault users aren’t completely without a way to protect themselves. “One can partially protect oneself against the firewire disk and recovery partition attacks by using Filevault 2 (whole disk encryption) which then requires one know at least one user login password before one can access files on the main partition of the disk,” Mr. Emery said.

For now, it appears that gaining access to the debug log file with passwords requires physical acces to a user’s Mac, although it’s possible that at some point hackers could try to build malware that looks for the specific debug file.

Apple can fix the issue with a software update, although that won’t remove the file from backups that have already been saved.

Apple hasn’t commented on the FileVault password issue.