Apple programmer’s security blunder exposes OS X Lion login passwords in clear text

“An Apple programmer, apparently by accident, left a debug flag in the most recent version of the Mac OS X operating system,” Emil Protalinski reports for ZDNet. “In specific configurations, applying OS X Lion update 10.7.3 turns on a system-wide debug log file that contains the login passwords of every user who has logged in since the update was applied. The passwords are stored in clear text.”
Protalinski reports, “Anyone who used FileVault encryption on their Mac prior to Lion, upgraded to Lion, but kept the folders encrypted using the legacy version of FileVault is vulnerable. FileVault 2 (whole disk encryption) is unaffected.”

“This flaw further shows Apple has a quality assurance problem. When it comes to encryption, it’s important to choose a secure algorithm, but implementation is even more important. A simple bug in how the keys are secured, managed, or accessed can lead to a massive unraveling, as we’ve seen here,” Protalinski reports. “Apple needs to fix this issue as soon as possible. Even when a patch is made available, it will be impossible for the company to ensure the log file has been deleted, especially given all the places it may have been backed up. This means your password could still be out there even after you update, so after you do, make sure to change it.”

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s