Printed from http://www.macnn.com

Apple update exposes Lion login passwords in clear text

updated 01:32 pm EDT, Mon May 7, 2012

Lion debug flag left in update causing major security risk

OS X 10.7.3 contains a debug flag which makes system passwords readable, checks show. Depending on the system configuration, people who update to v10.7.3 may have a widely-viewable debug log file containing passwords for all users accessing a system. The passwords are stored in plain text, making for a potentially serious security risk.

The affected update has been available for download since the start of February, but the log only contains passwords entered after the update was applied to a system, not earlier ones. People using FileVault 2 whole-disk encryption should be safe, but users of FileVault from before Lion's release may be affected. Time Machine backups to external drives are another point of exposure, since the backup files aren't encrypted.

Security researcher David Emery initially reported the vulnerability, caused by programmer error, to the Cryptome mailing list, noting, "One wonders why such a debug switch exists in shipped production code... clearly it could be invoked covertly in specific situations, this seems to be an example of someone turning it on for the entire release by accident."

Apple has yet to release a patch fixing the vulnerability. [via ZDNet]




by MacNN Staff

Comments

  1. Grendelmon

    Joined: Dec 1969

    +15

    Yikes

    if ( (MacOsProd.promoted) && (MacOSProd.debugOutput) ) {
    personalBelongings.packUpQuickly(myCubeStuff);
    prayFor.keepingJob(myJob);
    } else {
    // Q/A is doing its job...
    }

  1. The Vicar

    Joined: Dec 1969

    +2

    Not quite accurate

    It is possible to encrypt an external drive used for Time Machine backup; the system provides this capability.

    The system does NOT provide a facility to encrypt a backup to a Time Capsule (or other network storage), but it is possible to force Time Capsule backups to be encrypted. (There's just no facility to make this happen built into the system.)

  1. donmontalvo

    Joined: Dec 1969

    +4

    Like for Yikes

    Ya, Apple sure is in need of a shakedown in the management oversight area.

    Don Montalvo, TX

  1. UmarOMC

    Joined: Dec 1969

    +3

    @Grendelmon

    GRENDELMON=i
    IF i THEN LOL

  1. testudo

    Joined: Dec 1969

    +2

    Re: Not quite accurate

    It is possible to encrypt an external drive used for Time Machine backup; the system provides this capability.

    But does the system make it easy and obvious to encrypt the backup? I don't recall ever seeing a message or option for that.

    The system does NOT provide a facility to encrypt a backup to a Time Capsule (or other network storage), but it is possible to force Time Capsule backups to be encrypted. (There's just no facility to make this happen built into the system.)

    What does this mean? You can encrypt Time capsule backups, there's just no way to make this happen? Basically "Well, it could be done, if you could tell the system to do it". Yeah, that's about as helpful as saying "Windows has an option to make it immune from viruses and malware. There's just no facility to enable it."
