Printed from http://www.macnn.com

Apple update exposes Lion login passwords in clear text

updated 01:32 pm EDT, Mon May 7, 2012

Lion debug flag left in update causing major security risk

OS X 10.7.3 contains a debug flag which makes system passwords readable, checks show. Depending on the system configuration, people who update to v10.7.3 may have a widely-viewable debug log file containing passwords for all users accessing a system. The passwords are stored in plain text, making for a potentially serious security risk.

The affected update has been available for download since the start of February, but the log only contains passwords entered after the update was applied to a system, not earlier ones. People using FileVault 2 whole-disk encryption should be safe, but users of FileVault before Lion's release may be affected. Another exposure path is Time Machine backups to external drives, since the backup files aren't encrypted.

Security researcher David Emery initially reported the vulnerability caused by programmer error to the Cryptome mailing list, noting, "One wonders why such a debug switch exists in shipped production code... clearly it could be invoked covertly in specific situations, this seems to be an example of someone turning it on for the entire release by accident."

Apple has yet to release a patch fixing the vulnerability. [via ZDNet]




by MacNN Staff


Comments

  1. Grendelmon

    Joined: Dec 1969

    +15

    Yikes

    if ( (MacOSProd.promoted) && (MacOSProd.debugOutput) ) {
        personalBelongings.packUpQuickly(myCubeStuff);
        prayFor.keepingJob(myJob);
    } else {
        // Q/A is doing its job...
    }

  1. The Vicar

    Joined: Dec 1969

    +2

    Not quite accurate

    It is possible to encrypt an external drive used for Time Machine backup; the system provides this capability.

    The system does NOT provide a facility to encrypt a backup to a Time Capsule (or other network storage), but it is possible to force Time Capsule backups to be encrypted. (There's just no facility to make this happen built into the system.)

  1. donmontalvo

    Joined: Dec 1969

    +4

    Like for Yikes

    Ya, Apple sure is in need of a shakedown in the management oversight area.

    Don Montalvo, TX

  1. UmarOMC

    Joined: Dec 1969

    +3

    @Grendelmon

    GRENDELMON=i
    IF i THEN LOL

  1. testudo

    Joined: Dec 1969

    +2

    Re: Not quite accurate

    "It is possible to encrypt an external drive used for Time Machine backup; the system provides this capability."

    But does the system make it easy and obvious to encrypt the backup? I don't recall ever seeing a message or option for that.

    "The system does NOT provide a facility to encrypt a backup to a Time Capsule (or other network storage), but it is possible to force Time Capsule backups to be encrypted. (There's just no facility to make this happen built into the system.)"

    What does this mean? You can encrypt Time capsule backups, there's just no way to make this happen? Basically "Well, it could be done, if you could tell the system to do it". Yeah, that's about as helpful as saying "Windows has an option to make it immune from viruses and malware. There's just no facility to enable it."
