updated 01:32 pm EDT, Mon May 7, 2012
Lion debug flag left in update causing major security risk
OS X 10.7.3 contains a debug flag that causes user login passwords to be written to a system log, checks show. Depending on how a system is configured, people who update to v10.7.3 may end up with a widely readable debug log that records the password of every user who logs in to that system. The passwords are stored in plain text, so anyone able to read the log can read the passwords, a potentially serious security risk.
The affected update has been available for download since the start of February, but only passwords entered after it was applied to a system are logged, not earlier ones. Users of FileVault 2 whole-disk encryption should be safe; users who still have home directories encrypted with the original FileVault (set up before Lion's release) may be affected. Time Machine backups to external drives are another point of exposure, since the log file is backed up along with everything else and the copies in the backup are, by default, not encrypted.
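A practitioner who suspects a machine is affected wants to know three things: which accounts' passwords are in the log (so they can be rotated), whether the log is readable by other local users, and where copies of it sit in backups. The POSIX shell script below is an added triage example and is not code from the article, from Apple, or from David Emery's report. It assumes, because the article does not say, that the log in question is /var/log/secure.log (plus rotated copies), that the leaked lines carry a "DEBUGLOG" marker, and that each such line contains "name=<user>" and "pass=<password>" fields; verify those assumptions against the actual log before relying on the output. The sample log lines at the bottom are constructed to imitate that shape so the script runs offline.

```shell
#!/bin/sh
# Added triage helper for the Lion 10.7.3 plaintext-password log.
# Not the article's, Apple's, or the researcher's code.
# ASSUMPTIONS (not stated in the article): the log is /var/log/secure.log
# and its rotated copies; leaked lines contain "DEBUGLOG"; each such line
# carries "name=<user>" and "pass=<password>" fields.

LEAK_MARKER='DEBUGLOG'   # assumed marker on the leaking lines

# Print the distinct account names found on marker lines, one per line.
# The password field is never printed, so the output is safe to paste into
# an incident ticket.
leaked_users() {
    grep -h "$LEAK_MARKER" "$@" 2>/dev/null \
        | sed -n 's/.*name=\([^,) ]*\).*/\1/p' \
        | sort -u
}

# Count marker lines across the given files (prints 0 when none match or
# the files do not exist).
leak_count() {
    grep -h "$LEAK_MARKER" "$@" 2>/dev/null | wc -l | tr -d ' '
}

# Succeed (exit 0) when FILE grants read to "other", i.e. when any local
# user, not just root or admins, could read the leaked passwords.
# Character 8 of the ls mode string is the "other" read bit: -rw-r--r--
world_readable() {
    case "$(ls -ld "$1" | cut -c8)" in
        r) return 0 ;;
        *) return 1 ;;
    esac
}

# Write a copy of FILE to OUT with every pass=... field masked. Keep this
# as evidence; the original still has to be wiped and the backups cleaned.
redact_copy() {
    sed 's/pass=[^,) ]*/pass=<redacted>/g' "$1" > "$2"
}

# List copies of the log beneath a Time Machine volume (or any directory):
# every backup taken after the update carries the plaintext as well.
backup_copies() {
    find "$1" -type f -name 'secure.log*' 2>/dev/null | sort
}

# --- Constructed demo data so the script runs offline -------------------
demo() {
    work="$(mktemp -d)"
    log="$work/secure.log"
    # CONSTRUCTED lines imitating the assumed shape; not real log output.
    cat > "$log" <<'EOF'
May  7 09:12:01 mac authorizationhost[235]: DEBUGLOG | mountNetworkHome | name=alice, pass=hunter2 )
May  7 09:12:05 mac loginwindow[77]: USER_PROCESS: 77 console
May  7 10:40:33 mac authorizationhost[235]: DEBUGLOG | mountNetworkHome | name=bob, pass=Tr0ub4dor&3 )
May  7 11:02:10 mac authorizationhost[235]: DEBUGLOG | mountNetworkHome | name=alice, pass=hunter2 )
EOF
    chmod 644 "$log"   # the world-readable case the article warns about
    bk="$work/Backups.backupdb/mac/2012-05-07-120000/Macintosh HD/private/var/log"
    mkdir -p "$bk"
    cp "$log" "$bk/"

    echo "Accounts whose passwords must be rotated:"
    leaked_users "$log"
    echo "Leaked lines: $(leak_count "$log")"
    if world_readable "$log"; then echo "WARNING: $log is world-readable"; fi
    echo "Backup copies to clean:"
    backup_copies "$work/Backups.backupdb"
    redact_copy "$log" "$work/secure.log.redacted"
    echo "Redacted evidence copy written to $work/secure.log.redacted"
    rm -rf "$work"
}

demo
```

On a real machine the functions would be pointed at /var/log/secure.log* and at the Backups.backupdb directory of each Time Machine volume, rather than at the constructed sample. Rotating the listed passwords is the only complete remedy: wiping the log and the backup copies limits further exposure but cannot undo whatever was already read.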
Security researcher David Emery first reported the vulnerability, which he attributes to programmer error, on the Cryptome mailing list, noting, "One wonders why such a debug switch exists in shipped production code... clearly it could be invoked covertly in specific situations, this seems to be an example of someone turning it on for the entire release by accident."
Apple has yet to release a patch fixing the vulnerability. [via ZDNet]