Printed from http://www.macnn.com

Apple update exposes Lion login passwords in clear text

updated 01:32 pm EDT, Mon May 7, 2012

Lion debug flag left in update causing major security risk

OS X 10.7.3 contains a debug flag which makes system passwords readable, checks show. Depending on the system configuration, people who update to v10.7.3 may have a widely-viewable debug log file containing passwords for all users accessing a system. The passwords are stored in plain text, making for a potentially serious security risk.

The affected update has been available for download since the start of February, but only shows passwords entered since it was applied to a system, not prior. People using FileVault 2 whole-disk encryption should be safe, but users of FileVault before Lion's release may be affected. Another point of entry is backups to external drives using Time Machine, since the backup files aren't encrypted.

Security researcher David Emery initially reported the vulnerability caused by programmer error to the Cryptome mailing list, noting, "One wonders why such a debug switch exists in shipped production code... clearly it could be invoked covertly in specific situations, this seems to be an example of someone turning it on for the entire release by accident."

Apple has yet to release a patch fixing the vulnerability. [via ZDNet]




by MacNN Staff

Comments

  1. Grendelmon

    Joined: Dec 1969

    +15

    Yikes

    if ( (MacOSProd.promoted) && (MacOSProd.debugOutput) ) {
        personalBelongings.packUpQuickly(myCubeStuff);
        prayFor.keepingJob(myJob);
    } else {
        // Q/A is doing its job...
    }

  1. The Vicar

    Joined: Dec 1969

    +2

    Not quite accurate

    It is possible to encrypt an external drive used for Time Machine backup; the system provides this capability.

    The system does NOT provide a facility to encrypt a backup to a Time Capsule (or other network storage), but it is possible to force Time Capsule backups to be encrypted. (There's just no facility to make this happen built into the system.)

  1. donmontalvo

    Joined: Dec 1969

    +4

    Like for Yikes

    Ya, Apple sure is in need of a shakedown in the management oversight area.

    Don Montalvo, TX

  1. UmarOMC

    Joined: Dec 1969

    +3

    @Grendelmon

    GRENDELMON=i
    IF i THEN LOL

  1. testudo

    Joined: Dec 1969

    +2

    Re: Not quite accurate

    It is possible to encrypt an external drive used for Time Machine backup; the system provides this capability.

    But does the system make it easy and obvious to encrypt the backup? I don't recall ever seeing a message or option for that.

    The system does NOT provide a facility to encrypt a backup to a Time Capsule (or other network storage), but it is possible to force Time Capsule backups to be encrypted. (There's just no facility to make this happen built into the system.)

    What does this mean? You can encrypt Time Capsule backups, there's just no way to make this happen? Basically "Well, it could be done, if you could tell the system to do it". Yeah, that's about as helpful as saying "Windows has an option to make it immune from viruses and malware. There's just no facility to enable it."
