Apple’s latest Lion update exposes user passwords

Oops: with the latest security update to Lion, Mac OS X 10.7.3, Apple has mistakenly turned on a debug option that leaves users’ passwords accessible.

With the debug option enabled in FileVault, passwords are saved in plain text in a log file outside the encrypted area, meaning that anyone with access to the disk can read the file containing the password and use it to log into the encrypted area of the disk.

While FileVault 2 – which encrypts the entire content of the hard drive – is fine, the bug affects anyone who upgraded to Lion but carried on using the older version of FileVault.

With Mac OS X version 10.7.3 released at the beginning of February, this means that more than two months’ data could be open for all to see.

The flaw was reported on Friday by security researcher David Emery, who says that it’s even worse than it seems.

“The log in question can also be read by booting the machine into firewire disk mode and reading it by opening the drive as a disk or by booting the new-with-LION recovery partition and using the available superuser shell to mount the main file system partition and read the file,” he says.

“This would allow someone to break into encrypted partitions on machines they did not have any idea of any login passwords for.”

It’s possible to disable FileVault and turn on FileVault 2, after which a change of password should restore security – as long as the original password has been completely erased.

“This proves a very important point when it comes to encryption. While choosing a secure algorithm is important, it’s rarely the most important factor. How products store, manage and secure keys and passwords is the most common failure point in assuring data protection,” says Chester Wisniewski of security firm Sophos.

“This incident demonstrates the importance of implementation over technical arguments like key strength and password complexity. That Apple promises AES encryption doesn’t mean anything if it chooses to store your password in an accessible log file.”