Mac OS X Lion Update Exposes Clear-Text Passwords

By Lisa Vaas  |  Posted 2012-05-07 Print this article Print

Even if it's patched soon, Mac users should be aware that original, plain-text passwords might be retrievable from Time Capsule backups.

Apple's latest security update to OS X Lion, 10.7.3, was shipped with the debugging switch left on, leaving passwords open in plain text in a folder that had previously been encrypted with the first version of the company's FileVault encryption.

David I. Emery, owner of DIE Consulting, disclosed the flaw on the Cryptome encryption mailing list on Saturday, May 5.

Apple released the buggy update in February.

Emery reports that the debug switch (DEBUGLOG) seems to have been left on inadvertently. The security hole causes log-in passwords for the encrypted home directory tree (legacy FileVault) to be left readable, in a systemwide log file, by any user with root or administrative access.

That log is kept, by default, for several weeks, Emery wrote. That means that anybody who can read files available to group administration can discover the log-in for any user of pre-Lion FileVault home directories who has logged in since the February upgrade.

What makes this one so bad is that the log, and thus encrypted partitions, can be read by intruders who don't have a log-in password. It's done by booting the machine into FireWire disk mode, which allows the log and partitions to be read by opening the drive as a disk or by booting the recovery partition that was introduced in Lion. An intruder then uses the available super-user shell to mount the main file system partition, Emery says.

It gets worse.

Emery theorized that Apple's Time Capsule backup tool may have backups encrypted with the password available in plain text.

"For those who use Apple's easy backup tools ('Time Capsule'), it was possible to assume that those tools only wrote copies of the sparsebundle encrypted container for a FileVault legacy home directory to the backup media, meaning that an unencrypted backup would still provide protection for the contained encrypted home directories," Emery wrote. "But with the password required to decrypt the sparebundles stored in the clear on the (unencrypted) backup, that assumption is no longer true."

Emery said that users can partially protect themselves from attack by using FileVault 2, which offers whole-disk encryption. Such encryption requires that users know at least one user log-in password before they are given access to files on the disk's main partition.

Further, weaker protection can be had by setting a firmware password, which would be required before a user can boot the recovery partition or external media or enter FireWire disk mode, he says. However, there's a technique to turn this off, known to Apple field support.

Chester Wisniewski, a senior security advisor for Sophos, wrote that this security snafu proves an important point about encryption: Secure algorithms are important, but that's "rarely the most important factor."

"How products store, manage and secure keys and passwords is the most common failure point in assuring data protection," Wisniewski wrote in Sophos' Naked Security blog. "This incident demonstrates the importance of implementation over technical arguments like key strength and password complexity. That Apple promises AES [Advanced Encryption Standard] encryption doesn't mean anything if it chooses to store your password in an accessible log file."

Of course, the possibility that the plain-text password has been backed up means that it's going to be tough to ensure that both it and the original plain-text password are securely erased, he said, even after the fix comes out.

Thus, Wisniewski advises Mac users to consider changing passwords, and then to refrain from using those passwords on any other systems, even after applying the patch.

Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel