Apple programmer’s security blunder exposes OS X Lion login passwords in clear text

“An Apple programmer, apparently by accident, left a debug flag in the most recent version of the Mac OS X operating system,” Emil Protalinski reports for ZDNet. “In specific configurations, applying OS X Lion update 10.7.3 turns on a system-wide debug log file that contains the login passwords of every user who has logged in since the update was applied. The passwords are stored in clear text.”

Protalinski reports, “Anyone who used FileVault encryption on their Mac prior to Lion, upgraded to Lion, but kept the folders encrypted using the legacy version of FileVault is vulnerable. FileVault 2 (whole disk encryption) is unaffected.”

“This flaw further shows Apple has a quality assurance problem. When it comes to encryption, it’s important to choose a secure algorithm, but implementation is even more important. A simple bug in how the keys are secured, managed, or accessed can lead to a massive unraveling, as we’ve seen here,” Protalinski reports. “Apple needs to fix this issue as soon as possible. Even when a patch is made available, it will be impossible for the company to ensure the log file has been deleted, especially given all the places it may have been backed up. This means your password could still be out there even after you update, so after you do, make sure to change it.”

Much more in the full article here.
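As an added illustration (not Apple's code and not from the ZDNet article), a Python sketch of the defect class the story describes: a leftover debug switch that writes raw login fields to a log, beside a version that redacts secrets before they reach the log sink, plus a check a defender can run over existing log text. All names, the flag and the log format are hypothetical.

```python
import logging
import re
from io import StringIO

# Hypothetical flag standing in for the leftover debug switch described above.
DEBUG_AUTH = True

# Field names that must never reach a log in the clear (constructed list).
SECRET_KEYS = {"password", "passwd", "pwd", "passphrase"}


def redact(fields: dict) -> dict:
    """Replace credential-bearing values before anything is formatted for logging."""
    return {k: ("<redacted>" if k.lower() in SECRET_KEYS else v) for k, v in fields.items()}


def _make_logger(name):
    """Logger writing to an in-memory buffer so the example runs offline."""
    buf = StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.addHandler(logging.StreamHandler(buf))
    return logger, buf


def login_vulnerable(user, password):
    """Anti-pattern: the debug path dumps the raw login fields, password included."""
    logger, buf = _make_logger("auth.vuln")
    if DEBUG_AUTH:
        logger.debug("login attempt %s", {"user": user, "password": password})
    return buf.getvalue()


def login_hardened(user, password):
    """Same verbosity, but secrets are redacted first, so a stray debug
    flag cannot turn the log file into a password store."""
    logger, buf = _make_logger("auth.safe")
    if DEBUG_AUTH:
        logger.debug("login attempt %s", redact({"user": user, "password": password}))
    return buf.getvalue()


# Matches key=value / 'key': 'value' pairs for secret keys whose value is not redacted.
LEAK_RE = re.compile(
    r"""['"]?(password|passwd|pwd|passphrase)['"]?\s*[:=]\s*['"]?(?!<redacted>)[^'",}\s]+""",
    re.I,
)


def find_leaked_credentials(log_text: str) -> list:
    """Defender check: return the log lines that still carry a cleartext credential."""
    return [line for line in log_text.splitlines() if LEAK_RE.search(line)]
```

Run `find_leaked_credentials` over exported log text to confirm no credential survived in the clear; any hit means the affected accounts' passwords should be treated as exposed and rotated.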

MacDailyNews Take: WWSD?

[Thanks to MacDailyNews Reader “SteveF” for the heads up.]

36 Comments

  1. I have posted here for years that Apple has been shipping Beta software – this is but another example. While I understand the company has expanded at a phenomenal rate and run very lean – this kind of shit is unacceptable.
    Apple needs to pull some resources back to OS X from iOS and the ruination of OS X by making it more iOS like and patch up some security holes. This is not the only one.

    1. BS. I take it your standard of not-Beta software is absolute perfection, which does not exist. Human beings are not perfect, no matter who they work for or which platform they are on. Not until software is written by machines themselves will it approach anything close to perfect.

      Unlike “Mr. unless it’s perfect it’s useless”, I am very happy with Apple’s software engineers. So what if an engineer made a mistake on the last release? Until widespread damage is proven to have taken place, your hysterical reaction is off base.

      1. Apple’s fanatical obsession with secrecy limits the auditing and testing prior to launch. Combine that with the fact that Apple is now obsessed with iOS, and the Mac is being treated like a red-headed stepchild.

        1. I have to agree. I love iOS, I like Lion in general, but all who do not see that the quality of the OS is not yet again a step up from its predecessor should look again. Let’s hope Mountain Lion will be for Lion what SL was for Leopard, but, just like then, in OS (as in OS X) stability and not in more features that turn it into an iPad with a keyboard!

          Microsoft is going the wrong way in that it wants W8 to be a JOAT; Apple chose to do two OSes, let’s hope they will follow through on that promise!

          The programmer’s error is an error that can happen to the best; maybe it illustrates what pap is saying, but it seems an honest mistake….

    1. Really, that is what you think is appropriate? Pretty simple mistake to make. Your professional life is perfect in every way? No mistakes ever?

      How about his boss or direct supervisor, fire them too? How about the quality assurance team? Gone?

      I hope you are not in a leadership position somewhere. This is a process improvement moment, a teachable moment, a reprimand moment, but a firing moment, for the programmer at the bottom? I don’t think so.

  2. At first glance, this seemed like an “Oh-My-God!” kind of disaster. But reading the article, this apparently only affects people who use an old version of FileVault that isn’t even supported by the new OS.

    And since most average users don’t use FileVault (or probably even know what it is), this is a non-issue about a non-issue.

    And THIS is what’s got all the anti-Apple boys at ZDNet up in arms? Oh, please…

    1. Yeah, I started reading the article thinking Apple was going to have a media headache.

      Then I saw the small number of people that would be affected.

      Still an Apple problem, but not as widespread as the headline suggests.

  3. Given its recent record of product problems, Apple appears to have a “quality control” problem in general. Does Apple actually real-world test products from design to production before release? We love you Apple, but please give us design and function, not design at the expense of function!

    1. This kind of thing could have easily happened even while Steve Jobs was around. Steve didn’t go through lines of code checking for stuff like this. This is a small problem that affects a very, very small number of people (those still using the old version of FileVault). What will happen now is the same thing that would have happened when Steve was around: it will get fixed and possibly someone will get fired.

      1. Note however that a person still needs administrative or root access to be able to view the file. That would apply to Time Machine backups as well, so very few people would be able to see the passwords.

        Still a significant “oops” which simply cannot occur when dealing with encryption and security. What if something had been left in which rendered it impossible to open any files secured by FileVault after being encrypted? Or if Time Machine backups scrambled the password such that you could never restore anything?

        Apple does need to tighten up its QC on software. There have been significant bugs in OS X, but also in apps like iTunes, iPhoto, etc. which have been significant. The kinds of bugs which longtime Mac users aren’t used to seeing and which we shouldn’t see.

        1. I guess you’ve forgotten all the years that preceded Mac OS X (let’s say 10.6.8, shall we? 🙂). Mac OS 9 wasn’t anyone’s shining example of a bug-free OS!!! When was the last time Lion kernel panicked on you? (Now I do totally agree that users shouldn’t see bugs — but don’t you react with surprise when one of the apps you mentioned crashes? Everything *old* seems to be getting more and more stable as the bedrock gets more stable.)

  4. This would only apply to extremely advanced users… 99% of users probably aren’t even aware of FileVault… Trolling for news…

    And yes… It would have equated to “former Apple developer’s blunder”.

    1. Also most of those advanced users also wouldn’t be affected as they would have updated to the newest version of FileVault as advanced users tend to do.

  5. All you blowing gaskets think about two classes of people in this workforce: The programmer who made the mistake and the programmer who would replace said programmer. Who do you think is LESS likely to ever make such a mistake again? If you keep replacing *seasoned* workers with unseasoned ones, accidents like this keep happening. As the billboard says: “Experience is gained by making mistakes; mistakes occur because of lack of experience.”

  6. It may only be 1%, but what if that 1% are all Fortune 500 companies, with very sensitive data to protect? That is a big deal, to them and their potential enemies.
    It goes without saying that FileVault users will have sensitive data to protect and would be very pissed if this error allowed in a hacker from the competition.
