October 28, 2016

OS X Lion FileVault Passwords Written to Debug Log in Plain Text

(LiveHacking.Com) – It has been discovered that the latest OS X Lion 10.7.3 update now logs the FileVault password in a system-wide logfile readable by anyone with root or admin access. The problem is that the .3 update left a debugging option switched on, which logs, in clear text, the FileVault passwords of every user who has logged in since the update was applied.

According to David I. Emery, who disclosed his find on the Cryptome mailing list, “the log in question can also be read by booting the machine into firewire disk mode and reading it by opening the drive as a disk or by booting the new-with-LION recovery partition and using the available superuser shell to mount the main file system partition and read the file.” The result is that an attacker could now break into an encrypted partition without any prior knowledge of the passwords used.

“One wonders why such a debug switch exists in shipped production code… clearly it could be invoked covertly in specific situations, this seems to be an example of someone turning it on for the entire release by accident,” he added. “Nobody breaks encryption by climbing the high walls in front … when the garden gate is open for millions of machines.”

ZDNet has found a post on the Apple Support Communities, where a user noticed the flaw three months ago:

I’ve tried it on another Mac as well, same result: The login of a normal network user writes this log line as his homedir gets mounted. This poses a security risk. We have some users who are local admins, they could ask another user to login on their Mac and look for the password afterwards. Extraction in single user mode would be possible as well. Is this a “speciality” of our environment or is this a known bug? Can I turn this behavior off?

Nobody got back to him.