A recently discovered security flaw in OS X Lion causes users’ login passwords to be stored in unencrypted plain text files. The files are accessible to anyone with the computer’s admin password. What’s more, with a little effort, someone who doesn’t know the admin password can get at the files as well, with a little extra effort.
This flaw was discovered late last week by David Emery, who posted about it on Cryptome.org. It seems that in the latest release of OS X Lion a debug switch was turned on and never turned off. This caused the system to create a plain text file with the login passwords for all users who used FileVault to encrypt their home directories.
The password data can be read by anyone with access to the administrator password for the computer. What’s more, it can also be accessed by anyone at all if they either boot to a firewire disk or boot from the OS X Lion recovery partition and access the main file system.
Fortunately, this doesn’t affect all Lion users. It only affects those who used an older version of FileVault to encrypt their home directory, then upgraded to Lion and maintained the older encrypted directory. Those who use FileVault 2 – bundled with Lion – are safe. FileVault 2 encrypts the entire disk, meaning that the file system can only be accessed by someone who knows at least one user password.
This is a potentially significant problem for business users, who often rely on FileVault to protect sensitive data. Exploiting this flaw could allow that data to be compromised. What’s more, as ZDNet points out, this also applies to Time Machine backups. A stolen backup drive would include the plain text file with the password, as well as the encrypted backups, thereby defeating the purpose of encrypted backups.
Emery speculates that the debug switch was left on by accident when the Lion 10.7.3 released in February. No subsequent updates have addressed the problem, though. I reached out to Apple to ask what their recommended course of action was, and whether a future update of Lion would address the issue, but have not yet received a response.
This isn’t the first time Apple has made a mistake like this in the release of a software update. Back in December they released an updated build of iOS 5.0.1 that left the iPhone’s main file system completely unencrypted. This cleared the way for legal ports of the iPhone 4S’s Siri to be created for jailbroken iOS devices other than the 4S. Several such ports appeared in the Cydia store in short order.
This bug, however, is a bit more problematic. You can probably expect an update to Lion fairly soon that deals with the issue.