Mac FileVault passwords stored in clear text

Powered by SC Magazine

Flawed update contained debug logs that trap passwords.

Passwords for Apple Mac FileVault are being stored in the clear due to a borked OS X security update issued in February.

The security hole affected OS X Lion users under specific conditions and could allow passwords for the local encryption software to be harvested.

It occurred because the update 10.7.3 contained an accessible debugging facility that appeared to have been accidentally left open. The logs would detail clear text FileVault passwords for every user who logged in since the update was applied.

An attacker could bypass the OS X log-in screen and access the passwords by “booting the machine into firewire disk mode and reading it by opening the drive as a disk or by booting the new-with-LION recovery partition and using the available superuser shell to mount the main file system partition and read the file”, security researcher David Emery said.

“This would allow someone to break into encrypted partitions on machines they did not have any idea of any login passwords for.”

Emery discovered the flaw and disclosed details on the Cryptome mailing list.

“... Having the password logged in the clear in an admin readable file *COMPLETELY* breaks a security model - not uncommon in families - where different users of a particular machine are isolated from each other and cannot access each others files or login as each other with some degree of assurance of security,” he said.

Apple has not responded to disclosure of the flaw.

Passwords were also accessible through a log contained within system backups created by Apple's Time Capsule software.

Users were only affected if they had used FileVault prior to upgrading to OS X Lion and applying the bad software update.

Emery said users could protect themselves from the firewire disk and recovery partition attacks by using the FileVault 2 whole disk encryption software. Users should also set a firmware password which would be required on boot.

Users who either upgrade to FileVault 2 or disable the legacy software should change their passwords to render invalid the passwords recorded in the logs.

“Carefully built crypto has a unfortunate tendency to consist of three thick impregnable walls and a picket fence in the back with the gate left open,” Emery said.

Copyright © SC Magazine, Australia

Mac FileVault passwords stored in clear text
Top Stories
How hard do you hack back?
[Blog post] Taking the offensive could have unintended consequences.
Five zero-cost ways to improve MySQL performance
How to easily boost MySQL throughput by up to 5x.
The big winners from Defence’s back-office IT refresh
Updated: The full list of subcontractors.
Sign up to receive iTnews email bulletins
Latest Comments
Which is the most prevalent cyber attack method your organisation faces?

   |   View results
Phishing and social engineering
Advanced persistent threats
Unpatched or unsupported software vulnerabilities
Denial of service attacks
Insider threats