Mac OS X leaking passwords of FileVault users
Users of older Mac OS X versions who upgraded to the current Mac OS X 10.7.3 "Lion" and opted to stick with the older version of the FileVault encryption system may have a problem. It appears that Apple developers enabled a debug option in 10.7.3 which makes the user's password appear in clear text in a log file whenever the user mounts the encrypted folder. The problem was identified by security expert David I. Emery, who reported the issue on a security mailing list.
The problem appears to affect only users who upgraded from Snow Leopard to Lion and did not activate the new FileVault encryption on Lion, which switches to encrypting the whole hard disk rather than just the user's home directory. New users and new installations of Mac OS X Lion are not believed to be exposed to this risk.
The log file that the clear text password is written to is maintained for several weeks and is only accessible by administrators. But the data in the log can be accessed if the system is in FireWire disk mode, working as a hard drive to another computer, or if a user uses the super-user shell from the recovery partition. Emery says that unencrypted Time Machine backups may also contain the unprotected passwords in backed-up log files; however, Time Machine does not back up the log file, secure.log, so it is unclear why Emery suggests this.
The bug was originally spotted by a user named "tarwinator" on the Apple Support Communities forums in early February. His posting was not acknowledged or commented on by anyone until this past weekend. Tarwinator is currently investigating whether this issue is restricted to FileVault home directory mounting or if it affects network mounting of user home directories. A discussion on Novell forums from late April suggests that this may well be the case; the same discussion also notes that a beta of Mac OS X 10.7.4 does not suffer from the password leakage issue.
Setting a firmware password is not a complete protection; according to Emery, although the secondary password is needed before the system is booted or started in FireWire disk mode, Apple, at least, has a way to get around that requirement.
Users can check if they are exposed to the password leakage by selecting "Security & Privacy" in Preferences. If they are using the legacy FileVault, users will be prompted to either disable it or continue using it. Disabling it and then re-enabling it will activate the new version of FileVault with full disk encryption. Once these steps have been taken, users should change their password and consider deleting the