Clear Password bug... 
What's a life?
Joined: Thu Apr 23, 2009 8:25 pm
Posts: 10691
Location: Bramsche
http://www.zdnet.com/blog/security/appl ... text/11963

It seems an Apple Dev left a debug option switched on, which stores passwords in Lion 10.7.3 in the clear - for machines upgraded from Snow Leopard at least.

The problem was logged on the official Apple Support forums about 3 months ago, but so far Apple haven't addressed the problem.
Quote:
In specific configurations, applying OS X Lion update 10.7.3 turns on a system-wide debug log file that contains the login passwords of every user who has logged in since the update was applied. The passwords are stored in clear text.


Quote:
This is worse than it seems, since the log in question can also be read by booting the machine into firewire disk mode and reading it by opening the drive as a disk or by booting the new-with-LION recovery partition and using the available superuser shell to mount the main file system partition and read the file. This would allow someone to break into encrypted partitions on machines they did not have any idea of any login passwords for.


Quote:
Since the log file is accessible outside of the encrypted area, anyone with administrator or root access can grab the user credentials for an encrypted home directory tree. They can also access the files by connecting the drive via FireWire. Having done that, they can then not only read the encrypted files that are meant to be hidden from prying eyes, but they can also access anything else meant to be protected by that user name and password.


Probably not a major problem for single-user Mac owners who don't take their Macs with them, but could be a problem in companies or families, where people share devices or if a device is stolen.

Edit: This also affects TimeMachine backups - even though they would normally require a password for the encrypted files, the clear text password is stored in the TM log file!

_________________
"Do you know what this is? Hmm? No, I can see you do not. You have that vacant look in your eyes, which says hold my head to your ear, you will hear the sea!" - Londo Molari

Executive Producer No Agenda Show 246


Mon May 07, 2012 6:18 am