Apple's latest Lion update stores passwords in cleartext [Update]

April was not a good month for Apple, as Flashback infected over half a million OS X machines, followed a little later by a new Mac-specific Java vulnerability called SabPub. Kaspersky Labs even stirred up user emotions after commenting that Apple's security is "10 years behind Microsoft."

Unfortunately for Apple, the hits keep on coming in May, as security researcher David Emery has uncovered a setting within Lion 10.7.3 that tells the operating system to store user passwords in cleartext. It appears that a developer turned on a debugging flag to store this data but forgot to turn it off before submitting the code for the OS update.

According to the article, a machine is vulnerable if it was using FileVault encryption prior to Lion then later upgraded to Lion. The vulnerability does not extend to FileVault 2.

While many may say that the risk is low since only users in the administrator group can read the file, this isn't entirely true. The article describes a further risk, especially for enterprises that rely on encryption to protect sensitive data on portable laptops.

This is worse than it seems, since the log in question can also be read by booting the machine into firewire disk mode and reading it by opening the drive as a disk or by booting the new-with-Lion recovery partition and using the available superuser shell to mount the main file system partition and read the file. This would allow someone to break into encrypted partitions on machines they did not have any idea of any login passwords for.

Even more interesting is that this issue was apparently discovered back in February, right after the 10.7.3 upgrade. A user by the name of tarwinator posted the issue on Apple's support forums, but nobody from the company commented on the post.

Apple desktops are gaining market share and, as predicted, this means more people will be looking to exploit the system for personal gain. So much for Apple's security being leaps and bounds better than Microsoft's.

UPDATE: After the story broke, the thread on Apple's site started to gain some traction. The most interesting post is from the original poster, who notes that the bug may not have anything to do with FileVault or the Lion upgrade process after all.

I've just tried logging in as a network user in a newly set up and updated Lion VM (VMware Fusion) and ran into the same behavior. FileVault was never active on this system.

Image Courtesy of Apple's Support forum

44 Comments

Come on Apple fanboys, let's hear you making stupid statements and talking about other products on the article that has, with facts, clearly named and shamed macOS security. I see a rough year ahead; security companies and hackers are aware how bad security is with Apple and they will audit every memory address of every Apple product.

Wonderful to find this out - we have a number of MBPs in our organization and all but a few are at the C-suite level. Checking on our environment and testing this morning - the guys on the help desk and our security officer are loving this one. Happy Monday!

Interesting to note that the original finder of this security hole has now commented that he doesn't think it has anything to do with FileVault and it can actually happen on a clean install of Lion.

Even more interesting is that this issue was apparently discovered back in February, right after the 10.7.3 upgrade. A user by the name of tarwinator posted the issue on Apple's support forums, but nobody from the company commented on the post.

Considering OS X Lion v10.7.4 is in the works, it could very well be that Apple is addressing the issue through that update. The company not officially responding to posts on their forums doesn't mean they're not aware of the issue.

.Neo said,

Considering OS X Lion v10.7.4 is in the works, it could very well be that Apple is addressing the issue through that update. The company not officially responding to posts on their forums doesn't mean they're not aware of the issue.

3 months to fix such a gaping security issue? That's pretty bad!

VWW said,

3 months to fix such a gaping security issue? That's pretty bad!

Apple could definitely improve on their response time. I totally agree. I'm just saying that Apple not posting on their forum doesn't mean they're not aware of the issue.

yowanvista said,
They should patent this awesome flaw!

Indeed, saving passwords in text format so everyone can get it will be the next patent by Apple!

yowanvista said,
They should patent this awesome flaw!

Unfortunately, there's a lot of prior art in the practice of using plaintext passwords.

Northgrove said,

Unfortunately, there's a lot of prior art in the practice of using plaintext passwords.

Don't be stupid, Apple invented this and will be granted a patent for it in 3...2...1...

vhaakmat said,
Hopefully this will finally put the fable to rest that Macs are More secure than PCs

Did you read the article? This doesn't actually affect machines that only run OS X Lion or later. Using your logic PCs aren't secure at all because many are still running heavily outdated Windows versions.

.Neo said,

Did you read the article? This doesn't actually affect machines that only run OS X Lion or later. Using your logic PCs aren't secure at all because many are still running heavily outdated Windows versions.

Can't remember people still running ME/98/95... At least I don't know any.

.Neo said,

Did you read the article? This doesn't actually affect machines that only run OS X Lion or later. Using your logic PCs aren't secure at all because many are still running heavily outdated Windows versions.

Actually, it appears that may be inaccurate and that it can occur on a clean install of Lion. Check the update.

.Neo said,

Did you read the article? This doesn't actually affect machines that only run OS X Lion or later. Using your logic PCs aren't secure at all because many are still running heavily outdated Windows versions.

I needed a good laugh this morning, thanks!

Parrot said,
I needed a good laugh this morning, thanks!

Isn't it great how we make each other laugh?

alwaysonacoffebreak said,
Can't remember people still running ME/98/95... At least I don't know any.

You're under the impression that the latest version is Windows XP?

.Neo said,

Isn't it great how we make each other laugh?


You're under the impression that the latest version is Windows XP?

XP is still being updated to 2014 and if you're smart enough (which it seems you're not) you'll get the updates to 2015. Something being 10 years (or more) old doesn't mean it doesn't work. I've got a Honda from 1996; should I just sell it for scrap because it's old? Jesus. iFanboys.

E: Now ME/98/95 are outdated. XP, on the other hand, is not.

alwaysonacoffebreak said,

XP is still being updated to 2014 and if you're smart enough (which it seems you're not) you'll get the updates to 2015. Something being 10 years (or more) old doesn't mean it doesn't work. I've got a Honda from 1996; should I just sell it for scrap because it's old? Jesus. iFanboys.

E: Now ME/98/95 are outdated. XP, on the other hand, is not.


XP is out of date, by quite a large margin. Though that is dependent on your definition of out of date.

Technology? Yes XP is out of date by quite a large margin.

Security? Yes XP is quite out of date.

Update? Yes and no. Yes, XP will receive updates, but it is in extended support, which I think means it will only receive critical security fixes. Normal hotfixes that don't affect the security of XP (which is **** in general anyway) but patch a bug or two won't be released.

alwaysonacoffebreak said,

XP is still being updated to 2014 and if you're smart enough (which it seems you're not) you'll get the updates to 2015. Something being 10 years (or more) old doesn't mean it doesn't work. I've got a Honda from 1996; should I just sell it for scrap because it's old? Jesus. iFanboys.

E: Now ME/98/95 are outdated. XP, on the other hand, is not.


Apparently you lack the wits to read properly, because nowhere did I say that Windows XP doesn't work. I know companies that still run the RTM, SP1 or SP2 versions of Windows XP, which one could consider as being outdated. Both Windows Vista and 7 have improved security, so arguably Windows XP is outdated by that measure as well.

SP1 and SP2? Well, you need to tell those companies to upgrade to SP3. It's been out for enough time already. Where I work most of the PCs still use XP, but also on XP3 and with paid anti-virus, extra firewalls etc. Believe me, those XPs are more secure than your PC ever will be.

.Neo said,

Isn't it great how we make each other laugh?

Absolutely! In fact, I bet if we knew each other in real life, we'd look like a couple of old ladies arguing all the time about trivial things.

Reminds me of when Lion was launched and it allowed anyone on LDAP login to log in with a wrong password...
If I'm honest, the Mac stores the password in memory in cleartext for encryption, so it doesn't even hash it and use the hash or whatnot? LOL, right, okay, good encryption that...

kiddingguy said,
Looks like OS X can be compared to Windows with these incidents...
Hardly. MS hasn't stored passwords in plaintext since like 3.1.

Xerax said,
Hardly. MS hasn't stored passwords in plaintext since like 3.1.

As I understand it, this isn't OS X 'storing passwords in plaintext' but instead accidentally logging the password entered to a debug file.

This is also only for users of an old version of FileVault.

Stetson said,

As I understand it, this isn't OS X 'storing passwords in plaintext' but instead accidentally logging the password entered to a debug file.

This is also only for users of an old version of FileVault.


It's still the passwords being stored in plain text. Helpful support out there...