Apple's recent update introduced a vulnerability for its users: an apparent programming mistake, tied to FileVault encryption technology, could expose passwords in clear text.
Fortunately, very few people will be affected. To be hit by the problem, you need to have used FileVault encryption prior to Lion, upgraded to Lion, and kept the folders encrypted using the legacy version of FileVault. If you did, the OS X 10.7.3 update will have turned on a debug log file outside of the encrypted area of the OS, which stores user passwords in plain text.
Security researcher David Emery warns of a new vulnerability involving the FileVault feature in Mac OS X Lion, version 10.7.3, which allows for encryption of certain directories. He writes:
Someone, for some unknown reason, turned on a debug switch (DEBUGLOG) in the current released version of MacOS Lion 10.7.3 that causes the authorizationhost process's HomeDirMounter DIHLFVMount to log in *PLAIN TEXT* in a system wide log file readable by anyone with root or admin access the login password of the user of an encrypted home directory tree ("legacy Filevault").
The log in question is kept by default for several weeks...
Thus anyone who can read files accessible to group admin can discover the login passwords of any users of legacy (pre LION) Filevault home directories who have logged in since the upgrade to 10.7.3 in early February 2012.
Apple hasn't yet released a patch that fixes the vulnerability. It is interesting to see how the Mac has become a top target for hackers and phishers all around the world. There have been more vulnerabilities, and as Apple's user base grows there will be a tremendous amount of viruses, malware and other potentially dangerous threats floating around the internet (just as Windows faces a huge number of antisocial elements). Recently, Mac users were hit by a Trojan virus that targeted 650,000 Mac computers.
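
To see which logins since the 10.7.3 upgrade left entries of the kind David Emery describes, an administrator can scan the system log for the process and routine names he cites. The script below is an added example, not code from the original post or from Apple; the syslog-style line layout and the sample lines are constructed assumptions, and the report withholds the message body so it cannot repeat a logged password.

```python
import os
import re
import stat
import sys

# Process and routine names taken from the advisory quoted above.
MARKERS = ("authorizationhost", "DIHLFVMount")

# Assumption: syslog-style lines, "Mon DD HH:MM:SS host process[pid]: message".
SYSLOG_PREFIX = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\s+(\S+)")


def find_exposures(lines):
    """Return (line_no, timestamp, host) per matching line, never the message."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        if not all(marker in line for marker in MARKERS):
            continue
        m = SYSLOG_PREFIX.match(line)
        timestamp, host = (m.group(1), m.group(2)) if m else ("unknown", "unknown")
        hits.append((line_no, timestamp, host))
    return hits


def readable_beyond_owner(path):
    """True if the file mode grants read access to its group or to everyone."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


# Constructed sample; the real debug line format is not shown on this page.
SAMPLE_LOG = """\
Feb  6 09:14:02 mac-01 loginwindow[41]: Login Window Started Security Agent
Feb  6 09:14:31 mac-01 authorizationhost[122]: DEBUGLOG | HomeDirMounter DIHLFVMount | <constructed payload>
Feb  7 18:02:10 mac-01 sshd[310]: Accepted publickey for admin
Feb  9 08:45:55 mac-01 authorizationhost[97]: DEBUGLOG | HomeDirMounter DIHLFVMount | <constructed payload>
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            hits = find_exposures(fh)
        print("readable by group/other:", readable_beyond_owner(sys.argv[1]))
    else:
        hits = find_exposures(SAMPLE_LOG.splitlines())
    for line_no, ts, host in hits:
        print(f"line {line_no}: {ts} {host} [message withheld]")
```

Pass the log file to inspect as the first argument; the post does not name its path, so none is hard-coded here.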