Softpedia
 


May 7th, 2012, 09:44 GMT · By

OS X FileVault Flaw Emerges, Passwords at Risk

Mac owners who used FileVault encryption prior to upgrading to OS X Lion and kept their data encrypted using the old version of FileVault are affected by a security issue, experts warn.

Security researcher David Emery with DIE Consulting explains that, “Someone, for some unknown reason, turned on a debug switch (DEBUGLOG) in the current released version of MacOS Lion 10.7.3 that causes the authorizationhost process's HomeDirMounter DIHLFVMount to log in *PLAIN TEXT* in a system wide logfile readable by anyone with root or admin access the login password of the user of an encrypted home directory tree ("legacy Filevault").”

In plain English, if you haven’t fully upgraded to the new FileVault, your passwords can be retrieved by a third party with bad intentions.

Emery says the log is kept by default for several weeks, “thus anyone who can read files accessible to group admin can discover the login passwords of any users of legacy (pre LION) Filevault home directories who have logged in since the upgrade to 10.7.3 in early February 2012.”

Other security experts say the circumstances that make this flaw exploitable are not easy to come by.

A lot of factors need to come into play before anyone can even attempt to retrieve your passwords using this method. However, that’s not to say the problem is minor.

In fact, “This is worse than it seems,” Emery continues, elaborating on the seriousness of the matter, “…since the log in question can also be read by booting the machine into firewire disk mode and reading it by opening the drive as a disk or by booting the new-with-LION recovery partition and using the available superuser shell to mount the main file system partition and read the file,” he adds.

“This would allow someone to break into encrypted partitions on machines they did not have any idea of any login passwords for,” Emery explains.

Apple is yet to respond to this problem with a software update. Over at CNET's MacFixIt blog, Topher Kessler has a workaround for users looking to address the vulnerability.

