First Malware, Now This? Apple's FileVault Exposes User Passwords
May 7, 2012

First Malware, Now This? Apple’s FileVault Exposes User Passwords

Michael Harper for

It's easy for the world to find your blemishes when every spotlight is fixed upon you. As Apple sells millions upon millions of iPads, iPhones and Macs, each problem can become glorified and magnified. For example, the news which broke last month about the FlashBack backdoor trojan which was affecting Macs worldwide, even in Cupertino: A significant problem, no doubt, but the story wouldn't have been nearly as attention grabbing had it been a Windows-exclusive trojan.

Thus, this week's slip up which is bound to receive its fair share of attention, a bug in FileVault which could potentially display a user's password in plain text where it should be encrypted. This bug only affects those using the latest version of Lion (10.7.3) with the older or legacy version of FileVault, and though this bug has been mentioned before on Apple's support forums, there has yet to be a fix released for this issue.

FileVault is the application used by Macs to encrypt their data, keep is safe from hackers, and even wipe the disks should the need arise.

As David I. Emery writes on Cryptome, someone in Apple's FileVault team accidentally turned on a debug switch (called DEBUGLOG) in the newest release of Lion which displays every login password for the Mac in Plain Text. Of course, with these passwords and login credentials, the Mac in question is then left completely open and vulnerable to an attack.

“This is worse than it seems,” writes Emery, “since the log in question can also be read by booting the machine into firewire disk mode and reading it by opening the drive as a disk or by booting the new-with-LION recovery partition and using the available superuser shell to mount the main file system partition and read the file.”

“This would allow someone to break into encrypted partitions on machines they did not have any idea of any login passwords for.”

Emery suggests the easiest way for users to protect themselves is to update their version of FileVault to FileVault 2, as the bug in 10.7.3 doesn't affect this version. Additionally, FileVault 2 uses whole disk encryption, better safeguarding the Mac.

Those using Apple's TimeCapsule may be even more at risk, as an uncovered password could potentially unlock any data found within these backups, giving attackers access to any old information stored on the drive.

Those calling for Apple's attention to this matter may have to wait a while longer, as Apple notoriously takes their time until they have an exact answer and fix to these kinds of issues. These plain text passwords were first mentioned on Apple's Support Forums as early as February of this year, and haven't been discussed in the thread until Emery broke the news on Cryptome.

According to ZDNet, Emery has also said Apple's newest update to Lion (Mountain Lion or 10.7.4) won't fix the problem if there is a legacy FileVault partition being used. Apple plans to release 10.7.4 this summer.

As always, the best way to protect your Mac is to keep it fully up-to-date by running Software Update and having your applications check for new updates automatically.