Password Security Hole Discovered in Certain FileVault Configurations on OS X 10.7.3

by

filevault iconZDNet reports on the discovery of a significant breach of password security for certain users of Apple's FileVault encryption system under OS X Lion. Affected systems currently store the login information for every recent user of the machine in plain text, allowing for easy circumvention of encryption.

In specific configurations, applying OS X Lion update 10.7.3 turns on a system-wide debug log file that contains the login passwords of every user who has logged in since the update was applied. The passwords are stored in clear text.

Anyone who used FileVault encryption on their Mac prior to Lion, upgraded to Lion, but kept the folders encrypted using the legacy version of FileVault is vulnerable. FileVault 2 (whole disk encryption) is unaffected.

The issue was noted last Friday by David Emery on the Cryptome mailing list.

This is worse than it seems, since the log in question can also be read by booting the machine into firewire disk mode and reading it by opening the drive as a disk or by booting the new-with-LION recovery partition and using the available superuser shell to mount the main file system partition and read the file. This would allow someone to break into encrypted partitions on machines they did not have any idea of any login passwords for.

Emery also offers some suggestions for dealing with the issue, including turning on FileVault 2 and setting a firmware password on the machine in question.

The issue was actually first noted in the Apple discussion forums back on February 6, just days after OS X 10.7.3 was released to the public. That poster now notes that the issue may extend further than just the specific FileVault situation outlines by others, as he notes that he has experienced the same behavior on an OS X Lion virtual machine through VMware Fusion, without FileVault ever having been active on the installation. Consequently, the extent of the issue may not yet be fully known.

Apple has yet to offer any response to the issue, although it is unclear when the company became aware of it. Apple touts the security features of OS X Lion in its promotional materials for the operating system, with a focus on FileVault as an important component of that security, and it seems likely that the company will move as quickly as possible to investigate and fix the issue.

Popular Stories

iOS 26 Battery Glass Feature

Apple Says Installing iOS 26 Might Impact Battery Life

Monday September 15, 2025 10:56 am PDT by
In the iOS 26 release notes, Apple is warning iPhone users that installing the new software might have a temporary impact on battery life, which is normal. A new support document explains that major iOS updates require background setup like indexing data and files for search, downloading new assets, and updating apps. Further, Apple says that new features could require more resources,...
Read Full Article122 comments
AirPods Pro Firmware Feature

AirPods Pro 2 and AirPods 4 Get iOS 26 Features With New Firmware Update

Monday September 15, 2025 10:50 am PDT by
Apple today released updated firmware for the AirPods Pro 2 and the AirPods 4, introducing support for the new AirPods features that are included in iOS 26, iPadOS 26, and macOS Tahoe. The firmware has a build number of 8A356, and it replaces the current 7E93 firmware. With Apple's new software updates, the AirPods Pro 2 and the AirPods 4 support better audio quality for phone calls and...
Read Full Article67 comments
iOS 26

iOS 26.1 to iOS 26.4: Here Are 5 New Features to Expect on Your iPhone

Tuesday September 16, 2025 11:17 am PDT by
iOS 26 was finally released on Monday, but the software train never stops, and the first developer beta of iOS 26.1 will likely be released soon. iOS 18.1 was an anomaly, as the first developer beta of that version was released in late July last year, to allow for early testing of Apple Intelligence features. The first betas of iOS 15.1, iOS 16.1, and iOS 17.1 were all released in the second ...
Read Full Article37 comments
iOS 26 on Three iPhones

iOS 26's Liquid Glass Design Draws Criticism From Users

Wednesday September 17, 2025 2:56 pm PDT by
It's been two days since iOS 26 was released, and Apple's new Liquid Glass design is even more divisive than expected. Any major design change can create controversy as people get used to the new look, but the MacRumors forums, Reddit, Apple Support Communities, and social media sites seem to feature more criticism than praise as people discuss the update. Complaints There are a long...
Read Full Article552 comments
Tim Cook Rainbow

Apple Reportedly Plans to Launch These 10 Products in 'Coming Months'

Sunday September 14, 2025 8:45 am PDT by
Apple's annual September event is now in the rearview mirror, with the iPhone 17, iPhone 17 Pro, iPhone 17 Pro Max, iPhone Air, Apple Watch Series 11, Apple Watch Ultra 3, Apple Watch SE 3, and AirPods Pro 3 set to launch this Friday, September 19. As always, there is more to come. In his Power On newsletter today, Bloomberg's Mark Gurman said Apple plans to release many products in the...
Read Full Article83 comments
iOS 26 Glass Feature

iOS 26: The Top 100 New Features and Changes

Tuesday September 16, 2025 12:26 pm PDT by
Apple released iOS 26 on September 15, and it's now available for all iPhone users with a compatible device. There are a lot of changes and features to learn about, so if you want a quick, easy-to-read list that outlines what's new, we've got you covered. Design Liquid Glass design that reflects light and refracts what's underneath. It's system wide, with dynamic tab bars and toolbars...
Read Full Article37 comments
new iphone lockscreen ios 26

iOS 26: All the New iPhone Lock Screen Customizations

Tuesday September 16, 2025 5:56 am PDT by
Apple has now made iOS 26 available to download on compatible iPhone models, and if you just installed the new software, Apple has made some changes and feature additions to the iPhone Lock Screen that you may want to check out. To download iOS 26 on your iPhone, go to Settings ➝ General ➝ Software Update, then let your device check Apple's servers for the latest software. Wait for the...
Read Full Article46 comments

Top Rated Comments

loveturtle Avatar
loveturtle
174 months ago
What's the difference between FileVault and FileVault 2? I use 2, but are there any reasons someone would be unable to upgrade from the original to the new version?

If not, this seems like a non-issue.

This is not a non-issue. Don't be an apologist. There are legitimate reasons to use FileVault v1 over v2. v1 encrypts your home directory while v2 encrypts the whole filesystem. If you have untrusted users on the same computer (say shared with a family) v2 will give other users full access to your files while v1 will encrypt on a per home directory basis and another user will be unable to see your files.

Even if there were no legitimate reason to use v1 over v2 that is still no excuse. This is a serious oversight with serious consequences. Now these kind of things happen and the fact that it happened is not an insult to Apple. However, there is no excuse for it going unpatched for this long. There should have been a patch immediately after it was discovered. There is no excuse for that.
Score: 15 Votes (Like | Disagree)
Small White Car Avatar
Small White Car
175 months ago
I'm actually one of those people who like the user-features added to Lion, but doesn't it seem like the behind-the-scenes stuff in Lion is the sloppiest work in ANY version of the Mac OS?

I just feel like I'm seeing more stories like this these days than I did in past years.
Score: 13 Votes (Like | Disagree)
3282868 Avatar
3282868
174 months ago
This is one reason why I wish Apple would start hiring more engineers instead of shuffling them back and forth between iOS and OS X departments as they have since before the first iPhone launch in 2006 (Leopard was delayed twice to an October '06 release as engineers from OS X were shifted to iOS).

It's been stated Jobs hated hiring more, and kept a tight knit group of engineers. Perhaps more would help alleviate/diminish the odds of such programming flaws. Who knows. Either way, I'm sure it wouldn't hurt.

I'm actually one of those people who like the user-features added to Lion, but doesn't it seem like the behind-the-scenes stuff in Lion is the sloppiest work in ANY version of the Mac OS?

I just feel like I'm seeing more stories like this these days than I did in past years.
Agree. From what I gather, engineers are strained, being spread across iOS OS X departments. In part to unify the group but also in keeping with Jobs' desire for a small engineering base. It seems to be negatively effecting some aspects to their OS's.
Score: 11 Votes (Like | Disagree)
tigres Avatar
tigres
174 months ago
Apple will provide a fix for all of us @ the 10.8.3 juncture.;)
Score: 6 Votes (Like | Disagree)
HelveticaRoman Avatar
HelveticaRoman
174 months ago
If Apple were an airline, there's still a better than 80% chance you'd get to your destination safely.
Score: 4 Votes (Like | Disagree)
loveturtle Avatar
loveturtle
174 months ago
On point 1 above, if you use V2 you still cannot access another users files without root access. The system owner should set a root pw. If you set a root pw then others cannot get simple access to other users folders even if they're set as admin level. Although this has nothing to do with the security issues just revealed.

That's not true. Any admin user can spawn a root shell without the root password.

turtle@vier ~ $ whoami
turtle
turtle@vier ~ $ sudo su
vier turtle # whoami
root
vier turtle #

No password required other than the admin user password. That's not the point anyway, system passwords should not be logged in clear text period. Again, the fact that this happened isn't as big of a problem as the fact that it hasn't been patched yet.
Score: 4 Votes (Like | Disagree)
Read All Comments