Apple Security Blunder Exposes Lion Login Passwords In Clear Text

← Back to Stories (view on slashdot.org)

Apple Security Blunder Exposes Lion Login Passwords In Clear Text

Posted by samzenpus on Sunday May 6, 2012 @06:10AM from the whoops dept.

An anonymous reader writes "An Apple programmer, apparently by accident, left a debug flag open in the most recent version of its Mac OS X operating system. In specific configurations, applying the OS X Lion update 10.7.3 turns on a system-wide debug log file that contains the login passwords of every user who has logged in since the update was applied. The passwords are stored in clear text."

16 of 205 comments (clear)

Min score:

Reason:

Sort:

Great by lemur3 · 2012-05-06 06:12 · Score: 5, Funny

now i can find out what my password is.
ive been resisting a reboot for ages!
1. Re:Great by beelsebob · 2012-05-06 07:33 · Score: 5, Informative
  
  Yes, because having a known md5 hash to transmit in plain text is much more secure than having a known password to submit in plain text.
  If you want to do this properly, you use SSL for login (and possibly more) or you implement a secure password exchange protocol (e.g. SRP).
2. Re:Great by icebraining · 2012-05-06 08:07 · Score: 5, Interesting
  
  You obviously have no fucking clue of what you're saying. If you hash the pass before sending, then what happens if someone sniffs the connection? They can just send the hash!
  The hash effectively becomes the password.
  So no, it doesn't increase security. But you know what does? Two-factor authentication. And do you know what big consumer oriented company start offering those first? I'll give you an hint.
  
  --
  Dilbert RSS feed
3. Re:Great by gutnor · 2012-05-06 09:19 · Score: 5, Informative
  
  The hash effectively becomes the password.
  Come on now, nobody simply hash the password: you timestamp it and salt it first then hash it. That is how it is done, and you know it. So yes the parent is incorrect, but saying that hashing is useless is misinformation. If you properly hash, a sniffer will be able to use the hash as a password only once. So that is a man in the middle, that sucks but it is not a complete pwnage as you suggest it is.
Do they have a build process? by msobkow · 2012-05-06 06:16 · Score: 5, Insightful

When I build a system for Linux distribution, I use scripts to configure the options on the build server. I don't use manually specified configurations from developer workstations.
Doesn't Apple grasp this concept of source code versioning and build management? Or was the debug flag in question hard-coded in the source rather than specified as a build option? If so, Apple needs to revisit it's coding structure and figure out how to set BUILD TIME options instead of hard coding them.

--
I do not fail; I succeed at finding out what does not work.
1. Re:Do they have a build process? by Kjella · 2012-05-06 07:11 · Score: 5, Informative
  
  Well I've seen many logging frameworks where debug logging and application logging was simply a different severity level, particularly since you may want crash/debug logs from users. All it takes is one sloppy developer that needed a log output, copy-pasted an application log line instead of a debug log line, because it's only temporary and you're going to take it out right? Both works for him. And then suddenly you end up with debug info in your production logs. I don't see why this would have to be a problem with their build process.
  
  --
  Live today, because you never know what tomorrow brings
2. Re:Do they have a build process? by icebraining · 2012-05-06 08:11 · Score: 5, Insightful
  
  There is no way you can protect yourself against careless developer.
  Of course there is. It's called "code review".
  
  --
  Dilbert RSS feed
Re:Really? by michelcolman · 2012-05-06 06:32 · Score: 5, Informative

Your login password also unlocks the encryption password for FileVault. The login passwords were apparently logged in a file outside of the encrypted image. (Only for the old pre-lion version of FileVault running under Lion)
We have QA processes which automatically detect by gcnaddict · 2012-05-06 06:50 · Score: 5, Insightful

things such as debug logs during testing.

Does Apple have no such thing? This leads me to think that Apple either has no development lifecycle or, in case they have one, only half-heartedly obey it.

--
Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
Re:I wonder what the comment said... by Mr.+Underbridge · 2012-05-06 06:56 · Score: 5, Funny

//REMEMBER TO COMMENT THIS SHIT OUT SO I DONT GET FIRED
Filter error: Don't use so many caps. It's like YELLING....
Re:malware by IamTheRealMike · 2012-05-06 07:02 · Score: 5, Funny

Oh yes, you're right. It sounds like it only impacts people who actually want / need security. So that's OK then.
Re:malware by Smurf · 2012-05-06 07:15 · Score: 5, Informative

Oh yes, you're right. It sounds like it only impacts people who actually want / need security. So that's OK then.
No, because the people who actually want/need security would have already turned off the legacy FileVault (i.e., the one that only encrypts the user's home directory leaving the system directory where the log file in question is located unprotected) and turned on the new FileVault which encrypts the whole disk, including all system directories. That was one of the few really compelling features of Lion.
BTW, this is a Mac OS X 10.7.3-specific issue. It does not affect users of pre-Lion systems which only have the legacy FileVault option.
Re:lucky for me... by Sancho · 2012-05-06 07:18 · Score: 5, Interesting

Some "strange" reason?
How about you've got multiple users on the machine? With Filevault2, any user can unlock the whole disk. As much as I like macs, it's a complete joke. With Filevault1, you had homedir encryption on a per-user basis. My files were secure from other users of the machine.
Typical Apple by toadlife · 2012-05-06 07:35 · Score: 5, Funny

Copying features from Microsoft products again.

--
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
Just a bug by lucm · 2012-05-06 09:47 · Score: 5, Insightful

Somehow I have a feeling that if this same kind of "bug" had been found in another operating system, such as one coming from Redmond, the discussion and media coverage would have been quite different, and there would have been much more Slashdot comments on this story.
We are talking about passwords stored in clear text, no fix yet, and based on the article, no assurance that the fix would remove copies of the unencrypted passwords. For a company that was wondering how to spend 100 billions. What a joke.

--
lucm, indeed.
timestamp it and salt it and then hash it? by YesIAmAScript · 2012-05-06 11:45 · Score: 5, Insightful

First, if you timestamp it, you don't need to salt it. The password would effectively have a lifetime of minutes at best, so adding a salt doesn't improve anything.
Second, your idea ruins the whole point of using a trapdoor function (what the internet means by "hash"). The point of the trapdoor function is that the server doesn't have to have your password stored on it, because you can just verify the password presented by comparing a hashed form of the presented password to the hash you have stored.
But with a time+password hashing scheme, the server must know the user's password because each time the user logs in, the must construct a new hash from the password and the current time.
So, if your server is going to know the password, just use a shared secret system like SRP. Then you get two-way mutual authentication too.

--
http://lkml.org/lkml/2005/8/20/95