OSX Stores Filevault And Network User Passwords In Plain Text (Known For Past 3 Months)
24 replies, posted
[img]http://static.arstechnica.net/2012/05/07/password_log-4fa7ff4-intro.png[/img]
[quote=ArsTechnica.com]A security flaw in the most recent version of OS X Lion, 10.7.3, can allow anyone with access to system logs to gather passwords to decrypt legacy FileVault home directories or access remote home directories of networked users. Though the flaw was first discovered a whopping three months ago, it has been widely publicized after a security researcher posted details of the flaw to a cryptography mailing list on Friday.
While only users with admin or root access could access the passwords stored as plain text in the log files, it's possible that malware could be created to look into the file for any passwords in order to access personal data.
The security implications are even worse, though, according to security researcher David Emery. "The [system] log in question can also be read by booting the machine into firewire disk mode and reading it by opening the drive as a disk or by booting the new-with-Lion recovery partition and using the available superuser shell to mount the main file system partition and read the file," he wrote to the cryptography e-mail list on Friday. "This would allow someone to break into encrypted partitions on machines they did not have any idea of any login passwords for."
A process called "HomeDirMounter" is used by "authorizationhost" on OS X to mount remote home directories stored on a networked server, commonly in enterprise environments like offices or schools. This process accesses the remote directory and mounts it to a local computer as if it existed locally on the main boot volume. This same process mounts encrypted FileVault home directories created with earlier versions of OS X, which are stored in a separate, encrypted virtual volume (or sparse bundle).
In OS X 10.7.3, HomeDirMounter logs information that appears to have been used for debugging during development of the 10.7.3 update. Among the information it stores in var/logs/secure.log is the password used to mount a home directory, in clear text, anytime a remote or FileVault home directory is mounted.
Thankfully, passwords for standard local users aren't logged. However, users relying on the older FileVault could potentially have their encrypted data exposed to anyone with admin or root access to their machine.
The same vulnerability puts network users at risk—any user with admin privileges could potentially access the secure.log file and grab passwords for other users on the network that have recently used the same machine.
The flaw appears to have first been reported by a German systems administrator who posted about it to Apple's support forums in February. His post went unanswered until this weekend, however, when Emery's detail of the flaw was widely circulated.
No one from Apple appears to have acknowledged the flaw as of yet, but Paul Hazelden, a system administrator working in an education environment, claims in a post on Novell's support forums that betas of the next version of OS X, 10.7.4, do not exhibit the password logging problem. (Hazelden's school uses a Novell authentication service called Kanaka, which is indirectly affected by the same password logging bug.) It's also worth noting that the flaw is not present in OS X 10.7.2.
Until Apple releases the update to OS X, the only workaround appears to be running periodic scripts which purge the debug lines from secure.log. Alternately, local FileVault users can be protected somewhat from external hacks by using FileVault2, which encrypts the entire boot volume instead of just individual home directories.
Apple did not respond to our request for comment on the matter.[/quote]
[url=http://arstechnica.com/apple/news/2012/05/debug-code-in-os-x-1073-exposes-passwords-for-legacy-filevault-network-users.ars][source][/url]
Stay classy, Apple.
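The article's only stopgap is a periodic script that purges the debug lines from secure.log. The script below is an added example, not code from the article or from Apple: it assumes the offending lines carry both the "HomeDirMounter" and "PasswordAsUTF8String" markers on one line, and the sample log layout it uses is constructed rather than a real capture.

```sh
#!/bin/sh
# Added example (not from the article or from Apple): purge HomeDirMounter debug
# lines carrying "PasswordAsUTF8String" from a secure.log-style file, the
# stopgap the article describes. The log line layout in the sample is
# constructed; only the two markers come from the thread.
set -eu

# Pattern for the offending debug lines (assumption: both markers on one line).
PATTERN='HomeDirMounter.*PasswordAsUTF8String'

# Print how many password-bearing lines a log file currently holds.
count_password_lines() {
    grep -c -E "$PATTERN" "$1" || true
}

# Rewrite the log in place without the offending lines. The content is copied
# back into the original file rather than renamed over it, so syslogd's open
# file handle and the log's ownership and mode are preserved.
purge_password_lines() {
    log="$1"
    tmp="$(mktemp "${log}.XXXXXX")"
    grep -v -E "$PATTERN" "$log" > "$tmp" || true
    cat "$tmp" > "$log"
    rm -f "$tmp"
}

# Constructed sample log (not a real capture) used to exercise the functions.
make_sample_log() {
    cat > "$1" <<'EOF'
May  7 09:12:01 mac authorizationhost[188]: HomeDirMounter: mounting network home for alice
May  7 09:12:01 mac authorizationhost[188]: HomeDirMounter: PasswordAsUTF8String = "hunter2"
May  7 09:12:02 mac authorizationhost[188]: HomeDirMounter: mount succeeded
May  7 09:15:40 mac sudo[301]: alice : TTY=ttys000 ; COMMAND=/usr/bin/true
EOF
}

# When given a path (e.g. the secure.log path, from a root-owned periodic job),
# report and purge; with no argument, do nothing so the file can be sourced.
if [ -n "${1:-}" ]; then
    echo "password lines before: $(count_password_lines "$1")"
    purge_password_lines "$1"
    echo "password lines after:  $(count_password_lines "$1")"
fi
```

Run it as root from a launchd or cron job; it removes only what is still in the file, so any copy already taken by someone with admin access is unaffected, which is why the article points FileVault users at FileVault 2.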
"PasswordAsUTF8String"
I'm sorry but this just screams THIS IS NOT VERY SMART AT ALL
Wow, OSX sure is a secure and well built OS.
Oh wow, I would love to hear whoever's fault it is try to justify this somehow.
[QUOTE=squids_eye;35865430]Oh wow, I would love to hear whoever's fault it is try to justify this somehow.[/QUOTE]
It's ~innovative~ and ~magical~ and ~revolutionizes~ the way we have our computers compromised.
I guess Apple took security advice from Sony.
"It's not a huge fucking design flaw, it's a feature! Just think of all the revolutionary ways your data can be stolen!" -whoever programmed that piece of shit
inb4 mass virus breakouts resulting in personal information being stolen.
[QUOTE=Zet;35865622]I guess Apple took security advice from Sony.[/QUOTE]
That was never proven as correct and was more than likely hyperbole created to make them look worse.
But this is fucking atrocious no matter who is doing it, so don't even think about starting shit.
I don't understand how a professional programmer who probably gets paid very good money to program what he thinks is the world's best operating system could have possibly made a stupid choice like this.
My first-ever PHP script (which was my first foray into real programming) stored password hashes, not plaintext passwords, because it's [I]an inherently common-sense idea[/I]. Yes, encrypting passwords is [I]slightly[/I] more complex than one-way hashing, but was it really so difficult that it couldn't be done in an operating system that is advertised as more secure than Windows?
Secure.log is stored in plain text? Seems ironic
Fix this now for only $14.98!
Don't worry they'll fix this with the release of OSX S.
[QUOTE=winsanity;35867896]Don't worry they'll fix this with the release of OSX S.[/QUOTE]
Only $149.99!
secure passwords are just too mainstream :rolleyes:
Whoever says OS X has roots in Unix has not used OS X after 10.2. Even in Unix there is default encryption on the passwords.
[QUOTE=MIPS;35868944]Whoever says OS X has roots in Unix has not used OS X after 10.2. Even in Unix there is default encryption on the passwords.[/QUOTE]
So does this. It's just that somebody who was likely just fired left a debugging tool in this which for some reason shows the files plain text. The very base of OSX is still Darwin.
I don't get what Apple achieves with OSX being partially open source. What has it done?
[editline]7th May 2012[/editline]
or whatever Darwin is supposed to be
[QUOTE=Snowmew;35867583]I don't understand how a professional programmer who probably gets paid very good money to program what he thinks is the world's best operating system could have possibly made a stupid choice like this.
My first-ever PHP script (which was my first foray into real programming) stored password hashes, not plaintext passwords, because it's [I]an inherently common-sense idea[/I]. Yes, encrypting passwords is [I]slightly[/I] more complex than one-way hashing, but was it really so difficult that it couldn't be done in an operating system that is advertised as more secure than Windows?[/QUOTE]
It obviously wasn't intended to be in plain text.
They left on a debug flag somewhere so it was stored in plain text, the intention was to be encrypted.
It was just an issue of not thoroughly testing their shit.
[editline]7th May 2012[/editline]
You should see the atrocious design Microsoft puts into Windows.
Welp fuck
I love how everyone in this thread is blaming the whole of Apple and their products for something one idiot did by leaving a debug flag on. It's not like it was made to store passwords as a string by default.
Store login passwords as plain text.
How the fuck do you fuck up computer security this badly... ?
[QUOTE=Madman_Andre;35870746]Store login passwords as plain text.
How the fuck do you fuck up computer security this badly... ?[/QUOTE]
Be Sony.
[QUOTE=Madman_Andre;35870746]Store login passwords as plain text.
How the fuck do you fuck up computer security this badly... ?[/QUOTE]
See
[QUOTE=Panda X;35870102]I love how everyone in this thread is blaming the whole of Apple and their products for something one idiot did by leaving a debug flag on. It's not like it was made to store passwords as a string by default.[/QUOTE]
[QUOTE=Panda X;35870102]I love how everyone in this thread is blaming the whole of Apple and their products for something one idiot did by leaving a debug flag on. It's not like it was made to store passwords as a string by default.[/QUOTE]
Apple must be blamed for everything because they are an evil company and they killed all the Chinese at Foxconn!