1. Post #1
    Gold Member
    ASmellyOgre
    June 2008
    4,495 Posts


    ArsTechnica.com posted:
    A security flaw in the most recent version of OS X Lion, 10.7.3, can allow anyone with access to system logs to gather passwords to decrypt legacy FileVault home directories or access remote home directories of networked users. Though the flaw was first discovered a whopping three months ago, it has been widely publicized after a security researcher posted details of the flaw to a cryptography mailing list on Friday.

    While only users with admin or root access could access the passwords stored as plain text in the log files, it's possible that malware could be created to look into the file for any passwords in order to access personal data.

    The security implications are even worse, though, according to security researcher David Emery. "The [system] log in question can also be read by booting the machine into firewire disk mode and reading it by opening the drive as a disk or by booting the new-with-Lion recovery partition and using the available superuser shell to mount the main file system partition and read the file," he wrote to the cryptography e-mail list on Friday. "This would allow someone to break into encrypted partitions on machines they did not have any idea of any login passwords for."

    A process called "HomeDirMounter" is used by "authorizationhost" on OS X to mount remote home directories stored on a networked server, commonly in enterprise environments like offices or schools. This process accesses the remote directory and mounts it to a local computer as if it existed locally on the main boot volume. This same process mounts encrypted FileVault home directories created with earlier versions of OS X, which are stored in a separate, encrypted virtual volume (or sparse bundle).

    In OS X 10.7.3, HomeDirMounter logs information that appears to have been used for debugging during development of the 10.7.3 update. Among the information it stores in var/logs/secure.log is the password used to mount a home directory, in clear text, anytime a remote or FileVault home directory is mounted.

    Thankfully, passwords for standard local users aren't logged. However, users relying on the older FileVault could potentially have their encrypted data exposed to anyone with admin or root access to their machine.

    The same vulnerability puts network users at risk—any user with admin privileges could potentially access the secure.log file and grab passwords for other users on the network that have recently used the same machine.

    The flaw appears to have first been reported by a German systems administrator who posted about it to Apple's support forums in February. His post went unanswered until this weekend, however, when Emery's detail of the flaw was widely circulated.

    No one from Apple appears to have acknowledged the flaw as of yet, but Paul Hazelden, a system administrator working in an education environment, claims in a post on Novell's support forums that betas of the next version of OS X, 10.7.4, do not exhibit the password logging problem. (Hazelden's school uses a Novell authentication service called Kanaka, which is indirectly affected by the same password logging bug.) It's also worth noting that the flaw is not present in OS X 10.7.2.

    Until Apple releases the update to OS X, the only workaround appears to be running periodic scripts which purge the debug lines from secure.log. Alternately, local FileVault users can be protected somewhat from external hacks by using FileVault2, which encrypts the entire boot volume instead of just individual home directories.

    Apple did not respond to our request for comment on the matter.
    [source]

    Stay classy, Apple.
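    The article's only interim workaround is a periodic script that purges the debug lines from secure.log. Below is an added example of such a script, written for this page; it is not Apple's code and not from the Ars article or anyone in this thread. It assumes the leaking entries are authorizationhost DEBUGLOG lines naming HomeDirMounter (the thread quotes the PasswordAsUTF8String token from them), and the sample log excerpt it writes is constructed for demonstration, not a real capture.

```shell
#!/bin/sh
# Added example: find and purge HomeDirMounter debug lines from a secure.log-style
# file. Not Apple's code and not from the thread; the log layout is assumed.

# Assumption: the leaking entries are authorizationhost DEBUGLOG lines naming
# HomeDirMounter. The password follows the PasswordAsUTF8String token, but the
# sibling lines carry the username and share URL, so every HomeDirMounter
# debug line is treated as sensitive and removed together.
LEAK_RE='authorizationhost\[[0-9]+\]: DEBUGLOG.*HomeDirMounter'

# write_sample FILE: constructed secure.log excerpt (not a real capture).
# Two leaking lines followed by two ordinary entries that must survive.
write_sample() {
    cat > "$1" <<'EOF'
Feb 23 10:12:01 macbook authorizationhost[312]: DEBUGLOG | -[HomeDirMounter mountNetworkHomeWithURL:attributes:dirPath:username:] | username=alice
Feb 23 10:12:01 macbook authorizationhost[312]: DEBUGLOG | -[HomeDirMounter mountNetworkHomeWithURL:attributes:dirPath:username:] | PasswordAsUTF8String=hunter2
Feb 23 10:12:03 macbook sudo[330]: alice : TTY=ttys000 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/bin/id
Feb 23 10:12:09 macbook screensharingd[401]: Authentication: SUCCEEDED :: User Name: alice :: Viewer Address: 10.0.0.5 :: Type: DH
EOF
}

# count_leaks FILE: number of sensitive lines. Zero is a normal result, so
# the non-zero exit status grep uses for "no match" is swallowed.
count_leaks() {
    grep -c -E "$LEAK_RE" "$1" || true
}

# purge_leaks SRC DST: write SRC minus the sensitive lines to DST and print
# how many lines were dropped.
purge_leaks() {
    before=$(wc -l < "$1" | tr -d ' ')
    grep -v -E "$LEAK_RE" "$1" > "$2" || true   # exit 1 only when every line was dropped
    after=$(wc -l < "$2" | tr -d ' ')
    echo $((before - after))
}

# Demo on the constructed sample. On a real 10.7.3 box run the two functions
# as root against /var/log/secure.log (see the note below).
tmp=$(mktemp -d) || exit 1
write_sample "$tmp/secure.log"
echo "leaking lines before purge: $(count_leaks "$tmp/secure.log")"
echo "lines removed: $(purge_leaks "$tmp/secure.log" "$tmp/secure.log.clean")"
echo "leaking lines after purge:  $(count_leaks "$tmp/secure.log.clean")"
rm -rf "$tmp"
```

    Two caveats if you run this for real. syslogd keeps secure.log open, so overwrite the live file's contents (`cat clean > /var/log/secure.log`) rather than renaming the clean copy over it, or the daemon keeps writing to the old inode. And purging only limits future exposure: the rotated copies (secure.log.0.bz2 and so on), any Time Machine backup, and anyone who already read the file still have the password, so a password that ever hit this log should be treated as compromised and changed once the fixed release is installed.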

  2. Post #2
    Gold Member
    Murkrow
    April 2005
    4,872 Posts
    "PasswordAsUTF8String"


    I'm sorry but this just screams THIS IS NOT VERY SMART AT ALL

  3. Post #3
    Dennab
    February 2012
    2,299 Posts
    Wow, OSX sure is a secure and well built OS.

  4. Post #4
    Gold Member
    squids_eye
    July 2006
    5,765 Posts
    Oh wow, I would love to hear whoever's fault it is try to justify this somehow.

  5. Post #5
    Dennab
    February 2012
    2,299 Posts
    Originally Posted by squids_eye:
    Oh wow, I would love to hear whoever's fault it is try to justify this somehow.
    Its ~innovative~ and ~magical~ and ~revolutionizes~ the way we have our computers compromised.

  6. Post #6
    Zet
    Gold Member
    February 2011
    2,487 Posts
    I guess Apple took security advice from Sony.

  7. Post #7
    Gold Member
    VistaPOWA
    October 2008
    8,370 Posts
    "It's not a huge fucking design flaw, it's a feature! Just think of all the revolutionary ways your data can be stolen!" -whoever programmed that piece of shit

  8. Post #8
    Dennab
    May 2007
    1,218 Posts
    inb4 mass virus breakouts resulting in personal information being stolen.

  9. Post #9
    Gold Member
    hexpunK
    August 2008
    15,443 Posts
    Originally Posted by Zet:
    I guess Apple took security advice from Sony.
    That was never proven correct and was more than likely hyperbole created to make them look worse.

    But this is fucking atrocious no matter who is doing it, so don't even think about starting shit.

  10. Post #10
    haha oh boy here we go again
    Snowmew
    November 2011
    549 Posts
    I don't understand how a professional programmer who probably gets paid very good money to program what he thinks is the world's best operating system could have possibly made a stupid choice like this.

    My first-ever PHP script (which was my first foray into real programming) stored password hashes, not plaintext passwords, because it's an inherently common-sense idea. Yes, encrypting passwords is slightly more complex than one-way hashing, but was it really so difficult that it couldn't be done in an operating system that is advertised as more secure than Windows?

  11. Post #11
    Gold Member
    Lick
    April 2010
    2,611 Posts
    Secure.log is stored in plain text? Seems ironic

  12. Post #12
    ...
    NateLB
    March 2007
    3,672 Posts
    Fix this now for only $14.98!

  13. Post #13
    Gold Member
    winsanity
    April 2009
    1,806 Posts
    Don't worry they'll fix this with the release of OSX S.

  14. Post #14
    ...
    NateLB
    March 2007
    3,672 Posts
    Originally Posted by winsanity:
    Don't worry they'll fix this with the release of OSX S.
    Only $149.99!

  15. Post #15
    Der Führer
    Quark:
    January 2011
    4,083 Posts
    secure passwords are just too mainstream

  16. Post #16
    RISC MASTER RACE.
    MIPS
    August 2010
    7,099 Posts
    Whoever says OS X has roots in Unix has not used OS X after 10.2. Even in Unix there is default encryption on the passwords.

  17. Post #17
    Gold Member
    ASmellyOgre
    June 2008
    4,495 Posts
    Originally Posted by MIPS:
    Whoever says OS X has roots in Unix has not used OS X after 10.2. Even in Unix there is default encryption on the passwords.
    So does this. It's just that somebody who was likely just fired left a debugging tool in this which for some reason shows the files in plain text. The very base of OSX is still Darwin.

  18. Post #18
    I once worked at a sperm bank, the food was terrible
    The Baconator
    April 2011
    9,165 Posts
    I don't get what Apple achieves with OSX being partially open source. What has it done?

    Edited:

    or whatever Darwin is supposed to be

  19. Post #19
    Gold Member
    PvtCupcakes
    May 2008
    10,900 Posts
    Originally Posted by Snowmew:
    I don't understand how a professional programmer who probably gets paid very good money to program what he thinks is the world's best operating system could have possibly made a stupid choice like this.

    My first-ever PHP script (which was my first foray into real programming) stored password hashes, not plaintext passwords, because it's an inherently common-sense idea. Yes, encrypting passwords is slightly more complex than one-way hashing, but was it really so difficult that it couldn't be done in an operating system that is advertised as more secure than Windows?
    It obviously wasn't intended to be in plain text.
    They left on a debug flag somewhere so it was stored in plain text, the intention was to be encrypted.

    It was just an issue of not thoroughly testing their shit.

    Edited:

    You should see the atrocious design Microsoft puts into Windows.

  20. Post #20
    Frog Member
    C0linSSX
    February 2008
    2,567 Posts
    Welp fuck

  21. Post #21
    Gold Member
    Panda X
    August 2006
    9,802 Posts
    I love how everyone in this thread is blaming the whole of Apple and their products for something one idiot did by leaving a debug flag on. It's not like it was made to store passwords as a string by default.

  22. Post #22
    Gold Member
    Madman_Andre
    November 2007
    7,239 Posts
    Store login passwords as plain text.

    How the fuck do you fuck up computer security this badly... ?

  23. Post #23
    Dennab
    February 2012
    2,299 Posts
    Originally Posted by Madman_Andre:
    Store login passwords as plain text.

    How the fuck do you fuck up computer security this badly... ?
    Be Sony.

  24. Post #24
    Glorious GNU/Linux Master Race
    kaukassus
    May 2010
    5,456 Posts
    Originally Posted by Madman_Andre:
    Store login passwords as plain text.

    How the fuck do you fuck up computer security this badly... ?
    See

    Originally Posted by Panda X:
    I love how everyone in this thread is blaming the whole of Apple and their products for something one idiot did by leaving a debug flag on. It's not like it was made to store passwords as a string by default.

  25. Post #25
    Gold Member
    MachiniOs
    September 2008
    12,354 Posts
    Originally Posted by Panda X:
    I love how everyone in this thread is blaming the whole of Apple and their products for something one idiot did by leaving a debug flag on. It's not like it was made to store passwords as a string by default.
    Apple must be blamed for everything because they are an evil company and they killed all the Chinese at Foxconn!