Apple logging passwords in plain text

A post to Cryptome is pointing the finger at Apple for logging plain-text passwords of users of “legacy” Filevault under Lion 10.7.3. According to David Emery, the February update of Lion turned on a debug switch which, as a result, logs in plain text the password of a user of an encrypted directory tree. “Thus anyone who can …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    This is clearly a bug in the migration process but "Legacy" Filevault never felt very safe to start with, since it only encrypted home directories.

    Anyone seriously concerned with security would have been using the commercial PGP Whole Disk, or the new Filevault 2 that came with OSX Lion, both of which offer much better whole disk encryption.

    ps: before Microsoft fans get overly smug over this let me just say two words: "bitlocker vista"

    1. Adam 1
      Stop

      More than just a "legacy"

      OK, I will bite, apart from the wider question of why you would pay for a more expensive version of Windows when truecrypt does the same thing for free, what was specifically wrong with Bitlocker on Vista?

      But I think you are missing the point of this problem. The problem is that user's just use the same password everywhere. Sure what's in some crude legacy filevault may not be an issue, but it may be the same password as their email, phone or bank account.

      Not only should the password be hashed, but that hash should be salted to avoid rainbow table attacks.

      1. Anonymous Coward
        Anonymous Coward

        Re: Re: More than just a "legacy"

        He is probably on about the tools that were released a few years ago that could 'crack' BitLocker. What was needed for this: a copy of the drive and a full dump of the computer's memory after the computer had booted into Windows, to get the key stored in RAM. To get the memory dump you would either need to get the RAM out very quickly after cooling it and have special hardware read it, be able to log on and bypass the Windows security for memory access, or the computer has a FireWire port.

        You could dump all the RAM from the FireWire port, no restriction, no accounts. As it's a 'feature' of the FireWire protocol, direct memory access, no authentication. Not a bug in Microsoft's implementation, it's an insecure protocol. This is the same for any system with FireWire. Dump the RAM, get the key. The key is in RAM on all systems, unless they have a hardware encryption module.

        1. Adam 1
          Coffee/keyboard

          Re: More than just a "legacy"

          So we are now blaming Microsoft for lax security based upon a flawed protocol developed by Apple?

          Truecrypt is every bit as vulnerable as Bitlocker on that attack vector as is any other piece of software. If you can see the RAM where the key is held, you can see (or derive) the key, if you can see the key, you can decrypt the drive.

          1. Anonymous Coward
            Anonymous Coward

            > What would one gain by whole disk thing?

            Many services tend to log passwords to log files. Not sure if PostgreSQL and MySQL still do, but not very long ago they did. You also get people typing the password in place of the login. All those cases usually get recorded in log files outside of the users' home directory.

            > So we are now blaming Microsoft for lax security based upon a flawed protocol developed by Apple?

            Yes, I was mentioning the issue where the Bitlocker password was left in an easy to read location in RAM. Firewire is just one way to reach it, you can also boot from a different disk or even read the data using a special PCI (or mini-PCI) card.

            Also it's silly to blame Firewire for allowing remote DMA access. It's the implementation in some machines that makes it a security problem, a correct implementation can either leave the DMA disabled until properly authorised, or can filter remote DMA requests only for devices that need it and/or are approved. This is done in most modern systems.

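Adam 1's point above that stored passwords should be salted hashes, and the point in this reply that passwords end up in service logs and in the username field of failed logins, illustrated by an added example that is not from any commenter, from Apple or from any of the products discussed: salted PBKDF2 password records, plus a log audit that finds leaked passwords using only the hash store, so the auditor never handles cleartext. The record format, iteration count, minimum password length, credential store and log lines are all constructed for this example.

```python
import hashlib
import hmac
import re
import secrets
from typing import List, Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256. Constructed for this example and kept
# low so the audit scan below runs quickly; production deployments use a far
# higher value, tuned to their own hardware.
ITERATIONS = 20_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"
MIN_PASSWORD_LEN = 8   # constructed policy minimum; shorter tokens are skipped


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iter$salt_hex$digest_hex'.

    A fresh random salt per password means two users with the same password
    get different records, so a precomputed (rainbow) table of unsalted
    digests tells an attacker nothing about this store.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False
    if scheme != SCHEME:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def demo_salting() -> dict:
    """Same password, two records: the records differ, yet both verify."""
    pw = "correct horse battery staple"   # constructed sample password
    r1, r2 = hash_password(pw), hash_password(pw)
    return {
        "records_differ": r1 != r2,
        "both_verify": verify_password(pw, r1) and verify_password(pw, r2),
        "wrong_rejected": not verify_password(pw + "!", r1),
    }


# A log token is a run of non-separator characters; quotes, '=', ':' and
# brackets are treated as separators so pw='x' yields the bare x.
_TOKEN = re.compile(r"[^\s\"'=:;,\[\]()<>]+")


def find_leaked_passwords(lines: List[str], store: dict) -> List[Tuple[int, str]]:
    """Report (line_number, username) for every log token that verifies
    against a stored password record. Only the salted hashes are needed,
    so this check can run without anyone seeing a cleartext password."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for token in _TOKEN.findall(line):
            if len(token) < MIN_PASSWORD_LEN:
                continue
            for user, record in store.items():
                if verify_password(token, record):
                    hits.append((lineno, user))
    return hits


# Constructed credential store and constructed log lines (not from any real system).
STORE = {
    "alice": hash_password("Winter2012!"),
    "bob": hash_password("s3cret-pass"),
}
SAMPLE_LOG = [
    "Mar 12 09:14:02 host authd[412]: login ok user=alice",
    "Mar 12 09:15:40 host sshd[518]: Failed login for invalid user s3cret-pass from 10.0.0.5",
    "Mar 12 09:16:01 host fv_agent[601]: DEBUG unlock(user='alice', pw='Winter2012!')",
    "Mar 12 09:16:05 host cron[700]: weekly script finished",
]

if __name__ == "__main__":
    print(demo_salting())
    for lineno, user in find_leaked_passwords(SAMPLE_LOG, STORE):
        print(f"line {lineno}: password of '{user}' appears in cleartext")
```

Line 2 of the sample is the "password typed in place of the login" case and line 3 is a debug line of the kind the article describes; both are flagged from the hash store alone. The scan is deliberately expensive (one PBKDF2 per candidate token per user), which is acceptable for a periodic audit of a few log files but not for anything inline.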
    2. Karirunc

      what microsoft fans??

      I think that non apple fanbois are often people who use tech as a tool, and not as an accessory or some sort of fashion statement. And maybe they cannot afford apple since their job can be done better with a cheaper non apple product. Also they don't see the need to endlessly drool over how superior their kit is compared with any other brand. That sh1t is soo boring and dull to listen to. The key capability of non apple folks over apple fanbois is that they can shut the *uck up.

      1. Anonymous Coward
        Joke

        Re: what microsoft fans??

        "The key capability of non apple folks over apple fanbois is that they can shut the *uck up."

        <== You forgot to add the icon

    3. Ilgaz

      I like the old way

      On an operating system which forces developers and users to properly store data in a good place ($home), file vault made perfect sense.

      What would one gain by whole disk thing? I mean unless you are a mad scientist and have custom "destroy the planet.app" in your /applications on root folder.

      Win is a different thing and really needs whole disk encryption. Why? Ms refuses to discipline developers.

  2. AlexS
    Stop

    well

    Very trivial bug indeed.

    And besides who really wants to break into an Apple?

    All that will be there is somebody's music collection, somebody's holiday snaps, a few letters, and a few doodles. Maybe even next month's parish newsletter. If they're really lucky they might get the new Kylie single or the latest leaflet for the Green party.

    1. Bob Vistakin
      FAIL

      Re: well

      The subscription details to Gay Times might come in handy though.

    2. Dan 55 Silver badge
      Facepalm

      @AlexS

      Um, Mac OS X is supposed to be a certified flavour of Unix.

      Certified flavours of Unix shouldn't go logging passwords in clear-text to log files in /var.

      1. Ilgaz

        Re: @AlexS

        They gave up getting certified when they turned into.. an iPhone company. That is, as far as I followed.

      2. Anonymous Coward
        Anonymous Coward

        Not the first..

        > Certified flavours of Unix shouldn't go logging passwords in clear-text to log files in /var.

        Yet I recall having to clear up many instances of cleartext passwords from logs, back in my HP-UX days.. Guess what, bugs happen especially when scenarios get more complex.

        More recently I was finding Ubuntu Linux (Breezy) saving the cleartext password of the admin user under /var/log after installation.

        As I said before, if you care about security the best is to encrypt the whole disk.

        1. eulampios

          Re: Not the first..

          >>More recently I was finding Ubuntu Linux (Breezy) saving the cleartext password of the admin user under /var/log after installation.

          By recently you mean 6-7 years ago? Bug #34606, fixed right away.

          To dissuade all temptations no user password should be kept in clear text anywhere on the system, (multiple) hashes are there to use if need be.

    3. dancecat
      Mushroom

      Re: well

      This is not a "trivial bug indeed".

      If you have Macs connected to your Active Directory domain then it's an appalling bug that exposes enterprise account passwords. Granted, the log file it's stored in doesn't have world read permissions by default, but it still means that anyone who has local admin rights can harvest passwords from the organisation.

      This incident should be getting more coverage and it serves as a reminder that Apple are a trinket company whose products should never be let near the enterprise.

      1. Anonymous Coward
        Coffee/keyboard

        @dancecat

        This bug only records passwords of users who logged in locally on the machine.

        You're correct in saying you need local admin rights on the machine to read the log file.

        But the clincher is if you have admin rights there are already more ways of harvesting passwords entered locally (think trojans, key loggers...)

        1. dancecat
          Flame

          Re: @dancecat

          You're wrong - I've actually connected a Mac to an Active Directory domain using the AD plugin (dsconfigad from the command line) and it exposes AD passwords.

      2. Blitterbug
        Unhappy

        Re: Macs connected to your Active Directory domain

        Yech. Just... Yeck.

  3. Neal 5

    As a well known non Apple fanboi

    it's nothing for me to get worked up 'bout either. I neither have nor desire/crave any Apple products, so for me just another reason not to waste any money on an unwanted, unusable, it-just-doesn't-work gadget.. Someone please give me a job in their marketing department, they obviously need a rocket under them or an injection of leather, I'm not a keen fan on bullshit, if you're not sure where that comes from.

    I'll take all the down votes you can give me and some more when I post next,

    Cheers.

  4. jake Silver badge

    This is a symptom of ...

    ... marketing-bods running supposedly "techy" companies.

    Back in the day (1989), I was brought in as a conslutant for AOL to help set up their Stratus computer center in Georgia. The marketers in charge couldn't understand why passwords shouldn't be stored in the clear. Ever.

    Their idiot reasoning? "We have to be able to tell the users what their forgotten passwords are".

    It's all gone downhill since then ... Thankfully, I'm (mostly) out of that line of work.

    1. Zippy the Pinhead

      Re: This is a symptom of ...

      I worked for them for a while as well Jake.. their password policy was crazy.. nothing over 8 characters, a mix of letters and number only, no special characters, case sensitive turned off.. For some reason they thought this was MORE secure.

  5. volsano

    Back in the day ....

    ..... Steve Jobs would have turned this into a marketing triumph.

    After trumpeting this must-have feature across all known media, he'd've sat back and watched lesser companies announce unconvincing plans to make it easier for passwords to be retrieved by non-specialists.

    The fan bois would rejoice at the removal of yet another barrier to internet participation by the common hipster.

    And, soon, private passwords would be a thing of the past. The new iPassword would potentially allow us all to financially benefit by selling our iPasses on iTunes and sharing in the profits made from our identity theft by the purchasers.

    Other companies would learn from Apple's strategy and fire their IT QA departments and hire marketeers instead. All bugs would now be declared as unmissable features, and the more gullible of us would pay more for the bonus ones.

  6. A J Stiles
    Facepalm

    Hmm

    Sounds rather like someone passed the wrong options to configure, or shipped a test version of the binary.

    Logging even just incorrect passwords is a security risk in production, because the chances are it's just one incorrect character causing the problem -- reducing the search space considerably. You might need such a feature for testing, for sure, but not out in the wild.

    1. stanimir

      Re: Hmm

      The idea to log passwords is plain dumb. In the worst case I can imagine #ifdef DEBUG or so, but still.

      With such an obvious rookie mistake I bet the password is well and alive in the memory, so a heap/memory dump will reveal it.

  7. Anonymous Coward
    Anonymous Coward

    I prefer Truecrypt..

    Filevault 2 is only OK until it develops a problem, and then you have a fight on your hands.

    I may try again once I'm sure my backups are working 100%, the last time I tried to recover from a FV 2 failure it was a pain even getting the disk repartitioned (despite having the master password).

    Sure, Truecrypt is more work as you need to manually mount the archive (and you're not secure by default), but it also allows me to move containers between machines and operating systems. AFAIK, an OSX Lion encrypted USB stick is inaccessible under Windows or Linux, which renders it useless to me - especially Linux, which I use a lot in parallel (no, not in Parallels - I like Virtualbox :) ).

    I guess it's a matter of preference...

  8. Mark Allen
    FAIL

    Debug versions?

    So... how did a debug version of a component with logging still enabled make its way into an Official Release? Don't they test these things before sending them out to the masses? How did something so simple and obvious get through?

  9. Anonymous Coward
    Anonymous Coward

    May no shadow fall on the shining light of Apple

    Oh, the warm, understanding and downplaying words of fanbois of this latest security cockup.

    May no shadow fall on the shining light of Apple!

  10. Ilgaz

    Wondering something

    I don't have 10.5+ so wondering if they fixed the "system.log getting wrong permissions each time weekly script is run" bug which is a security issue itself.

  11. Mr Young
    Coffee/keyboard

    family security?

    Does that stop me from ever knowing what my family is doing with me internets? I sure hope so

  12. ArkhamNative
    Unhappy

    Old-timer Mac Fan despairs

    This perhaps is a rookie mistake and perhaps affects only a few, but Lion itself is full of odd design and rookie mistakes. From the dropping of scroll arrows and scrollbars from the UI, to features that don't work on the OS's still-supported still-built-in software raid system, to the VM system that swaps out active RAM pages to give the content indexing system a 7th gigabyte for disk buffers...

    Some may be small issues but the floor is littered with them. It seems as if the good programmers have left, were dragged off to other projects and not replaced, or are just "sittin' fat & happy" on stock options and collecting paychecks.

    I can only hope that this will spur improvements to regaining a strong core OS. (...though I'm reminded that hope was one of the things contained within Pandora's box).

    1. Jean-Luc
      Thumb Up

      Re: Old-timer Mac Fan despairs

      Amen to that. The core OS, derived from the BSD family, is probably pretty strong wrt security. Much stronger than Windows, IMHO.

      However... M$ has had a decade of justified user outrage about their crap security and has, to an extent, learned to take security seriously enough to mitigate the really sucky Windows underpinnings.

      Fanbois who instinctively defend Apple miss the point that Apple's record is pretty lax when it comes to security, aside from what comes baked-in from BSD and Sudo. We had the LDAP goof a while back, the Flashback Trojans (2 acquaintances caught out), the MacDefender ("no don't support our infected users that would make it seem like we are not secure").

      Now this.

      Apple will need to get its s**t together or non-fanbois will balk at paying extra $ for still-insecure computers. They need to recognize that pricey computers => juicy targets for malware writers, esp. when the prevailing attitude seems to be "antivirus? what antivirus, I am on a Mac". They need to stand by their users' security, period. Over convenience, when needed.

      One of my primary reasons for being on a Mac is not trusting Windows to store any sensitive info. F*** this up enough and I'll move out again.

      1. This post has been deleted by its author

    2. Anonymous Coward
      Anonymous Coward

      Re: Old-timer Mac Fan despairs

      >>This perhaps is a rookie mistake and perhaps affects only a few, but Lion itself is full of odd design and rookie mistakes. From the dropping of scroll arrows and scrollbars from the UI<<

      Yeah, Lion does seem pretty misguided. There was definitely no reason to get rid of scroll bars. Similar mistakes include hiding disks on the desktop by default (may have been SL?), that worthless new application launcher, all of the full screen app nonsense, flipping the default scroll direction, and the seemingly new and infuriating ability for apps to steal focus from each other instead of just bouncing in the dock.

      Makes me think the people who really understand *WHY* OS X is designed the way it is have left. Very depressing thought.

  13. eulampios

    PAM

    I thought that Mac OS X uses the FreeBSD PAM mechanism. If so why would they tamper with it?

  14. Matt Bryant Silver badge
    Joke

    Come on!

    Everyone knows the real problem is the users not holding the device properly..... :)

  15. Anonymous Coward
    Anonymous Coward

    Uff

    It pains me to see so much open animosity towards Apple customers, as if we are all hipster fanboys who bought Macs to hold as fashion accessories as we rush from one gay wedding to the next.

    Almost without fail, the people I know who I respect the most for doing the most "hardcore" computing use Macs, including a bunch of Google engineers responsible for core infrastructure to biologists developing simulations of protein folding to developers of web sites/services that are now worth millions of dollars. I suppose it makes sense that these people aren't standing up for their computer choice in these online forums since they are probably busy doing useful, important work and don't need to hear about how they could have saved $300 by buying a different laptop two years ago from a nerd in a random IT department.

    1. Stevie

      Re: Uff

      "developers of web sites/services that are now worth millions of dollars."

      Yes. My brother-in-law used the excuse that the Mac was a superior web development platform to buy a G4. I looked long and hard at him and then gently said "but won't you need a PC as well since the websites you are building are graphically intense and intended to be viewed by the general public who mostly own PCs?"

      Games built on Macs look great, but must be ported onto PCs to recoup costs. I venture to suggest the cost benefits of that development path themselves strongly suggest turning it upside down.

      Use whatever you prefer to use, a computer is just a tool after all, but for God's sake stop living in the kitten-infested world where Apple do no wrong. iTunes *is* a piece of unmitigated junk with the most unhelpful user interface for music playback I've ever seen. There. The sky didn't split. The iPod should come with a dedicated volume control. Not having one is a design convergence error. Wow no lightning bolt. Storing the passwords in plain text is a stupid and dangerous mistake. If you read that last bit on a PC-related topic you'd agree.

      The only major difference between PCs and Macs is that when things go wrong with Macs the user community tightens ranks and denies, and the PC user can read about an issue the next day on a milk carton. I was unpleasantly surprised at the sheer number of "known problems" with that bloody G4 once it began breaking down and yours truly had to go a-hunting in the forums (and even then could only turn up issues if I knew what they were before I went looking). What a piece of junk, and what a bunch of disingenuous users.

      Plus, I never heard of anyone having to sign an NDA before a warranty replacement with a PC.

  16. heyrick Silver badge

    Oh look, yet another schoolboy-level error

    (as subject)

  17. Anonymous Coward
    Anonymous Coward

    Really, the bug affects any network share

    At least if you're connecting to it on login. So in a Mac environment with (for example) xserve and Open Directory, you see the same behavior. Same with eDirectory and AFP with Novell's Open Enterprise server. It's not just disk encryption products, it's people relying on remote file systems.

    There may be a behavior difference in accounts that are set up as "Mobile" on the Mac versus "Network" - if the account is set "Mobile" the password might not be logged, or might not be logged under as many conditions (a locally-cached password on a Mobile account could easily change that behavior).

    1. dancecat
      Alert

      Re: Really, the bug affects any network share

      Finally, someone who understands the scale of this problem.

      Sysadmins: Forget the comments about FileVault, HP, fanboi etc etc. - this is the worst, most careless bug Apple have ever released. If you care about domain password security then you need to make sure this version of the OS can't authenticate against your domain.
