Password Security Hole Discovered in Certain FileVault Configurations on OS X 10.7.3
ZDNet reports on the discovery of a significant breach of password security for certain users of Apple's FileVault encryption system under OS X Lion. Affected systems currently store the login information for every recent user of the machine in plain text, allowing for easy circumvention of encryption.
In specific configurations, applying OS X Lion update 10.7.3 turns on a system-wide debug log file that contains the login passwords of every user who has logged in since the update was applied. The passwords are stored in clear text.
Anyone who used FileVault encryption on their Mac prior to Lion, upgraded to Lion, but kept the folders encrypted using the legacy version of FileVault is vulnerable. FileVault 2 (whole disk encryption) is unaffected.
The issue was noted last Friday by David Emery on the Cryptome mailing list.
This is worse than it seems, since the log in question can also be read by booting the machine into firewire disk mode and reading it by opening the drive as a disk or by booting the new-with-LION recovery partition and using the available superuser shell to mount the main file system partition and read the file. This would allow someone to break into encrypted partitions on machines they did not have any idea of any login passwords for.
Emery also offers some suggestions for dealing with the issue, including turning on FileVault 2 and setting a firmware password on the machine in question.
The issue was actually first noted in the Apple discussion forums back on February 6, just days after OS X 10.7.3 was released to the public. That poster now notes that the issue may extend further than just the specific FileVault situation outlines by others, as he notes that he has experienced the same behavior on an OS X Lion virtual machine through VMware Fusion, without FileVault ever having been active on the installation. Consequently, the extent of the issue may not yet be fully known.
Apple has yet to offer any response to the issue, although it is unclear when the company became aware of it. Apple touts the security features of OS X Lion in its promotional materials for the operating system, with a focus on FileVault as an important component of that security, and it seems likely that the company will move as quickly as possible to investigate and fix the issue.
Popular Stories
You'd think things would be slowing down heading into the holidays, but this week saw a whirlwind of Apple leaks and rumors while Apple started its next cycle of betas following last week's release of iOS 26.2 and related updates.
This week also saw the release of a new Apple Music integration with ChatGPT, so read on below for all the details on this week's biggest stories!
Top Stories
i...
Next year's iPhone 18 Pro and iPhone 18 Pro Max will be equipped with under-screen Face ID, and the front camera will be moved to the top-left corner of the screen, according to a new report from The Information's Wayne Ma and Qianer Liu.
As a result of these changes, the report said the iPhone 18 Pro models will not have a pill-shaped Dynamic Island cutout at the top of the screen....
Since the beginning of December, Apple has been pushing iPhone users who opted to stay on iOS 18 to install iOS 26 instead. Apple started by making the iOS 18 upgrades less visible, and has now transitioned to making new iOS 18 updates unavailable on any device capable of running iOS 26.
If you have an iPhone 11 or later, Apple is no longer offering new versions of iOS 18, even though there...
Since the AirPods Pro 3 launched, there have been complaints from users who have noticed a static-like sound or a crackling issue when using the earbuds, particularly when Active Noise Cancellation is on but no media is playing. Users have also run into strange high-pitched whistling sounds that happen intermittently.
We shared the issues back in late October, and despite two subsequent...
There's now a dedicated Apple Music app for ChatGPT, which allows ChatGPT to make music recommendations and build playlists.
Apple Music can be added to ChatGPT through the Settings section in the Mac app, website, or iOS app. Apple Music is listed under the apps option, and connecting to it requires signing in with your Apple Account for authorization purposes.
ChatGPT can be used to...
Samsung has officially unveiled the Exynos 2600, the world's first 2 nanometer mobile system-on-a-chip (SoC), built on the company's Gate-All-Around (GAA) process. The 10-core ARM-based design aims to deliver improved performance and efficiency for flagship devices like the upcoming Galaxy S26 series.
The chip uses Arm's latest cores and supports new instructions for improved CPU speed and...
There has been a whirlwind of rumors over the last few days, sourced from leaked internal software designed for the iPhone and the Mac, and news sites like The Information. Below, we have a quick recap of everything we've heard this week, which serves as a guide to Apple's product plans in 2026 and beyond.
We've organized the info by likely release date, though there are some products that...
Apple Maps no longer offers a Flyover feature that provides users with automated tours of notable landmarks in major cities. The Flyover option appears to have been nixed around when iOS 26 launched, but its removal went largely unnoticed.
Flyover city tours were introduced in 2014 with iOS 8 and OS X Yosemite, using Flyover imagery to generate an aerial tour. Most cities with Flyover...
