It has come to light over the weekend that an issue in Apple’s latest OS X Lion may cause login passwords to appear in plain text within a debug log file, for some users in certain circumstances.
The issue was uncovered by security researcher David Emery, after it was discovered that an Apple programmer accidentally left a debug flag in the most recent version of OS X Lion.
In certain circumstances, users who used Apple’s encryption software FileVault before upgrading to the latest 10.7.3 software might be at risk, allowing anyone with an admin password to retrieve other users’ credentials from the debug log file. FileVault 2 users are unaffected, Emery explains:
“This is worse than it seems, since the log in question can also be read by booting the machine into FireWire disk mode and reading it by opening the drive as a disk or by booting the new-with-LION recovery partition and using the available superuser shell to mount the main file system partition and read the file. This would allow someone to break into encrypted partitions on machines they did not have any idea of any login passwords for.”
Apple has yet to release a statement or fix for the issue, but as more details come to light we will keep you updated.