Lion update accidentally reveals stored user passwords.
A recent Mac OS update has revealed a rather embarrassing oversight by an Apple programmer. A debug flag was left on, which enables a debug log file containing the login password of every user who has logged in to that machine since the update was applied. What’s worse is that the passwords are blatantly stored in plain text.
This means that anyone with administrator or root access can read the log file, obtain the user credentials, and use them to access encrypted user files and folders. The surprising thing is that the flaw isn’t new: it was spotted and reported almost three months ago, but Apple have yet to issue a reply or possible fix.
The security flaw could be dangerous to businesses that hold confidential information and have relied on Mac OS’s encryption for years. The flaw affects Time Machine backups as well, so in the unfortunate event that your Mac is stolen or misplaced, information can be accessed because the Time Machine backup logs will contain the required password.