Lion Login Passwords in Clear Text
Emil Protalinski (via Slashdot):
An Apple programmer, apparently by accident, left a debug flag in the most recent version of the Mac OS X operating system. In specific configurations, applying OS X Lion update 10.7.3 turns on a system-wide debug log file that contains the login passwords of every user who has logged in since the update was applied. The passwords are stored in clear text.
Anyone who used FileVault encryption on their Mac prior to Lion, upgraded to Lion, but kept the folders encrypted using the legacy version of FileVault is vulnerable. FileVault 2 (whole disk encryption) is unaffected.
User tarwinator posted about this in Apple’s support forum three months ago but didn’t get a response.
Update (2012-05-09): It’s fixed in Mac OS X 10.7.4.
Update (2012-05-10): Apple has posted a support article about the problem.