
Apple update exposes Lion login passwords in clear text

OS X 10.7.3 contains a debug flag which makes system passwords readable, checks show. Depending on the system configuration, people who update to v10.7.3 may have a widely-viewable debug log file containing passwords for all users accessing a system. The passwords are stored in plain text, making for a potentially serious security risk....

vansmith

Does anyone actually know what file these passwords are stored in? I've read this story a few times and each and every one neglects to mention the path and name of the file.
 
Joined Dec 8, 2009 · Messages 453 · Location: The same as Sheldon Cooper - East Texas
The reports are somewhat ambiguous and quote each other in an endless loop - in fact, most reports are just cut and paste from somewhere else. But from what I can see, it only affects a certain subset of machines using filevault, and then only a filevault from an older install of Snow Leopard.

I have grepped every log file, including everything in the huge DiagnosticMessage folder, on my machine (after a fresh login) and I find no tracks of a password in the log files.

Then I grepped the entire log folder itself for my password and nothing was found.

Still looking, but it appears that just a vanilla install of Lion (or SL) doesn't have the problem.


Later edit.

Ok. The problem is only for filevault users who have upgraded to Lion, although the common press is yelling that OSX is an open door for anybody to enter.

By the way, for Unix/Linux guys and gals, OSX keeps two active log folders...

/var/log the usual place
username/Library/Logs the unusual place
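
A repeatable version of the check described in the post above, added here as an example and not part of the original thread: it lists log files, including gzip- and bzip2-rotated ones, that contain a given string, and prints only file paths, never the matching lines. The function names are hypothetical; the string is read from stdin so it stays out of the process argument list and shell history.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# contains_secret FILE
# Exit 0 if FILE (plain, .gz or .bz2) contains $NEEDLE as a literal string.
# The secret reaches awk through the environment, not argv, and awk's
# index() does a fixed-string match, so regex characters are harmless.
contains_secret() {
    case "$1" in
        *.gz)  gzip  -dc -- "$1" 2>/dev/null ;;
        *.bz2) bzip2 -dc -- "$1" 2>/dev/null ;;
        *)     cat -- "$1" 2>/dev/null ;;
    esac | awk 'index($0, ENVIRON["NEEDLE"]) { found = 1; exit }
                END { exit !found }'
}

# scan_logs_for_secret DIR...
# Reads the secret from the first line of stdin, then prints the path of
# every regular file under the given directories that contains it.
# Directories that do not exist are skipped; unreadable files count as
# "no match" (run with sufficient privileges to cover root-owned logs).
scan_logs_for_secret() {
    IFS= read -r NEEDLE || true
    [ -n "$NEEDLE" ] || { echo "no secret given on stdin" >&2; return 2; }
    export NEEDLE
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f 2>/dev/null | while IFS= read -r f; do
            if contains_secret "$f"; then
                printf '%s\n' "$f"
            fi
        done
    done
    unset NEEDLE
}

# Typical use on the two folders named in the post (type the password,
# then Enter; run `stty -echo` first to hide it, `stty echo` afterwards):
#   scan_logs_for_secret /var/log "$HOME/Library/Logs"
```

Any path it prints is a log holding the string in clear text: change that password and remove or truncate the file, including rotated copies and backups.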
 

vansmith

I found it - it's a log in /var/logs. More specifically, it's /var/logs/secure.log (source, source). That wasn't the easiest to find though.
 
