One of Apple’s programmers, apparently by accident, has turned on a debug switch in the latest security update for Mac OS X Lion (10.7.3). CryptoMe’s David Emery, who discovered the fault, explained the mishap: “carefully built crypto has an unfortunate tendency to consist of three thick impregnable walls and a picket fence in the back with the gate left open.”
The flaw stems from a system-wide debug file in which passwords appear as plain text. This means that anyone with the credentials to read files accessible to the admin group can, under certain conditions, read those passwords.
The most vulnerable users are Mac owners who used FileVault encryption before Lion and then upgraded to the latest OS X. FileVault 2 could be a way to keep prying eyes out of personal folders and accounts.
“One can partially protect oneself against the FireWire disk and recovery partition attacks by using FileVault 2 (whole disk encryption) which then requires one know at least one user login password before one can access files on the main partition of the disk,” says reputed security researcher David Emery.