Lion Legacy Filevault WHOOPS
The following describes a serious Lion security flaw & asks how to make Apple aware of it...
When Lion mounts a legacy FileVault sparse bundle at user login, the system logs the following to /var/log/secure.log (hostname and actual password changed for security reasons):
Apr 11 19:39:35 hostname authorizationhost[1240]: DEBUGLOG | -[HomeDirMounter mountEncryptedHomeWithURL:attributes:dirPath:username:] | about to call DIHLFVMount. urlAttribute = /Users/.username/username.sparsebundle, password = password-here-in-plain-text, mountPointParent = /Users, homeDirPath going to the DIHLFVMount call = /Users/username
Lion should not be writing the username and password to disk! This is a serious security problem that renders an encrypted legacy FileVault useless because it makes the password available to anyone that can read the secure.log file.
How does one write a problem ticket to Apple to make them aware of this?
Lion OS-OTHER, Mac OS X (10.7.3)
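As an added example (not part of the original post and not Apple code), the following Python script shows how an administrator could scan a copy of secure.log for the DIHLFVMount debug line quoted above and report which users had a plaintext password written to disk, while redacting the secret before the line is shown or forwarded anywhere. The log lines embedded below are constructed for the example: the hostname, usernames and the password value are placeholders, and the exact field layout is assumed to match the single entry shown in the post.

```python
import re

# Constructed sample lines modelled on the secure.log entry quoted in the post.
# Hostnames, usernames and the password value are placeholders, not real data.
SAMPLE_LOG = """\
Apr 11 19:39:35 hostname authorizationhost[1240]: DEBUGLOG | -[HomeDirMounter mountEncryptedHomeWithURL:attributes:dirPath:username:] | about to call DIHLFVMount. urlAttribute = /Users/.alice/alice.sparsebundle, password = s3cret-placeholder, mountPointParent = /Users, homeDirPath going to the DIHLFVMount call = /Users/alice
Apr 11 19:40:02 hostname loginwindow[88]: Login Window Application Started
Apr 11 19:41:10 hostname authorizationhost[1240]: DEBUGLOG | -[HomeDirMounter mountEncryptedHomeWithURL:attributes:dirPath:username:] | about to call DIHLFVMount. urlAttribute = /Users/.bob/bob.sparsebundle, password = , mountPointParent = /Users, homeDirPath going to the DIHLFVMount call = /Users/bob
"""

# Pattern for the DIHLFVMount debug line; the field order is assumed from the post.
LEAK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) authorizationhost\[\d+\]: "
    r"DEBUGLOG \| -\[HomeDirMounter mountEncryptedHomeWithURL:attributes:dirPath:username:\] "
    r"\| about to call DIHLFVMount\. urlAttribute = (?P<bundle>\S+), "
    r"password = (?P<password>.*?), mountPointParent = "
)

# Separate pattern used only to blank out the password field in a line.
REDACT_RE = re.compile(r"(password = ).*?(, mountPointParent = )")


def username_from_bundle(bundle_path):
    """Derive the account name from '/Users/.name/name.sparsebundle'."""
    name = bundle_path.rsplit("/", 1)[-1]
    if name.endswith(".sparsebundle"):
        name = name[: -len(".sparsebundle")]
    return name


def scan(lines):
    """Return (timestamp, username, password_length) for every line that carries
    a non-empty plaintext password. The password itself is never returned."""
    findings = []
    for line in lines:
        m = LEAK_RE.match(line)
        if not m:
            continue
        pw = m.group("password")
        if not pw:
            # Empty password field: nothing was exposed on this line.
            continue
        findings.append((m.group("ts"), username_from_bundle(m.group("bundle")), len(pw)))
    return findings


def redact(line):
    """Return the line with the password value replaced by a fixed marker.
    Lines without the field are returned unchanged."""
    return REDACT_RE.sub(r"\1[REDACTED]\2", line)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ts, user, length in scan(lines):
        print(f"{ts}: plaintext password ({length} chars) logged for user {user}")
    for line in lines:
        print(redact(line))
```

Running the script on a real secure.log (read-only, as an administrator) lists the accounts whose legacy FileVault password has been written to disk, so their owners know which credentials are affected; only the redacted lines should ever be copied into a bug report or shared elsewhere.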