7 Replies Latest reply: May 11, 2012 3:51 AM by maiux
jlbmacuser Level 1 (5 points)

The following describes a serious Lion security flaw & asks how to make Apple aware of it...

When Lion mounts a legacy FileVault sparse bundle at user login, the system logs the following to /var/log/secure.log (hostname and actual password changed for security reasons):

Apr 11 19:39:35 hostname authorizationhost[1240]: DEBUGLOG | -[HomeDirMounter mountEncryptedHomeWithURL:attributes:dirPath:username:] | about to call DIHLFVMount. urlAttribute = /Users/.username/username.sparsebundle, password = password-here-in-plain-text, mountPointParent = /Users, homeDirPath going to the DIHLFVMount call = /Users/username

Lion should not be writing the username and password to disk! This is a serious security problem that renders an encrypted legacy FileVault useless because it makes the password available to anyone who can read the secure.log file.

How does one write a problem ticket to Apple to make them aware of this?


Lion OS, Mac OS X (10.7.3)
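A way for an administrator to check whether a machine's secure.log contains the mount line quoted in the post, as an added example that is not part of the original thread or of any Apple tool. It looks for the exact DIHLFVMount debug message, reports which home directory is affected, and returns a copy of the line with the password field masked so the finding can be filed or forwarded without spreading the credential; the sample log text is constructed here with a placeholder password.

```python
import re
from typing import List, NamedTuple

# Constructed sample modelled on the secure.log entry quoted in the post.
# The password value is a placeholder, not a real credential.
SAMPLE_SECURE_LOG = """\
Apr 11 19:39:30 hostname loginwindow[1234]: USER_PROCESS: 1234 console
Apr 11 19:39:35 hostname authorizationhost[1240]: DEBUGLOG | -[HomeDirMounter mountEncryptedHomeWithURL:attributes:dirPath:username:] | about to call DIHLFVMount. urlAttribute = /Users/.username/username.sparsebundle, password = password-here-in-plain-text, mountPointParent = /Users, homeDirPath going to the DIHLFVMount call = /Users/username
Apr 11 19:39:36 hostname authorizationhost[1240]: DEBUGLOG | unrelated message
"""

# Matches the legacy FileVault mount debug line. The password field is
# captured only so it can be replaced; it is never returned to the caller.
LEAK_RE = re.compile(
    r"(?P<prefix>.*?authorizationhost\[\d+\]: DEBUGLOG \| -\[HomeDirMounter "
    r"mountEncryptedHomeWithURL:attributes:dirPath:username:\] \| about to call "
    r"DIHLFVMount\. urlAttribute = [^,]+, password = )"
    r"(?P<password>.*?)"
    r"(?P<suffix>, mountPointParent = .*)$"
)
HOME_RE = re.compile(r"homeDirPath going to the DIHLFVMount call = (\S+)")


class Finding(NamedTuple):
    line_no: int
    home_dir: str   # account whose FileVault password was written to disk
    redacted: str   # the offending line with the password field masked


def find_leaked_fv_passwords(log_text: str) -> List[Finding]:
    """Return one Finding per secure.log line that carries a plaintext
    legacy-FileVault password. The password itself is masked, so the
    result is safe to attach to a bug report or forward to a SIEM."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        m = LEAK_RE.match(line)
        if not m:
            continue
        home = HOME_RE.search(m.group("suffix"))
        findings.append(Finding(
            line_no=n,
            home_dir=home.group(1) if home else "<unknown>",
            redacted=m.group("prefix") + "<REDACTED>" + m.group("suffix"),
        ))
    return findings


def affected_accounts(log_text: str) -> List[str]:
    """Distinct home directories whose password appears in the log."""
    return sorted({f.home_dir for f in find_leaked_fv_passwords(log_text)})
```

On an affected system the same functions can be run over the real file (`open("/var/log/secure.log").read()`), and a non-empty result means the password of every listed account should be treated as exposed and changed after the log is cleaned up.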