A security error in OS X 10.7.3 exposes passwords on systems with support for the pre-Lion FileVault home-directory encryption feature. This security flaw, apparently created when Apple left debugging code in the 10.7.3 update, is triggered only on Lion systems that retain legacy support for the original FileVault, and only when a user logs in with such an account.
Mac systems using whole-disk encryption with FileVault 2 (introduced in Lion) are not affected. It is also unlikely that revealed passwords can be obtained by malicious parties, unless new malware appears specifically designed to hunt for the exposed logins.
First reported in February by a user registered as "tarwinator" in Apple's forums, but ignored, the security error became widely reported this weekend when David Emery sent a post to the Cryptome security mailing list describing the problem.
Emery noted in his post that one way of examining the log file in which the password can be found requires an account with administrative access on a booted Mac OS X system and physical access to the system; no administrative password is required to read the log. However, because the file is outside of encrypted home directories, restarting a system in FireWire Target Disk Mode allows anyone with their hands on the computer to read the file on another Mac. A Lion system can also be rebooted into Lion Recovery mode (by holding down Command-R after restart); once Terminal is launched there (Utilities -> Terminal), the log file may be viewed without any password. (The file in question is in the Unix /var/log directory, and called secure.log.)
This was clearly an error in code review, as the message in the file says "DEBUGLOG" in all caps. Developers often put in messages that are sent to a log file for such purposes, but should be flagging those in code for review before release, and the quality assurance (QA) process companies follow in sending out updates to any software should catch debugging messages that are unintentionally left on. It's also baffling that any debugging would reveal a password, given the risk of the logging code being left in by accident, as occurred here.
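For an administrator who needs to know whether a given secure.log holds such entries without putting them on screen, the following is an added example (not code from Apple, Emery, or this article). It keys only on the "DEBUGLOG" marker described above; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. It matches only the "DEBUGLOG" marker; no field layout is assumed
# beyond the usual syslog prefix (month, day, time, host).

# List DEBUGLOG entries by line number and timestamp, withholding the message.
# Exit status: 0 = entries found, 1 = none found, 2 = file unreadable.
audit_debuglog() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    awk '
        /DEBUGLOG/ {
            hits++
            printf "line %d  %s %s %s  [content withheld]\n", NR, $1, $2, $3
        }
        END {
            printf "%d DEBUGLOG line(s) found\n", hits + 0
            exit (hits > 0 ? 0 : 1)
        }' "$1"
}

# Print a copy of the log with each DEBUGLOG message replaced, for safe sharing.
redact_debuglog() {
    awk '/DEBUGLOG/ { print $1, $2, $3, $4, "[DEBUGLOG entry redacted]"; next }
         { print }' "$1"
}

# Constructed sample input (not real log output; process names are made up).
write_sample_log() {
    cat > "$1" <<'EOF'
Feb  6 09:12:01 host-a exampled[77]: constructed ordinary entry
Feb  6 09:12:03 host-a exampled[80]: DEBUGLOG | constructed entry, secret=PLACEHOLDER
Feb  6 09:15:40 host-a otherd[91]: constructed ordinary entry
Feb  7 18:02:11 host-a exampled[102]: DEBUGLOG | constructed entry, secret=PLACEHOLDER
EOF
}

# Demo on the sample; on a Mac being checked, pass /var/log/secure.log instead.
sample=$(mktemp /tmp/securelog.XXXXXX)
write_sample_log "$sample"
audit_debuglog "$sample"
redact_debuglog "$sample"
rm -f "$sample"
```

A non-zero hit count means any password used for a legacy FileVault login on that machine should be treated as exposed and changed.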
Apple did not respond to inquiries regarding this issue.
Who's at risk
There's no simple solution for this problem that doesn't involve a bit of fuss, even after Apple releases a patch to prevent the password from being logged as clear text. But many (perhaps most) Lion users won't be affected. If you never enabled FileVault on a computer prior to upgrading to Lion or purchased a computer with Lion installed, you are not at risk. You're also not at risk if you didn't update Lion to 10.7.3, or if you never logged in as a user with a FileVault account with 10.7.3 installed.