FileVault, the disk encryption software in OS X, was recently updated. However, the update writes a log file that contains lots of uninteresting things, but also the user's password in plain text. The log file itself is not encrypted, so if someone were to double-click it, they would see your password.
This has apparently been known for three months. All users who have logged in since Lion was updated to 10.7.3 have their passwords stored in this unencrypted file.
FileVault 2 is apparently unaffected, but this is a pretty serious mistake by Apple.
Source: ZDNet