Security bug on Mac OSX 10.7.3 FileVault – Just solved
What is FileVault
From the Wikipedia
"FileVault is a system which encrypts files on a Macintosh computer. It can be found in the Mac OS X v10.3 "Panther" operating system and later.
FileVault uses encrypted file systems which are encrypted and decrypted on the fly. A master password (and recovery key in 10.7+) is created as a precaution against a user losing their password. Although early versions were slow and caused a system to temporarily hang when used with disk-intensive applications, such as sound and video editing, the performance of FileVault has been improved in more recent versions of Mac OS X.
In Mac OS X v10.4 "Tiger" and below, FileVault stores the encrypted file system as a Sparse Disk Image, which is basically a single large file. In Mac OS X v10.5 "Leopard", FileVault stores the encrypted file system as a new image called a Sparse bundle. Sparse bundles break images into smaller 8MB files called bands, allowing them to be backed up using Leopard's Time Machine feature (see below for limitations, however). If transferring FileVault data from a previous Mac that uses 10.4 using the built-in utility to move data to a new machine, the data continues to be stored in the old sparse image format, and the user must turn FileVault off and then on again to re-encrypt in the new sparse bundle format. FileVault 2, introduced in Mac OS X v10.7 "Lion", encrypts entire disks rather than users' home folders. This also solves the compatibility problems related to backup, as the encryption is transparent to backup software when the operating system is running."
With update release 10.7.3 of Mac OS X there was a security bug, in some cases the operating system keep the passwords in plain into the log files. If the operating system has been installed from scratch this bug is not present, if you have installed the update you are exposed to this bug.
It seems that, in the 10.7.3, a DEBUGLOG flag hasn't been commented, so the OS will store the passwords into the log file. This log can be maintained for several weeks….
Really if you have admin privilegies can retrieve the password of a FileVault directory encrypted with the old release of FileVault. So, a hacker could use the TimeMachine backups to get the password.