The flaw was detailed late last week in a post by David I. Emery on the Crytome mailing list (via Suddeutsche.de). The issue only applies in specific configurations to users who have updated to OS X 10.7.3, in which a system-wide debug file that displays login passwords in plain text is created.
"Thus anyone who can read files accessible to group admin can discover the login passwords of any users of legacy (pre LION) Filevault home directories who have logged in since the upgrade to 10.7.3 in early February 2012," Emery explained.
The log-in data can also be viewed by booting a Mac into FireWire disk mode and reading it by opening the drive as a disk. The information can also be accessed by booting the Lion recovery partition and using the available superuser shell to mount the main file system partition.
Users can protect themselves from these methods by using the whole disk encryption capabilities of FileVault 2. Emery explained that this requires that a user know at least one login password before they can access the main partition of the disk.
Further protection can be achieved by setting a firmware password that must be supplied before a user can boot the recover partition or external media, or enter firewire disk mode.
"Having the password logged in the clear in an admin readable file *COMPLETELY* breaks a security model ? not uncommon in families ? where different users of a particular machine are isolated from each other and cannot access each others' files or login as each other with some degree of assurance of security," Emery wrote.
The bug was introduced with Apple's OS X 10.7.3 update, which was issued in early February. The latest version of Lion came with Wi-Fi connectivity fixes and Windows file sharing compatibility.