Apple macOS High Sierra Bug Exposes Passwords of Encrypted APFS Volumes As Hint

A programming error has been found in Apple’s latest macOS High Sierra 10.13 that shows passwords of encrypted Apple File System (APFS) volumes in plain text.
Reported by Matheus Mariano, a Brazilian software developer, the vulnerability affects encrypted volumes using APFS, where the password hint field shows the actual password in plain text. Yes, you read that right: your Mac mistakenly reveals the actual password instead of the password hint.

In September, Apple released macOS High Sierra 10.13 with APFS (Apple File System) as the default file system for solid-state drives (SSDs) and other all-flash storage devices, promising strong encryption and better performance.

Mariano found the security issue while he was using Disk Utility in macOS High Sierra to add a new encrypted APFS volume to a container. When adding a new volume, he was asked to set a password and, optionally, write a hint for it. Whenever the new volume is mounted, macOS asks the user to enter the password. Mariano noticed that when he clicked the “Show Hint” button, he was shown his actual password in plain text rather than the password hint.
You can see a demonstration of the problem in the video below:

This security issue is not the only one discovered in Apple’s latest desktop operating system.
Just a few hours before the release of High Sierra, ex-NSA hacker Patrick Wardle publicly disclosed the details of a separate critical vulnerability that allows installed apps to steal passwords and secret data from the macOS keychain.

The good news is that Apple released a supplemental macOS High Sierra 10.13 update on Thursday to address both issues. Mac users can install the update from the Mac App Store or download it from Apple’s Software site.
Note that installing the update alone does not resolve the APFS password disclosure issue. Apple has published a user guide on the password disclosure bug, which you should follow to protect your data.
