New macOS High Sierra Vulnerability Exposes Passwords of Encrypted APFS Volumes in Plain Text [Updated]
Brazilian software developer Matheus Mariano appears to have discovered a significant macOS High Sierra vulnerability that exposes the passwords of encrypted Apple File System volumes in plain text in Disk Utility.
MacRumors confirmed our test password “dontdisplaythis” appeared as the hint
Mariano added a new encrypted APFS volume to a container, set a password and hint, and unmounted and remounted the container in order to force a password prompt for demonstration purposes. Then, he clicked the “Show Hint” button, which revealed the full password in plain text rather than the hint.
A second video with English system language is embedded below
MacRumors reproduced this behavior on a 2016 MacBook Pro running macOS High Sierra, including versions 10.13 and 10.13.1 beta. German software developer Felix Schwarz also shared a video of the issue on Twitter today.
Tried myself & it’s true: #HighSierra shows the #APFS volume password as hint. Persists reboots, not stored in keychain. Wow. Just wow. pic.twitter.com/FkcHI9KHl9
— Felix Schwarz (@felix_schwarz) October 5, 2017
The issue currently only affects Macs with SSD storage due to Apple File System compatibility, but APFS will eventually support machines with Fusion Drives as well. Schwarz believes users who haven’t specified a password hint, or haven’t used Disk Utility whatsoever, are probably not affected.
For clarity, this appears to be a bug within Disk Utility itself. When creating an encrypted APFS volume in Terminal with the diskutil command line utility, the actual hint is shown, rather than the password.
Mariano said he has reported the vulnerability to Apple. The company did not immediately respond to our request for a comment on the matter, but we’ll update this article if we hear back.
Update: Apple has addressed this bug by releasing a macOS High Sierra 10.13 Supplemental Update, available from the Updates tab in the Mac App Store. Apple has also shared a support document outlining steps to back up, erase, and restore the encrypted APFS volume upon updating.
Related Roundup: macOS High SierraTag: APFS
Discuss this article in our forums