New macOS High Sierra Vulnerability Exposes Passwords of Encrypted APFS Volumes in Plain Text

Thursday, October 5, 2017

New macOS High Sierra Vulnerability Exposes Passwords of Encrypted APFS Volumes in Plain Text

Brazilian software developer Matheus Mariano appears to have discovered a significant macOS High Sierra vulnerability that exposes the passwords of encrypted Apple File System volumes in plain text in Disk Utility.

MacRumors confirmed our test password "dontdisplaythis" appeared as the hint
Mariano added a new encrypted APFS volume to a container, set a password and hint, and unmounted and remounted the container in order to force a password prompt for demonstration purposes. Then, he clicked the "Show Hint" button, which revealed the full password in plain text rather than the hint.

A second video with English system language is embedded below
MacRumors reproduced this behavior on a 2016 MacBook Pro running macOS High Sierra, including versions 10.13 and 10.13.1 beta. German software developer Felix Schwarz also shared a video of the issue on Twitter today.

Tried myself & it's true: #HighSierra shows the #APFS volume password as hint. Persists reboots, not stored in keychain. Wow. Just wow. http://pic.twitter.com/FkcHI9KHl9
— Felix Schwarz (@felix_schwarz) October 5, 2017

The issue currently only affects Macs with SSD storage due to Apple File System compatibility, but APFS will eventually support machines with Fusion Drives as well. Schwarz believes users that haven't specified a password hint, or haven't used Disk Utility whatsoever, are probably not affected.

Mariano said he has reported the vulnerability to Apple. The company did not immediately respond to our request for a comment on the matter, but we'll update this article if we hear back.

(Thanks, Marcus!)

Related Roundup: macOS High Sierra

Tag: APFS

Discuss this article in our forums