MAC ROUMORS

Brazilian software developer Matheus Mariano appears to have discovered a significant macOS High Sierra vulnerability that exposes the password of encrypted Apple File System volumes in plain text in Disk Utility.

MacRumors confirmed our test password “dontdisplaythis” appeared as the hint

Mariano added a new encrypted APFS volume to a container, set a password and hint, and unmounted and remounted the container in order to force a password prompt for demonstration purposes. Then, he clicked the “Show Hint” button, which revealed the full password in plain text rather than the hint.

A second video with English system language is embedded below

MacRumors reproduced this behavior on a 2016 MacBook Pro running macOS High Sierra, including versions 10.13 and 10.13.1 beta. German software developer Felix Schwarz also shared a video of the issue on Twitter today.

Tried myself & it's true: #HighSierra shows the #APFS volume password as hint. Persists reboots, not stored in keychain. Wow. Just wow. pic.twitter.com/FkcHI9KHl9

— Felix Schwarz (@felix_schwarz) October 5, 2017

The issue currently only affects Macs with SSD storage due to Apple File System compatibility, but APFS will eventually support machines with Fusion Drives as well. Schwarz believes users that haven’t specified a password hint, or haven’t used Disk Utility whatsoever, are probably not affected.

Mariano said he has reported the vulnerability to Apple. The company did not immediately respond to our request for a comment on the matter, but we’ll update this article if we hear back.

Discuss this article in our forums

Source: MAC ROUMORS