Pixel Envy

Written by Nick Heer.

MacOS High Sierra Vulnerability Exposes Passwords of Encrypted APFS Containers

Matheus Mariano:

This week, Apple released the new macOS High Sierra with the new file system called APFS (Apple File System). It wasn’t long before I encountered issues with this update. Not a simple issue, but a potential vulnerability.

The vulnerability? Under certain not-so-uncommon conditions, a drive or container formatted as APFS can show the actual password as the hint.

Via Michael Tsai:

The bug was easy to reproduce on my Mac. Plugging the drive into another Mac also shows the password as the hint. So I’m guessing it’s not actually an APFS flaw but rather that Disk Utility is passing the wrong variable as the hint parameter.

That seems to be the case. Felix Schwarz:

Creating a volume via diskutil, the hint, not the pw is shown. Looks like the root cause is Disk Utility storing the password as hint.

So, from the looks of it, if you haven’t specified a password hint – or if you haven’t used Disk Utility, you’re probably safe.

Disk Utility was made extraordinarily buggy in a rewrite two years ago and we’re still feeling the effects of that decision. That’s a big problem for an app as consequential as Disk Utility.

Update: Apple told Rene Ritchie that they’re rolling out a fix for this today. That’s a fast response, but this is a bug that should have been caught far sooner. Why wasn’t it?