Slashdot Mirror


Apple Addresses a Bug That Caused Disk Utility in macOS High Sierra To Expose Passwords of Encrypted APFS Volumes (macrumors.com)

Joe Rossignol, writing for MacRumors: Brazilian software developer Matheus Mariano appears to have discovered a significant Disk Utility bug that exposes the passwords of encrypted Apple File System volumes in plain text on macOS High Sierra. Mariano added a new encrypted APFS volume to a container, set a password and hint, and unmounted and remounted the container in order to force a password prompt for demonstration purposes. Then, he clicked the "Show Hint" button, which revealed the full password in plain text rather than the hint. [...] Apple has addressed this bug by releasing a macOS High Sierra 10.13 Supplemental Update, available from the Updates tab in the Mac App Store.

1 of 85 comments

  1. Re: The bug is in Disk Utility GUI volume creation by sbrown7792 · Score: 4, Interesting
    Right, the system shouldn't know; that's why this is a bug.

    When creating a new volume, [the Disk Utility GUI] apparently puts the password into the password hints field.

    A hint needs to be plaintext to read it later; the error was the utility saving the *password*, not the *hint*, in the hint field.