Slashdot Mirror


Apple Addresses a Bug That Caused Disk Utility in macOS High Sierra To Expose Passwords of Encrypted APFS Volumes (macrumors.com)

Joe Rossignol, writing for MacRumors: Brazilian software developer Matheus Mariano appears to have discovered a significant Disk Utility bug that exposes the passwords of encrypted Apple File System volumes in plain text on macOS High Sierra. Mariano added a new encrypted APFS volume to a container, set a password and hint, and unmounted and remounted the container in order to force a password prompt for demonstration purposes. Then, he clicked the "Show Hint" button, which revealed the full password in plain text rather than the hint. [...] Apple has addressed this bug by releasing a macOS High Sierra 10.13 Supplemental Update, available from the Updates tab in the Mac App Store.

6 of 85 comments

  1. The bug is in Disk Utility GUI volume creation by alispguru · Score: 4, Informative

    When creating a new volume, it apparently puts the password into the password hints field.

    If you create a new volume using command-line tools, things are fine.

    The encryption is still OK; this bug just leaves the key to the front door under the mat.

    Which is still appalling.

    --

    To a Lisp hacker, XML is S-expressions in drag.
    1. Re:The bug is in Disk Utility GUI volume creation by Anonymous Coward · Score: 2, Insightful

      How is it able to show the plain text password to begin with? Sounds like the password isn't hashed or encrypted itself to begin with and stored as plaintext somewhere. The system shouldn't know what the password is.

    2. Re:The bug is in Disk Utility GUI volume creation by sbrown7792 · Score: 4, Interesting

      Right, the system shouldn't know, that's why this is a bug.

      When creating a new volume, [the Disk Utility GUI] apparently puts the password into the password hints field.

      A hint needs to be plaintext to read it later, the error was the utility saving the *password*, not the *hint*, in the hint field.

    3. Re:The bug is in Disk Utility GUI volume creation by Anubis+IV · Score: 2

      The system still doesn't know what the password is. So far as it knows, the thing it's showing you really is the password hint.

      As the GP suggested, the bug isn't technically that the password is being stored in plaintext, though that is a consequence of the bug. Rather, the bug is that the hint's value is being set to the password's value when a user sets up a new encrypted volume in the version of Disk Utility that shipped with High Sierra.

      Thankfully, this only affected users on the latest version of the OS who set up new encrypted volumes using Disk Utility in the time since they upgraded. Existing encrypted volumes are fine, as are encrypted volumes created via any other method. Even so, it's a pretty glaring bug, so I'm glad to hear that it was fixed quickly after hitting the news circuits earlier today.

    4. Re: The bug is in Disk Utility GUI volume creation by Brockmire · Score: 3, Insightful

      Typical at Apple, where shit like "GotoFail" is a regular occurrence. Shitty developers with nonreviewed code in important security places, no QA and test procedures... bugs can show up in corner cases, but not in THE FUCKING USE CASE. Who the fuck is running things over there?
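
    The thread above makes two points worth seeing in code: the encryption itself was never weakened (the passphrase is only used to derive a key-wrapping key and is not stored), and the whole leak is one wrong value landing in the plaintext hint field. The following Python model is an added illustration for this discussion, not code from the MacRumors article or from Apple; the record layout, the XOR wrap, and the function names are constructed for the example and do not reflect the real APFS keybag format. It shows the fixed and the buggy creation paths side by side, plus the check a practitioner would run on a freshly created volume: does the readable hint reveal the passphrase?

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass


@dataclass
class VolumeRecord:
    """Toy on-disk metadata for an encrypted volume (constructed model,
    not the real APFS keybag layout)."""
    name: str
    salt: bytes
    wrapped_vek: bytes   # volume encryption key XOR'd with a passphrase-derived KEK
    verifier: bytes      # SHA-256 of the VEK, used to confirm a correct unlock
    hint: str            # plaintext by design: anyone with the disk can read it


def _derive_kek(password: str, salt: bytes) -> bytes:
    # Key-encryption key derived from the passphrase; the passphrase is never stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=32)


def _xor_wrap(key: bytes, kek: bytes) -> bytes:
    # One-time-pad style wrap is enough for the model; real systems use AES key wrap.
    return bytes(a ^ b for a, b in zip(key, kek))


def create_volume_fixed(name: str, password: str, hint: str) -> VolumeRecord:
    """Correct behaviour: the hint field receives the user's hint."""
    salt = os.urandom(16)
    vek = secrets.token_bytes(32)            # random volume encryption key
    kek = _derive_kek(password, salt)
    return VolumeRecord(name, salt, _xor_wrap(vek, kek),
                        hashlib.sha256(vek).digest(), hint)


def create_volume_buggy(name: str, password: str, hint: str) -> VolumeRecord:
    """Same cryptography as the fixed path; the wrong VALUE is written to the hint
    field, which is the mix-up the thread describes (hypothetical reconstruction)."""
    rec = create_volume_fixed(name, password, hint)
    rec.hint = password                      # key left under the mat
    return rec


def unlock(rec: VolumeRecord, password: str):
    """Return the VEK for the right passphrase, None otherwise. Works identically on
    buggy and fixed records: the ciphertext side of the bug is unaffected."""
    kek = _derive_kek(password, rec.salt)
    vek = _xor_wrap(rec.wrapped_vek, kek)    # unwrap is the same XOR
    if hmac.compare_digest(hashlib.sha256(vek).digest(), rec.verifier):
        return vek
    return None


def hint_leaks_password(rec: VolumeRecord, password: str) -> bool:
    """Post-creation check: flag a hint that equals, or even just contains, the
    passphrase (case-insensitive, surrounding whitespace ignored)."""
    h = rec.hint.strip().casefold()
    p = password.strip().casefold()
    return bool(p) and p in h


if __name__ == "__main__":
    for maker in (create_volume_fixed, create_volume_buggy):
        rec = maker("Secret", "correct horse", "first pet")   # constructed sample input
        print(maker.__name__, "hint =", repr(rec.hint),
              "leaks:", hint_leaks_password(rec, "correct horse"))
```

    Running the block shows both records unlocking with the same passphrase while only the buggy one fails the hint check; that is the "encryption is still OK" point above made concrete. On a real Mac the analogous check is to read the hint back from the volume after creating it, before trusting it with data.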

  2. Re:More LUDDITE lies! by GameboyRMH · · Score: 2

    Apps are for cows, you bunch of non-HOSTS-file-modifying cows! You are all LUDDITE cows that don't use apps and leave your HOSTS files empty. Moo say the cows. YOU COWS. Apps can run on cows, but HOSTS files can block LUDDITE cows.

    Apps!

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel