Slashdot Mirror


Apple Addresses a Bug That Caused Disk Utility in macOS High Sierra To Expose Passwords of Encrypted APFS Volumes (macrumors.com)

Joe Rossignol, writing for MacRumors: Brazilian software developer Matheus Mariano appears to have discovered a significant Disk Utility bug that exposes the passwords of encrypted Apple File System volumes in plain text on macOS High Sierra. Mariano added a new encrypted APFS volume to a container, set a password and hint, and unmounted and remounted the container in order to force a password prompt for demonstration purposes. Then, he clicked the "Show Hint" button, which revealed the full password in plain text rather than the hint. [...] Apple has addressed this bug by releasing a macOS High Sierra 10.13 Supplemental Update, available from the Updates tab in the Mac App Store.

3 of 85 comments

  1. The bug is in Disk Utility GUI volume creation by alispguru · Score: 4, Informative

    When creating a new volume, it apparently puts the password into the password hints field.

    If you create a new volume using command-line tools, things are fine.

    The encryption is still OK; this bug just leaves the key to the front door under the mat.

    Which is still appalling.

    --

    To a Lisp hacker, XML is S-expressions in drag.

    1. Re:The bug is in Disk Utility GUI volume creation by sbrown7792 · Score: 4, Interesting

      Right, the system shouldn't know; that's why this is a bug.

      When creating a new volume, [the Disk Utility GUI] apparently puts the password into the password hints field.

      A hint needs to be plaintext to read it later; the error was the utility saving the *password*, not the *hint*, in the hint field.

    2. Re: The bug is in Disk Utility GUI volume creation by Brockmire · Score: 3, Insightful

      Typical at Apple, where shit like "GotoFail" is a regular occurrence. Shitty developers with nonreviewed code in important security places, no QA and test procedures... bugs can show up in corner cases, but not in THE FUCKING USE CASE. Who the fuck is running things over there?
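The first comment above says that volumes created from the command line are unaffected. The script below is an added example, not code from the thread or from Apple: it creates an encrypted APFS volume with diskutil and then checks that the hint recorded on the volume does not contain the passphrase, which is exactly the property the GUI bug broke. The container and volume identifiers (disk1, disk1s3), the passphrase, the hint text and the "Passphrase Hint:" label expected in the `diskutil apfs listCryptoUsers` output are assumptions; adjust them to your own `diskutil apfs list` output. Only the two pure helper functions run off-macOS; the diskutil steps are macOS-only and destructive to the target container, so run them on a scratch disk image.

```shell
#!/bin/sh
# Added example (not from the Slashdot thread or from Apple).
# Verifies that the passphrase hint stored on an encrypted APFS volume
# does not reveal the passphrase itself.

# Pure check: return 0 (true) if the hint equals or contains the passphrase,
# compared case-insensitively; return 1 otherwise. An empty passphrase never
# counts as leaked, so the check cannot be fooled by an empty string.
hint_leaks_passphrase() {
    hint=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    pass=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ -n "$pass" ] || return 1
    case "$hint" in
        *"$pass"*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Pull the first hint value out of `diskutil apfs listCryptoUsers` output
# read from stdin. The "Passphrase Hint:" label is an assumption about the
# output format; the tree-drawing prefix ("|   ") is skipped by the ".*".
extract_hint() {
    sed -n 's/.*Passphrase Hint:[[:space:]]*//p' | head -n 1
}

# macOS-only: create the volume and check it. Usage:
#   check_new_volume <containerRefDisk> <volumeName> <passphrase> <hint>
# The passphrase is fed on stdin (-stdinpassphrase) rather than as an
# argument, so it does not show up in the process list.
check_new_volume() {
    container=$1; name=$2; pass=$3; hint=$4
    printf '%s' "$pass" | diskutil apfs addVolume "$container" APFS "$name" \
        -stdinpassphrase -passhint "$hint" || return 2
    # Assumed: the new volume is the last APFS volume listed for the container.
    vol=$(diskutil apfs list "$container" | sed -n 's/.*APFS Volume Disk (Role): *\([^ ]*\).*/\1/p' | tail -n 1)
    stored=$(diskutil apfs listCryptoUsers "$vol" | extract_hint)
    if hint_leaks_passphrase "$stored" "$pass"; then
        echo "LEAK: hint on $vol reveals the passphrase: '$stored'"
        return 1
    fi
    echo "ok: hint on $vol is '$stored' and does not contain the passphrase"
    return 0
}

# Example invocation (assumed identifiers; uncomment on a scratch container):
# check_new_volume disk1 Vault 'correct horse battery staple' 'pet name'
```

If a volume already exists, run only the last two steps of `check_new_volume` against it; a hint that trips `hint_leaks_passphrase` should be replaced with `diskutil apfs setPassphraseHint` and the passphrase rotated, since the old one has already been written to disk in the clear.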