Slashdot Mirror


macOS High Sierra Logs Encryption Passwords in Plaintext for APFS External Drives (bleepingcomputer.com)

Catalin Cimpanu, writing for BleepingComputer: macOS High Sierra users are once again impacted by a major APFS bug after two other major vulnerabilities affected Apple's new filesystem format in the last five months. This time around, according to a report from Mac forensics expert Sarah Edwards, recent versions of macOS High Sierra are logging encryption passwords for APFS-formatted external drives in plaintext, and storing this information in non-volatile (on-disk) log files.

The issue, if exploited, could allow an attacker easy access to the encryption password of encrypted APFS external volumes, such as USB thumb drives, portable hard drives, and other external storage mediums. This bug goes against all well-established Apple development and security rules, according to which apps and utilities should use the Keychain app to store valuable information, and should definitely avoid storing passwords in cleartext.
Video 1, and 2.
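The summary above describes the bug class (a passphrase ending up in a non-volatile log) and the rule it violates (secrets belong in the Keychain, never in cleartext). As an added example, not code from the article, from Sarah Edwards's report or from Apple, the block below shows the two things a practitioner wants at this point: a scan that finds command lines carrying a passphrase in log text, and the argv-level redaction a tool author should apply before anything is written to a log. The tool name `mkvol`, the flags in `SECRET_FLAGS` and every log line in `LOG_LINES` are constructed for this example and do not reproduce the real macOS commands or the lines High Sierra wrote.

```python
"""Added example (not from the article, Sarah Edwards's report, or Apple):
find passphrases that a tool leaked into on-disk log text, and show the
argv-level redaction a tool author should apply before anything is logged.

Everything below is constructed for the example: the tool name 'mkvol',
the flags in SECRET_FLAGS and the log lines in LOG_LINES are hypothetical
and do not reproduce the real macOS commands or the lines High Sierra wrote.
"""
import re
from typing import List, Optional, Tuple

# Hypothetical flags whose argument is a secret (next token or flag=value).
SECRET_FLAGS = ("--passphrase", "--password", "-p")

# Longest flag first so '-p' can never match the prefix of '--passphrase'.
_FLAG_ALT = "|".join(re.escape(f) for f in sorted(SECRET_FLAGS, key=len, reverse=True))

# Flag must start a token (preceded by whitespace or line start), then '='
# or whitespace, then a quoted or bare value.
SECRET_FLAG_RE = re.compile(
    r"(?<!\S)(?P<flag>" + _FLAG_ALT + r")"
    r"(?:=|\s+)"
    r"(?P<value>'[^']*'|\"[^\"]*\"|\S+)"
)

# Constructed log lines: lines 1, 3 and 4 carry a passphrase, line 2 is clean.
LOG_LINES = [
    "2018-03-25 10:01:02 diskmgr[412]: exec: mkvol -p hunter2 -t apfs /dev/disk2s1",
    "2018-03-25 10:01:03 diskmgr[412]: mount ok /Volumes/Backup",
    "2018-03-25 10:02:10 diskmgr[413]: exec: mkvol --passphrase='correct horse' /dev/disk3s1",
    "2018-03-25 10:02:11 diskmgr[413]: exec: mkvol --passphrase=sw0rdf1sh --name Vault /dev/disk4s1",
]


def extract_secret(line: str) -> Optional[str]:
    """Return the secret a logged command line carries, or None."""
    m = SECRET_FLAG_RE.search(line)
    if m is None:
        return None
    return m.group("value").strip("'\"")


def find_leaked_secrets(lines: List[str]) -> List[Tuple[int, str]]:
    """Detection: (1-based line number, secret) for every leaking line.
    Run this over a copy of the log; never print the result into another log."""
    hits = []
    for n, line in enumerate(lines, start=1):
        secret = extract_secret(line)
        if secret is not None:
            hits.append((n, secret))
    return hits


def redact(line: str) -> str:
    """After-the-fact scrub of log text that has already been written."""
    return SECRET_FLAG_RE.sub(lambda m: f"{m.group('flag')} <redacted>", line)


def argv_for_logging(argv: List[str]) -> List[str]:
    """The real fix: strip the secret out of argv *before* formatting the log
    entry, so the plaintext value never reaches a log file at all."""
    out: List[str] = []
    skip_next = False
    for tok in argv:
        if skip_next:
            out.append("<redacted>")
            skip_next = False
            continue
        flag, eq, _value = tok.partition("=")
        if flag in SECRET_FLAGS:
            if eq:
                out.append(f"{flag}=<redacted>")
            else:
                out.append(flag)
                skip_next = True
            continue
        out.append(tok)
    return out


if __name__ == "__main__":
    for n, secret in find_leaked_secrets(LOG_LINES):
        print(f"line {n}: passphrase logged in plaintext ({len(secret)} chars)")
    for line in LOG_LINES:
        print(redact(line))
    print(" ".join(argv_for_logging(["mkvol", "-p", "hunter2", "-t", "apfs", "/dev/disk2s1"])))
```

`find_leaked_secrets` is the triage step: it tells you which lines, and therefore which volumes, need their passphrase rotated, without copying the secret anywhere new. `redact` only cleans text after the fact and does nothing for copies already made by backups or log shippers, which is why `argv_for_logging` is the fix that matters: the secret is removed from the data structure before any formatter sees it, and the secret itself goes to the Keychain rather than to disk.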

62 comments

  1. How to update? by twistedcubic · · Score: 2

    Will a security update shred the logs? I wonder how they're going to fix this.

    1. Re:How to update? by Anonymous Coward · · Score: 5, Informative

      It was already fixed in 10.13.2 released December 2017. The person that reported the problem was using the original High Sierra release 10.13.0. She had other people tell her it was fixed in 10.13.2 and 10.13.3.

      Shit for brains runs deep here at Slashdot.

    2. Re: How to update? by Anonymous Coward · · Score: 1

      The build quality of Macs is good, let's not get extreme. Overpriced? It depends on the Mac (and whether or not you're entitled to discounts). Awful software, indeed. But they're actually good computers to install Arch on :o)

    3. Re: How to update? by Anonymous Coward · · Score: 0

      You just keep using your super secure Windows 10.

  2. Does this seem only to me or... by SurenEnfiajyan · · Score: 2

    Apple is really having the most childish bugs in the last few years?

    1. Re:Does this seem only to me or... by ITapeFatCashews · · Score: 1

      The entire company is having quality control issues. Even the marketing department.

      Apple fixes buggy iPhone X ad before fixing the actual iOS 11 bug
      https://www.theverge.com/2018/3/23/17155756/apple-ios-11-bug-iphone-x-ad

    2. Re:Does this seem only to me or... by Anonymous Coward · · Score: 1

      Courageous bugs!

      FTFY

    3. Re:Does this seem only to me or... by Anonymous Coward · · Score: 0

      Personally I think it is just the company going in the direction of its chief steward.

      Jobs : fanatical attention to product details
      Cook : fanatical attention to [process|money|supply chain|business].

      Before Jobs' death you could tell when he was sick and not able to do as much, the bug count on new product/software releases seemed to be much higher and more pronounced. At least it sure seemed that way.

      I don't know why this seems to be the case, but the pattern seems to hold, even more so after his passing the releases seem to get a little further and further away from the standards Jobs set. Sure, bugs made it out on his watch, but they sure seem to have a higher visibility and impact this go around without his presence. It's kind of sad really.

      What's worse is that the overall stability and reliability of macOS has gone downhill. I have to reboot or recover from hung core processes or even the window server about once a week now. I used to go weeks, sometimes months, between reboots, not any more.

    4. Re:Does this seem only to me or... by AHuxley · · Score: 1, Interesting

      The NSA and what followed PRISM can't be doing hours of crypto on every Mac they encounter in the wild.
      Features like this ensure the security services can work in real time on all big brand US products.
      Junk crypto in the hands of trusting users has been the NSA's pathway to winning for decades.

      --
      Domestic spying is now "Benign Information Gathering"
    5. Re:Does this seem only to me or... by AHuxley · · Score: 2

      They should have used BeOS.

      --
      Domestic spying is now "Benign Information Gathering"
    6. Re:Does this seem only to me or... by Anonymous Coward · · Score: 0

      Your YouTube channel has quality issues, period.
      1) Your lip-smacking sounds, Picked up in crystal-clear digital audio.
      2) Your toothless lithp.
      3) Your ham-fisted editing.
      4) You're forever shifting in your seat.
      5) Subject matter even a deep Aspie would find tiresome. A 10 minute video of what to do to get a refund? Really?
      6) Close-up of a fat head that no one wants to see in that much detail. You're like a useless, nightmare version of THIS obscure sci-fi computer.

    7. Re:Does this seem only to me or... by Bing+Tsher+E · · Score: 1

      Don't look now, but the real obsessive is the one making numbered lists on Slashdot.

    8. Re:Does this seem only to me or... by Anonymous Coward · · Score: 0

      So your doctor listing your symptoms is also sick?

      Who the hell can still defend Chris knowing what a utter tool he is?

    9. Re: Does this seem only to me or... by Anonymous Coward · · Score: 1

      Huh?

      SMB never worked properly in 10.4; in 10.3-10.4 config files often got corrupt; iPod nano screens often cracked; antennagate; the touchpad on the last gen of PowerBooks; Mighty Mouse right click; power cables which always break; minor updates constantly breaking audio drivers back in the day.

      Seriously, QA has always been really bad. The only difference is that people ignored the issues back then. That's only a short list.

    10. Re:Does this seem only to me or... by antdude · · Score: 1

      Apple is being like Microsoft and many other companies. Really bad or worse lack of QA. :(

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    11. Re:Does this seem only to me or... by Bing+Tsher+E · · Score: 1

      I have actively avoided being diagnosed. It's an important freedom that more people should exercise.

    12. Re:Does this seem only to me or... by Anonymous Coward · · Score: 0

      "Came across your vid randomly, I don’t even like hoovers but love your honest humour. +1"

      https://www.youtube.com/watch?v=C442Zdo0C5M&lc=UgzAF38DPGbPqSGAWiB4AaABAg

    13. Re:Does this seem only to me or... by Anonymous Coward · · Score: 0

      And two dislikes, Chris. Your problem is that in very small doses you're almost unremarkable. To people that don't know what a digital bedbug you are.

      Those of us that have had to deal with your shit-mothiness know better.

      The question then becomes, why aren't you satisfied with making one ten minute video a week?

      Why the 25 sockpockets, obsessive posting, and unpleasant persona?

      After one year of continuous drama, you ended up with one positive comment on YouTube? Imagine if you had focused all of the last 12 months of sockpockets, denials, delusions, and lies into those videos instead?

    14. Re: Does this seem only to me or... by Anonymous Coward · · Score: 0

      Can you say mole?

    15. Re:Does this seem only to me or... by Anonymous Coward · · Score: 0

      C.D. Reimer
      12 hours ago (edited)
      If you think I look stupid now, wait until you see my next video as I retrace what happened.

      Hey creimer! So, you promise to look even more stupid in your next video? OK, I'll watch it then.

      Also, I see "12 hours ago (edited)" above. You must enjoy the edit functionality allowing you to re-arrange your reality at will, you delusional fucktard!

    16. Re:Does this seem only to me or... by Anonymous Coward · · Score: 0

      And two dislikes, Chris.

      Ivan, YouTube considers any form of user engagement as a positive. The more engagement you do on creimer's channel, the more likely that the algorithm will recommend his videos to random strangers.

      The question then becomes, why aren't you satisfied with making one ten minute video a week?

      The first 100 videos will always suck. The fastest way to succeed is to fail often and fail fast. Each video represents an attempt to get better and attract an audience. Creative people are never satisfied.

    17. Re:Does this seem only to me or... by Anonymous Coward · · Score: 0

      No, the doctor uses bullet points.

    18. Re:Does this seem only to me or... by Anonymous Coward · · Score: 0

      The amount of energy you pour into your delusions is stunning, Chris.

      BTW, when is your haiku "Unemployable" coming out? I thought you were creative?

    19. Re:Does this seem only to me or... by Anonymous Coward · · Score: 0

      "Ivan, YouTube considers any form of user engagement as a positive. The more engagement you do on creimer's channel, the more likely that the algorithm will recommend his videos to random strangers."

      Then why are you so upset about "creimertards"? As usual, your self-contradictory justifications are borderline schizophrenic. That oversized head of yours contains not only enough fat to insulate a baby walrus, but enough mental illness for 15 psychiatrists to ponder over for a lifetime.

    20. Re:Does this seem only to me or... by Anonymous Coward · · Score: 0

      With creimer gone from Slashdot, the creimertards have no reason to exist. Get a fucking laugh.

    21. Re:Does this seem only to me or... by Anonymous Coward · · Score: 0

      "Get a fucking laugh."

      I think I figured out your problem, Chris. You talk your sentences to yourself in that massive head of yours, then you type what you hear!

      Problem is, your brain can't do both at the same time.

      "With creimer gone from Slashdot, the creimertards have no reason to exist."

      By your logic, the fact that the "creimertards" are still here means you're still here, Chris!

      And yes, I had a fucking laugh!

    22. Re:Does this seem only to me or... by Gr8Apes · · Score: 1

      What's worse is that the overall stability and reliability of macOS has gone downhill. I have to reboot or recover from hung core processes or even the window server about once a week now. I used to go weeks, sometimes months, between reboots, not any more.

      I agree quality has gone downhill since Jobs' death, but it went downhill somewhat prior to that as well. iOS 9 and 10.7 were both under Jobs and were the start of GCD. While GCD solves a specific problem, converting the entire OS to it has proven to be a great source for all sorts of bugs. Even so I'm running multiple 10.10-10.12 systems and they're nice and stable for months. Not sure what you're doing, but even running multiple VMs hasn't affected the stability at all.

      --
      The cesspool just got a check and balance.
    23. Re:Does this seem only to me or... by Anonymous Coward · · Score: 0

      The entire Slashdot community is fucking laughing at you.

    24. Re:Does this seem only to me or... by Anonymous Coward · · Score: 0

      Chris, one day Slashdot is a locker room that smells of socks, the next it's a "community" whose approval you desperately want.

      Do you have any evidence that anyone at all on Slashdot feels sorry for you, or looks forward to your next digital turd?

      And that you have enough people to call it a "community"? And that anyone is laughing at "me"? (Every AC is creimertard, Chris?)

      ...and if you hate Slashdot so much, why are you still here?

    25. Re:Does this seem only to me or... by Anonymous Coward · · Score: 0

      Junk crypto in the hands of trusting users

      It wasn't junk crypto. It was the OS logging the keys for industrial-strength crypto.

  3. quick somebody call 911 by Anonymous Coward · · Score: 0


  4. High Sierra - It just doesn't work by sandbagger · · Score: 3, Insightful

    And where is my new Mac Pro tower?

    --
    ---- The above post was generated by the Turing Institute. Maybe.
    1. Re:High Sierra - It just doesn't work by Bing+Tsher+E · · Score: 2

      My Quadra 650 is the desktop version, but you can stand it on end and pretend it's the minitower version.

    2. Re:High Sierra - It just doesn't work by TheFakeTimCook · · Score: 1

      And where is my new Mac Pro tower?

      Apple said "Modular". They never said "Tower".

  5. It's LINUX's fault. by Anonymous Coward · · Score: 3, Funny

    Apple copied stupid command line Linux and that's why they have all of these bugs! If they copied Windows instead, at least we'd be able to play games!

    1. Re:It's LINUX's fault. by SurenEnfiajyan · · Score: 1

      This has nothing to do with Linux/Unix or the command line. It's because Mac OS works only (well) on Apple hardware. FreeBSD-based Orbis OS, which is used in the PS4, is actually a descent gaming OS.

    2. Re:It's LINUX's fault. by SurenEnfiajyan · · Score: 2

      a descent gaming OS.

      Oh, sorry, I meant decent.

    3. Re:It's LINUX's fault. by Anonymous Coward · · Score: 0

      No, the original Descent worked on MacOS too.

    4. Re:It's LINUX's fault. by Anonymous Coward · · Score: 0

      Still trying to figure out how in 1995 I had a 100MHz Power Mac that played Descent smoothly, and in 2018 I have a 2.2GHz Macbook Pro that can't keep up with my typing...

  6. Security Experts by Anonymous Coward · · Score: 0

    How do these security experts find these bugs, but Apple overlooks them so easily?

    1. Re: Security Experts by Midnight+Thunder · · Score: 1

      Security experts have the job of breaking things. Most other people have deliverables, so iterative QA misses this. The ideal situation is having your own internal team trying to break any product whenever they please. Maybe Apple already has a security team doing exactly this?

      --
      Jumpstart the tartan drive.
    2. Re:Security Experts by Anonymous Coward · · Score: 0

      Simple; apple as a company is incompetent.

    3. Re: Security Experts by Anonymous Coward · · Score: 0

      All big software companies have quality assurance engineers. I think it's their responsibility to find bugs. But who knows if they are security experts, or just nerdy 18 year olds fresh out of high school.

  7. Apple, please hire me by Snotnose · · Score: 4, Funny

    I'm a drunk that's been fired a few times for sexual harassment and spent time in jail for corporate espionage. But I promise you I won't write your supra sekrit keyz to a log file in plaintext.

    FFS.

    1. Re:Apple, please hire me by Anonymous Coward · · Score: 0

      It was NOT written in plaintext. It was actually encrypted with unbreakable XOR One-Time-Pad (OTP) twice! But using the same password, hence the plaintext.

  8. Good idea! by AndyKron · · Score: 1

    Good for Apple for doing that. It might come in handy if someone wants a password for something. Disclaimer: I do not own any Apple products.

  9. It's a feature by viperidaenz · · Score: 2

    In case you forget your password, you can find it again so you don't lose your encrypted data!

  10. Good grief, Apple by 93+Escort+Wagon · · Score: 1

    I used to joke that all the good coders have left Apple... but maybe it's not a joke after all.

    --
    #DeleteChrome
    1. Re:Good grief, Apple by Anonymous Coward · · Score: 0

      It's no joke. They have.

      All the NeXT engineers retired and all they've been left with is dumb Silicon Valley kids who think agile is actually good, social justice is important within the context of their job and Steve Jobs never grew past being a controlling jerk who fucks his customers. All wrong.

      Things went to shit right after they stitched up Scott Forstall with the Apple Maps controversy. The younger engineers fucked the release of it and pinned it on him so he'd resign or be fired and then they could have the run of the place. It's been an absolute disaster; under the personal responsibility rule that was used to get rid of Forstall, the current guy, whatever the hell his name is (I don't care enough to learn the names of fools), should be fired as well for the last few years of Apple's software releases.

      They talk about security being a reason to push shit like APFS and lock down the platform, but then they fuck it up in such basic ways that it puts the truth to the lie they just told about it being about security.

    2. Re:Good grief, Apple by Anonymous Coward · · Score: 0

      Just to explain what I mean by social justice, I don't mean the kind that results in tangible good, I mean mindless, brain dead virtue signalling that does more harm than good...

    3. Re:Good grief, Apple by Anonymous Coward · · Score: 0

      Oh, you mean actual justice (fixing the problem) rather than fake justice (two-wrongs-make-a-right retribution "fairness" measures)!

  11. Why is it that hard? by Anonymous Coward · · Score: 0

    Jesus Christ, Apple! Why is it that hard? Don't log passwords. Any of them. Never.

    1. Re:Why is it that hard? by AHuxley · · Score: 0

      It's hard to have all the resulting meetings with the CIA, NSA, FBI and DEA about why their collection stopped.

      --
      Domestic spying is now "Benign Information Gathering"
  12. Heh by TimMD909 · · Score: 1

    It's been a bad day for Apple on Slashdot...

    1. Re:Heh by campuscodi · · Score: 1

      Not as bad as Facebook's

  13. Appearances can be deceiving. by Anonymous Coward · · Score: 0

    You know how you shouldn't judge a book by its cover? That goes doubly for deciding that because something LOOKS good, that means it probably is. Take everything Apple makes, for example. Very slick-looking products, that turn out to be complete crap with built-in planned obsolescence, designed to cost you a bunch of money up front, a bunch of money to maintain and use, buying proprietary accessories since Apple's idea of "leadership" is to try to find the best way to play nicely with the rest of their industry, then do the exact opposite!!! Then once you're hooked into their goddamned ecosystem, they try to compel you to stay by making sure none of their shit works with anything made by anyone else, which isn't just so it will "work" (for example, USB devices that Apple HAD to adopt because they were simply too popular, but they REFUSE to switch to the inexpensive, superior, and ubiquitous MicroUSB, instead insisting on their own, custom, proprietary "Lightning" bullshit just to oblige you to buy their overpriced cables and accessories, which in turn will help encourage you, when your iPhone or iPad or iPod or iPud or iPuke dies, to replace it with another that works with their accessories). BUT then rather than spend the fortune their stupid users fork over to them (as they have in years past) making an at-least halfway-decent product, they now spend it building fancy headquarters buildings, paying their executives obscene pay and benefits, and treating you like the moron you are for buying their shit. The worst thing anyone can do to you is to try to rope you into using something from Apple. Someone gives you an iPop or iPutz or whatever, that person is NOT your friend. Just saying.

    The result here, then, is Apple pushing beta-quality software (if EVEN beta-quality, something with glaring security holes really deserves an alpha designation; it's NOT ready for prime-time,) as if it's a finished product, like something that lets you do stuff as "root" without needing a password, or that you can unlock with a lifted fingerprint, or that lets you execute arbitrary code on their devices, because quality control got outsourced to... the past. They don't do it anymore, apparently, and the result is increasingly expensive, slick-looking shit that you'd be a fool to use, let alone pay good money for. Anyone buying anything from Apple after this deserves what the fuck they get... which is basically a pile of apple-themed shit.

  14. what a terrible piece of shit OS by Anonymous Coward · · Score: 0

    How can anyone that is concerned about security use this crap?

  15. Apple security is deliberately back doored by Anonymous Coward · · Score: 0

    Apple + goto fail.

    Duck Duck Go it.

  16. Bluetooth by Anonymous Coward · · Score: 0

    compel you to stay by making sure none of their shit works with anything made by anyone else,

    Exactly! Case in point, bluetooth. It is an open standard and should work across devices regardless of brand or model, yet Apple just locks in all their devices to block other non-Apple products from connecting via Bluetooth!!! What a lame move. Encouraging more e-waste.