Apple just released a supplemental update for the recently launched macOS High Sierra 10.13 operating system to address various bugs, including a potential vulnerability that leaks a user's password. A developer from Brazil discovered the flaw in High Sierra, which features a new file system called Apple File System (APFS). Users who have installed the latest High Sierra version are advised to patch to prevent potential compromise of their operating systems.
Affecting Macs with a solid-state drive (SSD), High Sierra leaks passwords for encrypted APFS volumes through the password hint. APFS is the default file system in macOS High Sierra for Mac computers with all-flash storage. When macOS High Sierra is installed on the Mac volume of an SSD or any other all-flash storage device, that volume is automatically converted to APFS. While APFS is described as featuring strong encryption and improved file system fundamentals, it apparently fell short on protecting user passwords.
Developer Matheus Mariano found that the password leak occurs after using Disk Utility to add a new encrypted APFS volume to the container. Whenever a new APFS volume is added, users are asked to enter a password and, optionally, write a hint for it.
Upon mounting the new volume, the user is asked to enter the password. Here Mariano noticed that clicking the Show Hint button displays the actual password set by the user rather than the hint. No password is shown if the user did not provide a password hint when creating the new volume.
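As an added illustration, not Apple's code (Disk Utility's internals are not public), the following Python models the failure mode described above: a hypothetical volume-creation routine that writes the password into the hint slot, beside a hardened version that stores only a derived key, keeps the hint separate, and refuses a hint that would reveal the password. The record layout, field names and sample values are all constructed for the example.

```python
import hashlib
import os
import secrets


def derive_key(password, salt):
    """Derive a volume unlock key; only this verifier, never the password, is stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class EncryptedVolumeRecord:
    """Hypothetical per-volume metadata: salt, key verifier and optional hint."""

    def __init__(self, salt, verifier, hint):
        self.salt = salt
        self.verifier = verifier
        self.hint = hint  # what "Show Hint" displays


def create_volume_vulnerable(password, hint):
    """Model of the bug: when a hint is given, the password lands in the hint slot."""
    salt = os.urandom(16)
    record = EncryptedVolumeRecord(salt, derive_key(password, salt), hint)
    if hint:
        record.hint = password  # the leak: wrong field written into the hint slot
    return record


def create_volume_hardened(password, hint):
    """Store only a derived key; reject any hint that would reveal the password."""
    if hint and password in hint:
        raise ValueError("hint must not contain the password")
    salt = os.urandom(16)
    return EncryptedVolumeRecord(salt, derive_key(password, salt), hint)


def show_hint(record):
    """What the Show Hint button would display for this record."""
    return record.hint


def hint_leaks_password(record, password):
    """Defender-side check on an existing record: does the hint expose the password?"""
    return record.hint is not None and password in record.hint


def unlock(record, password):
    """Verify a password against the stored key verifier in constant time."""
    return secrets.compare_digest(derive_key(password, record.salt), record.verifier)
```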
How to protect the encrypted APFS volume
For those who see their password instead of a password hint for an encrypted APFS volume, Apple provides a step-by-step process: