Disk Utility Bug in macOS High Sierra Exposes Passwords of Encrypted APFS Volumes in Plain Text [Updated]

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Oct 5, 2017.

  1. MacRumors macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1
    [​IMG]


    Brazilian software developer Matheus Mariano appears to have discovered a significant Disk Utility bug that exposes the passwords of encrypted Apple File System volumes in plain text on macOS High Sierra.

    [​IMG]
    MacRumors confirmed our test password "dontdisplaythis" appeared as the hint

    Mariano added a new encrypted APFS volume to a container, set a password and hint, and unmounted and remounted the container in order to force a password prompt for demonstration purposes. Then, he clicked the "Show Hint" button, which revealed the full password in plain text rather than the hint.

    A second video with English system language is embedded below

    MacRumors reproduced this behavior on a 2016 MacBook Pro running macOS High Sierra, including versions 10.13 and 10.13.1 beta. German software developer Felix Schwarz also shared a video of the issue on Twitter today.
    Tried myself & it's true: #HighSierra shows the #APFS volume password as hint. Persists reboots, not stored in keychain. Wow. Just wow. pic.twitter.com/FkcHI9KHl9— Felix Schwarz (@felix_schwarz) October 5, 2017
    The issue currently only affects Macs with SSD storage due to Apple File System compatibility, but APFS will eventually support machines with Fusion Drives as well. Schwarz believes users who haven't specified a password hint, or haven't used Disk Utility whatsoever, are probably not affected.

    For clarity, this appears to be a bug within Disk Utility itself. When creating an encrypted APFS volume in Terminal with the diskutil command line utility, the actual hint is shown, rather than the password.

    Mariano said he has reported the vulnerability to Apple. The company did not immediately respond to our request for a comment on the matter, but we'll update this article if we hear back.

    Update: Apple has addressed this bug by releasing a macOS High Sierra 10.13 Supplemental Update, available from the Updates tab in the Mac App Store. Apple has also shared a support document outlining steps to back up, erase, and restore the encrypted APFS volume upon updating.

    The bug has also been fixed in the base version of macOS High Sierra for those who have yet to install the full software update.

    Article Link: Disk Utility Bug in macOS High Sierra Exposes Passwords of Encrypted APFS Volumes in Plain Text [Updated]
     
  2. masotime macrumors 68000

    masotime

    Joined:
    Jun 24, 2012
    Location:
    San Jose, CA
    #2
    Apple seriously needs to start hiring better QA engineers....
     
  3. codewrangler macrumors member

    codewrangler

    Joined:
    Jun 17, 2009
    Location:
    Dallas, TX
  4. 840quadra Moderator

    840quadra

    Staff Member

    Joined:
    Feb 1, 2005
    Location:
    Twin Cities Minnesota
    #4
    This appears to be fairly critical, and hopefully addressed extremely quickly. Curious to see others test / report on this as well.
     
  5. ruchern macrumors regular

    Joined:
    Jun 2, 2017
    Location:
    Singapore
    #5
    Interesting thing is that if there is no password hint this will not happen? (Based off the article)
     
  6. dwsolberg macrumors 6502a

    Joined:
    Dec 17, 2003
    #6
    Easy developer mistake, but seems like it should have been very easy to test, too.

    I realize that running a huge company must be difficult, but it's really surprising that Apple doesn't have the resources to test these things, especially because they are trying to stake a claim on privacy, and security is an essential ingredient.

    ---

    For some things, I think I trust Google more because they seem more likely to share marketing information about me, but a lot less likely to accidentally divulge all my saved information.
     
  7. Frosties macrumors 6502a

    Frosties

    Joined:
    Jun 12, 2009
    Location:
    Sweden
  8. thadoggfather macrumors 604

    thadoggfather

    Joined:
    Oct 1, 2007
    #8
    First fusion drives have problems with high Sierra, a cheap hybrid drive that shoulda never been made standard for retina iMacs considering their price tag, NOW this!

    So glad I dual boot Sierra and high Sierra (on a smaller partition) on my 13" nTB

    I simply don't trust apple thoroughly tests stuff and/or cares
     
  9. ikjadoon macrumors newbie

    ikjadoon

    Joined:
    Mar 5, 2017
    #9
    Oh, ouch. Ouch. Ouch. That's scary to see your password displayed brightly and perfectly on your screen unexpectedly.

    Nope nope nope.
     
  10. MasterMac macrumors regular

    Joined:
    Jun 17, 2003
    #10
    Does showing the password itself as the hint count as a password hint? ;)
     
  11. madmin macrumors member

    Joined:
    Jun 14, 2012
    #11
    First the macOS keychain hack, now this. Whatever next ? Please sort it out sharpish.
     
  12. RMo macrumors 65816

    RMo

    Joined:
    Aug 7, 2007
    Location:
    Iowa, USA
    #12
    To be clear, the linked Twitter thread suggests that this is a Disk Utility bug, where if you create a password-protected volume in Disk Utility it inadvertently sets the hint to the password itself. It's not a bug that allows the password itself to be uncovered via other means, which is what I originally thought this meant and which was surprising to me since the only way to do that should be computationally expensive brute-force methods (the data itself is encrypted with the password; it's not just artificially protected by one, and it shouldn't be possible to "reverse lookup" the password by any true means).
     
  13. IPPlanMan macrumors regular

    Joined:
    Dec 25, 2009
  14. AppleFan360 macrumors 68020

    Joined:
    Jan 26, 2008
    #14
    Wow! Obvious mistake in coding. Should be an easy fix but can't believe it was missed. Shame on Apple for that one.
     
  15. maverick2007 macrumors member

    Joined:
    Sep 18, 2014
    #15
    Perhaps better CEO! I think i will lose my credit card and bank details soon.
     
  16. thobie macrumors member

    Joined:
    Oct 21, 2009
    #16
    How the **** can the password be stored as a plain text without encryption? Or is the problem the AFS volume generator storing the password string also as a hint string? Otherwise if you can decrypt the password string without even entering the password itself is... interesting safety politics.
     
  17. longofest Editor emeritus

    longofest

    Joined:
    Jul 10, 2003
    Location:
    Falls Church, VA
    #17
    This, the keychain vulnerability... Jesus Apple!
     
  18. smaffei macrumors regular

    Joined:
    Jun 5, 2003
    #18
    Yes, there some HUGE problems with Apple QA these days.

    iOS 11 is riddled with obvious bugs. I just got one about 10 minutes ago. Was just deleting a few voicemails (swipe delete) and the Phone App crashed. Then there is a very reproducible Messages bug where the keyboard obscures the last few messages and you can't get to them. Real rinky-dink stuff that should be caught.

    I'm starting to think that Apple is relying too much on the Beta process to collect bugs instead of having robust internal QA.
     
  19. guitarman777 macrumors regular

    guitarman777

    Joined:
    Sep 15, 2005
    Location:
    Orlando, FL
    #19
    This is why having the user community helping beta test software & OS releases is so important. Also glad to see people using their skills to help improve systems rather than exploitation and wreaking havoc.
     
  20. Dave-Z macrumors 6502

    Joined:
    Jun 26, 2012
    #20
    Unbelievable. I am completely nonplussed.
     
  21. jdillings macrumors 65816

    Joined:
    Jun 21, 2015
  22. belvdr macrumors 603

    Joined:
    Aug 15, 2005
    #22
    That's a very good point, although I don't know many people using Terminal to create volumes on macOS, so the impact can be large.
    The problem is Disk Utility is setting the hint to the password itself. It's a bug in Disk Utility, not APFS.

    @840quadra : It would be wise to update the article. Here's a link to a tweet showing that creating the APFS-encrypted volume via Terminal is not susceptible to this bug in Disk Utility:

    https://twitter.com/felix_schwarz/status/915857500330700801
     
  23. uhaas macrumors 6502

    uhaas

    Joined:
    Aug 31, 2012
    Location:
    Twin Cities, MN
    #23
    I'm not seeing beta report actually getting addressed.
     
  24. Chupa Chupa macrumors G5

    Chupa Chupa

    Joined:
    Jul 16, 2002
    #24
    Big picture -- exposing an encrypted password isn't a huge deal for Apple. The big focus on its engineers has to be ensuring that Animojis work out of the box. /sarc
     
  25. cult hero macrumors 6502a

    cult hero

    Joined:
    Jun 6, 2005
    #25
    I’m gonna have to confirm that. I’ll feel a lot better if that’s the case.

    Pretty big oops either way. Better get patched yesterday.
     

Share This Page