Rough times folks. Like your favorite characters getting killed in Game of Thrones. Like "was that really necessary?"
 
This is why having the user community helping beta test software & OS releases is so important. Also glad to see people using their skills to help improve systems rather than exploitation and wreaking havoc.
I would say relying on the user community to beta test software is a problem; there's no accountability. A paid QA department can be hung out to dry for missing bugs such as these.
 
using encrypted volumes, mounting them, then unmounting, then mounting them.

Exactly this. The reason why this could be missed is because not many would be doing this and this is not a normal behaviour of an average consumer usage. And for those who mentioned that the QA testers are bad, do you even unmount, mount, unmount then mount your APFS container on a standard basis?
 
This is clearly not merely a bug in Disk Utility itself - if a password is encrypted, then NO PROGRAM CAN EVER DISPLAY IT - all you can do is encrypt a user given password and compare to see if the encrypted versions match. The fact that Disk Utility COULD show the password means it was NOT ENCRYPTED. (Or else stored somewhere, or the NSA demanded a back door or something.)

Disk Utility has actually revealed a core security issue here!
 
First fusion drives have problems with High Sierra, a cheap hybrid drive that shoulda never been made standard for retina iMacs considering their price tag, NOW this!

So glad I dual boot Sierra and High Sierra (on a smaller partition) on my 13" nTB

I simply don't trust Apple thoroughly tests stuff and/or cares
Yeah, Apple should have just put in a larger SSD and kept the hard drive separate. That's how I have my MacBook Pro's two drives set up - separate.
 
So what is the real issue here and how many people does it impact? Hard to know wading through all the hyperbolic comments here.
 
Exactly this. The reason why this could be missed is because not many would be doing this and this is not a normal behaviour of an average consumer usage. And for those who mentioned that the QA testers are bad, do you even unmount, mount, unmount then mount your APFS container on a standard basis?

FWIW, I do this, but I do it specifically because I don't want to dedicate entire volumes just to have encrypted sandboxes. So instead I make encrypted disk images, but the downside is every time I reboot I have to remount them all manually. It's a pain, but full disk encryption didn't work on my Mac, so it wasn't even an option. (But I'm using Sierra, not APFS on High Sierra).
 
Yeah, Apple should have just put in a larger SSD and kept the hard drive separate. That's how I have my MacBook Pro's two drives set up - separate.

Yeah that was a much more sound approach too back when I had a non retina 13" and gutted the SuperDrive for an SSD in its place

OS+apps for SSD
Cold data for spinning drive

Don't leave it up to fusion tech to intelligently learn what's most accessed
 
Isn’t Apple paying for bugs now? Sure you can blame Apple QA, but what kind of lame, unmotivated beta users are testing these OS?

Seriously missed $ opportunity for a lot of these armchair coders.
 
Omg... do they actually display the plaintext password instead of the hint? This is too dumb even for a 15 year old developer.
 
The first public release of a new version of the OS is always buggy. Apps don't work. Vulnerabilities exist.

Years ago I learned, the hard way, to wait for the first or second update of the OS before I switched over.

Maybe by January it will be time to upgrade to High Sierra?
 
Oops! Well this is bad.

For people asking 'does this really affect many people?' - well, so what if it doesn't affect a huge percentage of users? If you are affected the consequences are potentially very very bad.

And more than that, it speaks to a worrying impression that Apple may not be paying enough attention to security, unlike the image they like to project. A few bugs are to be expected in a major new OS version, of course, but security-related bugs should be seen as the worst - the most embarrassing - the most important to iron out before public release. Because security vulnerabilities are not just inconvenient bugs, they can have much more serious consequences.

Yeah because the engineers that took a couple of hours to skin an authentication framework are the same ones working on Disk Utility. Great critical thinking there, champ.

Yeah, but come on... resources are resources... at the end of the day when something this ridiculous happens it's not unreasonable for people to question some of Apple's priorities and/or allocation of resources and focus. If they hired more people to concentrate on security and testing so things like this didn't happen, and we had to wait a little longer for more emoji and other less critical features (however fun for users), would that be a bad thing?
 
This is why having the user community helping beta test software & OS releases is so important. Also glad to see people using their skills to help improve systems rather than exploitation and wreaking havoc.

Actually, this bug is one that should have been caught by Apple. But I agree that beta testing by end users is great. But Apple needs to have a more close to finished product before you can have effective beta testing. For iOS 11 and High Sierra too much was being changed or fixed late in the development cycle. Ideally you’d have a very close to finished product that is good enough for people to use on the devices they need and use daily. You’d let them test that for several weeks or a month.
 
This is clearly not merely a bug in Disk Utility itself - if a password is encrypted, then NO PROGRAM CAN EVER DISPLAY IT - all you can do is encrypt a user given password and compare to see if the encrypted versions match. The fact that Disk Utility COULD show the password means it was NOT ENCRYPTED. (Or else stored somewhere, or the NSA demanded a back door or something.)

Disk Utility has actually revealed a core security issue here!

It is in fact a Disk Utility issue. Disk Utility is storing the password and displaying it incorrectly.

To prove that it's Disk Utility causing this issue, follow the steps outlined in this article but before re-mounting the container, quit and then re-launch Disk Utility. The container and password hint will function as they should.

This proves it is in fact Disk Utility malfunctioning and not a larger issue as you claim.
 
Yeah because the engineers that took a couple of hours to skin an authentication framework are the same ones working on Disk Utility. Great critical thinking there, champ.

Well the engineers might not be the same. But given the attention Craig Federighi and Tim Cook give to getting the Animoji right while not caring for security in macOS is really deplorable!
 