Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Disk Utility Bug in macOS High Sierra Exposes Passwords of Encrypted APFS Volumes in Plain Text [Updated]
- Thread starter MacRumors
- Start date
- Sort by reaction score
How do you know it's a bug?
What if this always existed in some obscure command form that no one would ever do, save for those that know about it?
Just sayin'
What if this always existed in some obscure command form that no one would ever do, save for those that know about it?
Just sayin'
It really seems like the 2017 releases are among the worst Apple has ever had. Flagship feature on the new Watch? Practically DOA, to the point that they wouldn't even sell them in stores until they fixed it. Can't use Outlook accounts in iOS. Key third party apps on the Mac? Totally boned. Can't format blank disks. Your data's root password handed out like candy.
Just a completely joke from start to finish.
Just a completely joke from start to finish.
Especially in the macOS space. A platform many use for their work not just to check instagram and Facebook
Intel has been moving at snail like pace for many years, and redesigns only come about once every 4 years or so.
But even iOS I think major updates, that don't offer tons of features butnopen the door to hindered experience and lots of bugs, don't need to be pegged to yearly cadences
People are way more excited to get new gear than a new control center
Too bad "courage" only extended to removing the headphone jack and not disrupting stockholders timeline expectations. Timmy doesn't have the courage for that
Animoji are an iOS feature. They were most likely developed by a programmer killing some time while waiting for a build or blowing off some steam. The majority of the heavy lifting was there anyway because of FaceID. It's literally a skin to the 3D mesh used for authentication. A manager probably saw it and said "Hey, that's kinda cool. Why don't we put it in as a neat trick?" Disk Utility is part of macOS. It's part of a different (albeit related) product. Taking developer away from Animoji to focus on a completely different product would likely cause resentment and not solve anything.
Any bets when Apple will acknowledge this problem and issue a High Sierra update? I say NLT next Wednesday, the 11th. Chime in crystal ball gazers!
Oops. Something this obvious made it past all the alpha and beta testing? Is any real testing actually being done, or have software testing tools become so automated that things which are unimportant to a machine (doesn't cause a crash or a buffer overflow) but are important to people being completely overlooked?
QA engineers are brain dead. They would never catch something like this to begin with. They need more security engineers (not the highschool ones with the CERTs but CS/CE with a security background).
You can't extrapolate that from what happened. All you can extrapolate is that either no one reported it or that it was reported but not fixed.
While this is easily fixed, the bigger picture is hackers might be able to just archive this version of Disk Utility and use it into perpetuity to unlock any encrypted drive in the future. Apple actually needs to change the encryption/password mechanism, which has all sorts of compatibility issues. This is a bigger deal than I think people even realize.
Has anyone verified this is only on AFPS volumes? If standard HFS volumes act the same way, this is a huge problem, as they would all have to re-encrypted.
Has anyone verified this is only on AFPS volumes? If standard HFS volumes act the same way, this is a huge problem, as they would all have to re-encrypted.
Last edited:
I'm not saying move Employee A from Animoji or whatever to work on Disk Utility. I'm saying Add (new) Employee C to Employee B who was working on Disk Utility anyway. Or add to internal testing. Or both. They can afford it.
TBF, is it safe to blame QA? I know in some places, they get overruled by management even though they tell them that a release ain't ready yet.
It would be cool if trivia night offered the answer to a question when we ask for a hintDoes showing the password itself as the hint count as a password hint?
Does showing the password itself as the hint count as a password hint?
Exactly, I don't get what all the fuss is about. It does exactly what password hints usually do:
- Provide information so you can recall the password
- Weaken security
Hopefully not the first of many issues with APFS. But it is a new File system so expect some issues.
In other words this person could well be a hacker as it is only hackers who go searching for such exploits.
No denial it is serious but do not lose sight of the bigger picture. macOS is far more secure than Windows will ever be.
The only platform more secure than macOS is Linux and hackers go searching for exploits there too.
I’m not at my machine right now - would be interesting to see if the bug shows itself when logged in as a separate user.
It’s a bug. Should have been caught. It wasn’t.
On the grand scheme of things this isn’t a dealbreaker.
It’ll get sorted. I’m pleased they took a good look at Disk Utility.
F
It’s a bug. Should have been caught. It wasn’t.
On the grand scheme of things this isn’t a dealbreaker.
It’ll get sorted. I’m pleased they took a good look at Disk Utility.
F
Holy ****, why in gods name is it storing the password in plain text?
And for anyone who is saying it doesn't affect many users, not a big deal, bugs happen, blah blah blah: ****. You would be crucifying Google or Microsoft if they did this, and rightfully so. Take off the Apple colored glasses and stop making excuses for them, because there is not a single excuse in the world that can make this okay.
And for anyone who is saying it doesn't affect many users, not a big deal, bugs happen, blah blah blah: ****. You would be crucifying Google or Microsoft if they did this, and rightfully so. Take off the Apple colored glasses and stop making excuses for them, because there is not a single excuse in the world that can make this okay.
Nope.
When you create an encrypted volume with a password and a hint, two "store text" functions are called.
One takes the *password* and does all the nifty encryption stuff to make sure it can't be recovered (and uses it to generate a key or key pair for the actual encryption, etc).
The other one takes the *hint* and stores it as plaintext somewhere so it can be displayed when attempting to decrypt the volume.
Someone made a copy-pasta error (or similar) and accidentally made the "store hint" function store the contents of the password box instead of the hint box.
No huge "all encrypted drives have their password stored as plaintext/Apple sux at crypto" issue here.
A very, very simple mistake, with very, very big consequences for a very small number of people.
It *only* affects people who create an encrypted volume with a hint using Disk Util. It doesn't affect the standard full disk encryption, or volumes created by the command line utility.
Get computer security right is a tough problem. Even so called "security experts" get it wrong every day. Things we thought made sense, such as password expiration times, turn out to be themselves major causes of security issues. Same with requiring "strong" password with Upper lower case, special characters, etc.
[doublepost=1507221200][/doublepost]
That is what the article says.