Disk Utility Bug in macOS High Sierra Exposes Passwords of Encrypted APFS Volumes in Plain Text [Updated]

[tkermit]

It seemed to affect only some of my volumes. As a first task I made sure to clear all my password hints. Hopefully this will already suffice. I.e. find out the volume identifier of affected disks, disk3s2 in this case, and run:

diskutil apfs setPassphraseHint disk3s2 -user disk -clear

 

[cppguy]

It makes me angry when they're not testing absolutely standard scenario like this. They haven't even tried the software once! Not even to see if it works. It's like no QA at all. I understand complex bugs can be missed, but not testing basic features is why I trust Apple less and less every year.

 

[belvdr]

More than an disk utility bug. Both the hint and password should be encrypted before being stored with separate keys. This prevents a piece of code from getting the hint in clear text. The key to decrypt the hint should be something else the user has to know.

A hint for the hint? Encrypting the hint seems excessive; the hint should help the user remember, not help others to decipher.

It is just a bug in Disk Utility; it doesn't happen when using the Terminal.

Hopefully not the first of many issues with APFS. But it is a new File system so expect some issues.

And not an APFS issue either.

 

[Jmacca]

If you create a encrypted image in Disk Utility without a password hint, it works as before. No problems!

 

[Macula]

Did Apple hire some ex-Windows programmers?

I'm afraid it's the other way around, Windows hired Apple's ex-.

 

[BornAgainMac]

Somewhere in the world, this may have actually helped someone out that forgot their password.

 

[truethug]

Yes, there some HUGE problems with Apple QA these days.

iOS 11 is riddled with obvious bugs. I just got one about 10 minutes ago. Was just deleting a few voicemails (swipe delete) and the Phone App crashed. Then there is a very reproducible Messages bug where the keyboard obscures the last few messages and you can't get to them. Real rinky-dink stuff that should be caught.

I'm starting to think that Apple is relying too much on the Beta process to collect bugs instead of having robust internal QA.

I have seen both of these iOS 11 bugs today on iOS 11.1

 

[jclardy]

Well, that seems like a bug that should've been caught by an automated test.

 

[blackcrayon]

If you create a encrypted image in Disk Utility without a password hint, it works as before. No problems!

Of course. If you don't create a hint, it has nothing to try to display.

(I guess it's possible it could've been so broken that it created a hint anyway with your password text )

 

[ArtOfWarfare]

Interesting thing is that if there is no password hint this will not happen? (Based off the article)

I'm going to guess this is because there's a function that takes positional arguments instead of named arguments that look something like this:

encrypt(String volume, String hint, String password)
encrypt(String volume, String password)

And someone instead called it with

if (hint) {
    encrypt(volume, password, hint);  // The bug is here, should have been hint then password
else {
    encrypt(volume, password);
}

Although... in that case, I'd think you'd have to actually enter your hint to decrypt instead of your password...

Edit: Somebody decompiled the patch and found the actual bug. You can read their full post here:
https://cocoaengineering.com/2017/1...ng-macos-high-sierra-supplemental-update/amp/

But basically the bug is this:

optionsDictionary[kSKAPFSDiskPasswordOption] = password;
optionsDictionary[kSKAPFSDiskPasswordHintOption] = password;

Somebody copy and pasted the first line of code and correctly changed the key being set, but not the value being set.

I'd say the issue is that they're working in a crappy, extraordinarily verbose language. I consider copy and paste when programming to be a sin. There's some abstraction that is being left out.

Credit to rshrugged for sharing that blog post with me here:
https://forums.macrumors.com/thread...ain-text-updated.2075405/page-7#post-25197367

 

[jonnysods]

I have to say that's a pretty strong hint. Shouldn't be too hard to remember your password when its there plain as day...!

 

[ApfelKuchen]

I also see all the usual critics here, to tell us that it's the end of the world.

I know, there's a tendency for people to want to live within the bubble of a single viewpoint. It's very comforting to have the illusion that you're part of a huge majority. However, if we're to have something resembling a free society, there has to be something more than a single point of view. We need to be exposed to different viewpoints.

 

[Soba]

My vote is for Apple to stop thinking they have to release a new OS every single year. How about 2 years since that’s about how long it takes for a new OS to be relatively (I said relatively) bug-free and stable.

I do not understand why they launch everything all at one time. It's not only excessive and unnecessary, but they would probably net more publicity if they spaced things out.

After the very public MobileMe launch failure in 2008, Steve Jobs angrily chewed out the team, but later issued a mea culpa.

"'It was a mistake to launch MobileMe at the same time as iPhone 3G, iPhone 2.0 software and the App Store,' Jobs writes in an email to Apple employees. 'We all had more than enough to do, and MobileMe could have been delayed without consequence.'"

https://www.cultofmac.com/495868/today-in-apple-history-steve-jobs-acknowledges-mobileme-failure/

"We all had more than enough to do." Trying to polish and debug two highly complex OSes while prepping multiple hardware launches is insane.

 

[adrianlondon]

I have to say that's a pretty strong hint. Shouldn't be too hard to remember your password when its there plain as day...!

And if one did still forget, just watch your youtube video of it being set!

 

[JosephAW]

Apple calls this "A Feature!"
I wonder if this exists in iOS 11?
Shhhhh, don't let the govmnt know about this.

 

[Amazing Iceman]

Apple seriously needs to start hiring better QA engineers....

QA Engineers? It's us!

 

[weup togo]

QA engineers are brain dead. They would never catch something like this to begin with. They need more security engineers (not the highschool ones with the CERTs but CS/CE with a security background).

You have obviously never been involved in professional QA. This is precisely the sort of scenario that proper QA would map out. A bug like this is far more likely to be found by a QA guy than a Security Expert, because it's just straight workflow and expected vs. actual results.

 

[sbailey4]

Obviously not. Seems none of the beta testers (including developers and public beta testers) bothered to try this or report an issue.

You assume it was not reported rather than Apple just simply didn't address it yet? Same with iOS 11.0. Issues reported multiple times from beta 1-10 and same issues still exist in 11.0 release, 11.0.1, 11.0.2 and 11.1 beta 1.

 

[SoyCapitanSoyCapitan]

Brazilian software developer Matheus Mariano appears to have discovered a significant macOS High Sierra vulnerability that exposes the passwords of encrypted Apple File System volumes in plain text in Disk Utility.

MacRumors confirmed our test password "dontdisplaythis" appeared as the hint​

Mariano added a new encrypted APFS volume to a container, set a password and hint, and unmounted and remounted the container in order to force a password prompt for demonstration purposes. Then, he clicked the "Show Hint" button, which revealed the full password in plain text rather than the hint.

A second video with English system language is embedded below​

MacRumors reproduced this behavior on a 2016 MacBook Pro running macOS High Sierra, including versions 10.13 and 10.13.1 beta. German software developer Felix Schwarz also shared a video of the issue on Twitter today.

Tried myself & it's true: #HighSierra shows the #APFS volume password as hint. Persists reboots, not stored in keychain. Wow. Just wow. pic.twitter.com/FkcHI9KHl9— Felix Schwarz (@felix_schwarz) October 5, 2017​

The issue currently only affects Macs with SSD storage due to Apple File System compatibility, but APFS will eventually support machines with Fusion Drives as well. Schwarz believes users who haven't specified a password hint, or haven't used Disk Utility whatsoever, are probably not affected.

For clarity, this appears to be a bug within Disk Utility itself. When creating an encrypted APFS volume in Terminal with the diskutil command line utility, the actual hint is shown, rather than the password.

Mariano said he has reported the vulnerability to Apple. The company did not immediately respond to our request for a comment on the matter, but we'll update this article if we hear back.

(Thanks, Marcus!)

Article Link: New macOS High Sierra Vulnerability Exposes Passwords of Encrypted APFS Volumes in Plain Text

Incredible how billions of dollars and years of development results in this

 

[gweedo]

Yes, there some HUGE problems with Apple QA these days.

iOS 11 is riddled with obvious bugs. I just got one about 10 minutes ago. Was just deleting a few voicemails (swipe delete) and the Phone App crashed. Then there is a very reproducible Messages bug where the keyboard obscures the last few messages and you can't get to them. Real rinky-dink stuff that should be caught.

I'm starting to think that Apple is relying too much on the Beta process to collect bugs instead of having robust internal QA.

I wonder if any of this is tied to rewriting applications and utilities to use swift? That is not a small change, and effectively starts over the entire testing/debugging process for an app.

 

[weup togo]

I do not understand why they launch everything all at one time. It's not only excessive and unnecessary, but they would probably net more publicity if they spaced things out.

After the very public MobileMe launch failure in 2008, Steve Jobs angrily chewed out the team, but later issued a mea culpa.

"'It was a mistake to launch MobileMe at the same time as iPhone 3G, iPhone 2.0 software and the App Store,' Jobs writes in an email to Apple employees. 'We all had more than enough to do, and MobileMe could have been delayed without consequence.'"

https://www.cultofmac.com/495868/today-in-apple-history-steve-jobs-acknowledges-mobileme-failure/

"We all had more than enough to do." Trying to polish and debug two highly complex OSes while prepping multiple hardware launches is insane.

Two reasons:
1) There are always a ton of Major security issues resolved in common code across both OSes. Releasing at different times would involve either qualifying what are often signficant architectural changes for both 10.12 and a later 10.13, or else permitting a patch gap where attackers reverse-engineer the fixes in iOS to craft exploits against macOS.

2) There are frequently cross-platform features like iCloud and AirDrop that require lock-step changes, often in server-side components. There have been releases in the past where certain features DID NOT WORK on all of your devices until you had updated every one of them to the new major update.

The second is sometimes an issue depending on the OS feature set. The first is always an issue for every single release. These are not easy choices.

 

[kemal]

It's not the mistake but how you deal with it. This time it IS the mistake. The fik should be out in minutes, too.

 

[MrGuder]

I won't be upgrading until I hear less and less of these High Sierra critical vuneralbilities.

 

[randyhudson]

Macrumors seems to be using the same QA team as Apple.

If MR knew even the basics of file system encryption, they would know that encrypted Apple File System volumes do not contain the password, neither in its original form or a form that can be [easily] reverted to the original. All that has happened here is disk utility is storing the password as the hint.

This is a bug in one application, not a vulnerability in the OS.

 

[Applebot1]

I agree with all about Quality control especially since it takes Apple forever to release anything.

You pay a premium for Apple products so expect premium standards.

Simply not good enough ...Tim