macOS High Sierra Vulnerability Exposes Passwords of Encrypted APFS Volumes in Plain Text [UPDATE: Fixed]

Apple, you have a problem. And it’s a big one. A guy named Matheus Mariano appears to have discovered a significant macOS High Sierra vulnerability that exposes the passwords of encrypted Apple File System (APFS) volumes in plain text in Disk Utility: when you create an encrypted APFS volume in Disk Utility and then ask it to show the password hint, it shows the password itself instead of the hint. The article that I linked to will walk you through how to reproduce it, and the fact that it is trivially easy to reproduce shows that Apple truly dropped the ball here. I say that because this is the sort of bug that should never, ever make it out the door. It should have been caught by Apple’s QA department. But clearly that didn’t happen, and here we are talking about it.

The bug has now been reported to Apple, so I wonder how long they will take to fix something this serious. If they are smart, and if they value their credibility, they’ll fix this ASAP.

UPDATE: This appears to have just been fixed via the release of an update from Apple (the macOS High Sierra 10.13 Supplemental Update). High Sierra users should run to Software Update to get this fix. There is also a support document that has been posted that discusses this issue. One caveat: the update stops Disk Utility from leaking the password going forward, but if the hint was already shown to someone, that password has to be treated as compromised and changed. That said, I have to say this is insanely quick work by Apple.

UPDATE #2: Another issue has been fixed in this update. The issue where a malicious third-party app could steal the usernames and passwords of accounts stored in Keychain has been fixed as well. This document has more details and confirms the fix for the APFS issue.


2 Responses to “macOS High Sierra Vulnerability Exposes Passwords of Encrypted APFS Volumes in Plain Text [UPDATE: Fixed]”

  1. […] there was a zero-day bug that was discovered that allowed for password theft. Shortly after that another horrible security hole that Apple had to quickly patch appeared. Both of these flaws should have been caught in […]
