Disk Utility Bug in macOS High Sierra Exposes Passwords of Encrypted APFS Volumes in Plain Text [Updated]

by

Brazilian software developer Matheus Mariano appears to have discovered a significant Disk Utility bug that exposes the passwords of encrypted Apple File System volumes in plain text on macOS High Sierra.

disk utility password prompt

MacRumors confirmed our test password "dontdisplaythis" appeared as the hint

Mariano added a new encrypted APFS volume to a container, set a password and hint, and unmounted and remounted the container in order to force a password prompt for demonstration purposes. Then, he clicked the "Show Hint" button, which revealed the full password in plain text rather than the hint.

A second video with English system language is embedded below

MacRumors reproduced this behavior on a 2016 MacBook Pro running macOS High Sierra, including versions 10.13 and 10.13.1 beta. German software developer Felix Schwarz also shared a video of the issue on Twitter today.
The issue currently only affects Macs with SSD storage due to Apple File System compatibility, but APFS will eventually support machines with Fusion Drives as well. Schwarz believes users who haven't specified a password hint, or haven't used Disk Utility whatsoever, are probably not affected.

For clarity, this appears to be a bug within Disk Utility itself. When creating an encrypted APFS volume in Terminal with the diskutil command line utility, the actual hint is shown, rather than the password.

Mariano said he has reported the vulnerability to Apple. The company did not immediately respond to our request for a comment on the matter, but we'll update this article if we hear back.

Update: Apple has addressed this bug by releasing a macOS High Sierra 10.13 Supplemental Update, available from the Updates tab in the Mac App Store. Apple has also shared a support document outlining steps to back up, erase, and restore the encrypted APFS volume upon updating.

The bug has also been fixed in the base version of macOS High Sierra for those who have yet to install the full software update.

Tag: APFS
Related Forum: macOS High Sierra

Popular Stories

airpods pro 3 purple

New, Higher End AirPods Pro Coming This Year

Tuesday January 20, 2026 9:05 am PST by
Apple is planning to debut a high-end secondary version of AirPods Pro 3 this year, sitting in the lineup alongside the current model, reports suggest. Back in September 2025, supply chain analyst Ming-Chi Kuo reported that Apple is planning to introduce a successor to the AirPods Pro 3 in 2026. This would be somewhat unusual since Apple normally waits around three years to make major...
Read Full Article107 comments
smaller dynamic island iphone 18 pro Filip Vabrous%CC%8Cek

iPhone 18 Pro Leak: Smaller Dynamic Island, No Top-Left Camera Cutout

Tuesday January 20, 2026 2:34 am PST by
Over the last few months, rumors around the iPhone 18 Pro's front-panel design have been conflicted, with some supply-chain leaks pointing to under-display Face ID, reports suggesting a top-left hole-punch camera, and debate over whether the familiar Dynamic Island will shrink, shift, or disappear entirely. Today, Weibo-based leaker Instant Digital shared new details that appear to clarify the ...
Read Full Article57 comments
iOS 27 Mock Quick

iOS 27 Will Add These 8 New Features to Your iPhone

Sunday January 18, 2026 3:51 pm PST by
iOS 27 is still many months away, but there are already plenty of rumors about new features that will be included in the software update. The first beta of iOS 27 will be released during WWDC 2026 in June, and the update should be released to all users with a compatible iPhone in September. Bloomberg's Mark Gurman said that iOS 27 will be similar to Mac OS X Snow Leopard, in the sense...
Read Full Article107 comments
14 inch MacBook Pro Keyboard

MacBook Pro Buyers Now Facing Up to a Two-Month Wait Ahead of New Models

Sunday January 18, 2026 6:50 pm PST by
MacBook Pro availability is tightening on Apple's online store, with select configurations facing up to a two-month delivery timeframe in the United States. A few 14-inch and 16-inch MacBook Pro configurations with an M4 Pro chip are not facing any shipping delay, but estimated delivery dates for many configurations with an M4 Max chip range from February 6 to February 24 or even later. At...
Read Full Article87 comments
Apple Logo Spotlight

Apple Expected to Unveil Five All-New Products This Year

Wednesday January 21, 2026 10:54 am PST by
In addition to updating many of its existing products, Apple is expected to unveil five all-new products this year, including a smart home hub, a Face ID doorbell, a MacBook with an A18 Pro chip, a foldable iPhone, and augmented reality glasses. Below, we have recapped rumored features for each product. Smart Home Hub Apple home hub (concept) Apple's long-rumored smart home hub should...
Read Full Article63 comments

Top Rated Comments

masotime Avatar
masotime
108 months ago
Apple seriously needs to start hiring better QA engineers....
Score: 49 Votes (Like | Disagree)
IPPlanMan Avatar
IPPlanMan
108 months ago
But we need to have animated emoji faces...
Score: 26 Votes (Like | Disagree)
MasterMac Avatar
MasterMac
108 months ago
Does showing the password itself as the hint count as a password hint? ;)
Score: 23 Votes (Like | Disagree)
Frosties Avatar
Frosties
108 months ago
Thank you for the laugh. Great alpha software.
Score: 20 Votes (Like | Disagree)
smaffei Avatar
smaffei
108 months ago
Apple seriously needs to start hiring better QA engineers....
Yes, there some HUGE problems with Apple QA these days.

iOS 11 is riddled with obvious bugs. I just got one about 10 minutes ago. Was just deleting a few voicemails (swipe delete) and the Phone App crashed. Then there is a very reproducible Messages bug where the keyboard obscures the last few messages and you can't get to them. Real rinky-dink stuff that should be caught.

I'm starting to think that Apple is relying too much on the Beta process to collect bugs instead of having robust internal QA.
Score: 18 Votes (Like | Disagree)
RMo Avatar
RMo
108 months ago
To be clear, the linked Twitter thread ('https://twitter.com/felix_schwarz/status/915851372217683970/video/1') suggests that this is a Disk Utility bug, where if you create a password-protected volume in Disk Utility it inadvertently sets the hint to the password itself. It's not a bug that allows the password itself to be uncovered via other means, which is what I originally thought this meant and which was surprising to me since the only way to do that should be computationally expensive brute-force methods (the data itself is encrypted with the password; it's not just artificially protected by one, and it shouldn't be possible to "reverse lookup" the password by any true means).
Score: 17 Votes (Like | Disagree)
Read All Comments