Disk Utility Bug in macOS High Sierra Exposes Passwords of Encrypted APFS Volumes in Plain Text [Updated]

by

Brazilian software developer Matheus Mariano appears to have discovered a significant Disk Utility bug that exposes the passwords of encrypted Apple File System volumes in plain text on macOS High Sierra.

disk utility password prompt

MacRumors confirmed our test password "dontdisplaythis" appeared as the hint

Mariano added a new encrypted APFS volume to a container, set a password and hint, and unmounted and remounted the container in order to force a password prompt for demonstration purposes. Then, he clicked the "Show Hint" button, which revealed the full password in plain text rather than the hint.

A second video with English system language is embedded below

MacRumors reproduced this behavior on a 2016 MacBook Pro running macOS High Sierra, including versions 10.13 and 10.13.1 beta. German software developer Felix Schwarz also shared a video of the issue on Twitter today.
The issue currently only affects Macs with SSD storage due to Apple File System compatibility, but APFS will eventually support machines with Fusion Drives as well. Schwarz believes users who haven't specified a password hint, or haven't used Disk Utility whatsoever, are probably not affected.

For clarity, this appears to be a bug within Disk Utility itself. When creating an encrypted APFS volume in Terminal with the diskutil command line utility, the actual hint is shown, rather than the password.

Mariano said he has reported the vulnerability to Apple. The company did not immediately respond to our request for a comment on the matter, but we'll update this article if we hear back.

Update: Apple has addressed this bug by releasing a macOS High Sierra 10.13 Supplemental Update, available from the Updates tab in the Mac App Store. Apple has also shared a support document outlining steps to back up, erase, and restore the encrypted APFS volume upon updating.

The bug has also been fixed in the base version of macOS High Sierra for those who have yet to install the full software update.

Tag: APFS
Related Forum: macOS High Sierra

Popular Stories

M4 Mac Mini Feature

M4 Mac Mini to Become Apple's Smallest Ever Computer With Complete Redesign

Thursday August 8, 2024 8:29 am PDT by
Apple is planning to debut completely redesigned Mac mini models with the M4 and M4 Pro chips later this year, Bloomberg's Mark Gurman reports. The new Mac mini will be the first major design change to the machine since 2010, making it Apple's smallest ever desktop computer. The new Mac mini will apparently approach the size of an Apple TV, but it may be slightly taller than the current...
Read Full Article431 comments
iOS 18 on iPhone Feature

Everything New in iOS 18 Beta 5

Monday August 5, 2024 2:18 pm PDT by
With the fifth beta of iOS 18 that came out today, Apple added some notable new features, even though it's getting later in the beta testing process. There are design updates to the Photos app and a whole new Safari option, along with several smaller changes. Photos App Changes Apple responded to tester feedback about the Photos app, and there have been some changes to streamline the...
Read Full Article39 comments
Generic iOS 18 Public Beta Feature Real Mock

Apple Releases Third iOS 18 and iPadOS 18 Public Betas

Tuesday August 6, 2024 10:07 am PDT by
Apple today provided the third betas of iOS 18 and iPadOS 18 to public beta testers, bringing the new software to the general public. The third public beta comes a week after Apple released the second public beta. Public beta testers who have signed up for Apple's beta testing program can download the iOS 18 and iPadOS 18 updates by opening up the Settings app, going to General, tapping into ...
Read Full Article33 comments
Beyond iPhone 13 Better Blue Face ID Single Camera Hole

10 Reasons to Wait for Next Year's iPhone 17

Thursday August 8, 2024 4:40 am PDT by
Apple's iPhone development roadmap runs several years into the future and the company is continually working with suppliers on several successive iPhone models simultaneously, which is why we sometimes get rumored feature leaks so far ahead of launch. The iPhone 17 series is no different – already we have some idea of what to expect from Apple's 2025 smartphone lineup. If you plan to skip...
Read Full Article164 comments
macos sonoma feature purple green

Apple Releases macOS Sonoma 14.6.1 With Bug Fixes

Wednesday August 7, 2024 10:42 am PDT by
Apple today released macOS Sonoma 14.6.1, a minor update to the macOS Sonoma operating system that Apple launched last year. macOS Sonoma 14.6.1 comes a week after the release of macOS Sonoma 14.6, an update that added security fixes. The macOS Sonoma 14.6.1 update can be downloaded for free on eligible Macs by opening up System Settings and going to the Software Update section. Apple has...
Read Full Article78 comments
maxresdefault

Gurman: M4 MacBook Pro, Mac Mini, and iMac Coming This Year

Monday August 5, 2024 2:29 am PDT by
Apple will update its MacBook Pro, Mac mini, and iMac lines with its latest M4 chip later this year, according to Bloomberg reporter Mark Gurman. Subscribe to the MacRumors YouTube channel for more videos. Writing in his latest Power On newsletter, Gurman said Apple is preparing to upgrade every Mac to the new Apple silicon processor generation. Following the launch of the M4 iPad Pro in May, ...
Read Full Article226 comments

Top Rated Comments

masotime Avatar
masotime
89 months ago
Apple seriously needs to start hiring better QA engineers....
Score: 49 Votes (Like | Disagree)
IPPlanMan Avatar
IPPlanMan
89 months ago
But we need to have animated emoji faces...
Score: 26 Votes (Like | Disagree)
MasterMac Avatar
MasterMac
89 months ago
Does showing the password itself as the hint count as a password hint? ;)
Score: 23 Votes (Like | Disagree)
Frosties Avatar
Frosties
89 months ago
Thank you for the laugh. Great alpha software.
Score: 20 Votes (Like | Disagree)
smaffei Avatar
smaffei
89 months ago
Apple seriously needs to start hiring better QA engineers....
Yes, there some HUGE problems with Apple QA these days.

iOS 11 is riddled with obvious bugs. I just got one about 10 minutes ago. Was just deleting a few voicemails (swipe delete) and the Phone App crashed. Then there is a very reproducible Messages bug where the keyboard obscures the last few messages and you can't get to them. Real rinky-dink stuff that should be caught.

I'm starting to think that Apple is relying too much on the Beta process to collect bugs instead of having robust internal QA.
Score: 18 Votes (Like | Disagree)
RMo Avatar
RMo
89 months ago
To be clear, the linked Twitter thread ('https://twitter.com/felix_schwarz/status/915851372217683970/video/1') suggests that this is a Disk Utility bug, where if you create a password-protected volume in Disk Utility it inadvertently sets the hint to the password itself. It's not a bug that allows the password itself to be uncovered via other means, which is what I originally thought this meant and which was surprising to me since the only way to do that should be computationally expensive brute-force methods (the data itself is encrypted with the password; it's not just artificially protected by one, and it shouldn't be possible to "reverse lookup" the password by any true means).
Score: 17 Votes (Like | Disagree)
Read All Comments