SecurityWeek

Data Protection

macOS High Sierra Leaks APFS Volume Passwords via Hint

A developer from Brazil noticed that the recently launched macOS High Sierra 10.13 operating system leaks the passwords for encrypted Apple File System (APFS) volumes via the password hint.

APFS is a new file system introduced by Apple with macOS High Sierra. When High Sierra is installed on a computer with a solid-state drive (SSD), the startup volume is automatically converted to APFS and users cannot opt out of the transition. APFS promises strong encryption, fast directory sizing, space sharing, and improved file system fundamentals.

Developer Matheus Mariano discovered the password leakage after he used the Disk Utility in High Sierra to add a new encrypted APFS volume to the container. When users add a new volume, they are asked to enter a password and, optionally, write a hint for it.

When the new volume is mounted, the user is asked to enter the password. However, Mariano noticed that if the “Show Hint” button is pressed, the text displayed as the hint is actually the password the user set. The password is not disclosed if the “Password hint” field is left empty when the volume is created, although Apple recommends adding a hint.

“I really don’t know how this went unnoticed by Apple (and anyone else),” Mariano said.

SecurityWeek can confirm that the password for encrypted APFS volumes is leaked via the password hint on High Sierra.

(Screenshot: APFS password leak via hint)

macOS developer Felix Schwarz pointed out that users who have set a hint via the Disk Utility can address the issue by changing the hint using the diskutil command line utility.
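The remediation Schwarz describes, as an added example that is not code from the article, from Apple or from Schwarz: a POSIX shell script that replaces (or clears) an APFS volume's passphrase hint with diskutil, after first checking locally that the replacement hint does not itself give the passphrase away, which is exactly what Disk Utility's hint field was doing. It assumes the `diskutil apfs setPassphraseHint` subcommand with its `-user disk`, `-hint` and `-noHint` options as they appear in the diskutil usage text on macOS 10.13; confirm those names with `diskutil apfs` on the target machine before relying on them. The volume identifier `disk2s1` in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the article, from Apple, or from Felix Schwarz.
# Replaces an APFS volume's passphrase hint after checking that the new hint
# does not reveal the passphrase (the bug described in the article was Disk
# Utility storing the passphrase itself in the hint field).
#
# Assumptions (verify against `diskutil apfs` usage on your macOS build):
#   - `diskutil apfs setPassphraseHint <volume> -user disk -hint <text>`
#     sets the hint for the volume's disk user, and `-noHint` clears it.
#   - VOLUME is the APFS volume's device node, e.g. disk2s1 (placeholder).

# hint_is_safe PASSPHRASE HINT
# Succeeds (0) if HINT may be stored; fails (1) if it would reveal the
# passphrase. An empty hint is always safe. A hint is rejected when it
# contains the whole passphrase, or when the passphrase contains the whole
# hint (a hint like "horse" for "correct horse battery staple"), comparing
# case-insensitively. An empty passphrase rejects every non-empty hint.
hint_is_safe() {
    _pass=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    _hint=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ -z "$_hint" ] && return 0
    # Quoting the variable inside the pattern makes glob characters literal.
    case "$_hint" in *"$_pass"*) return 1 ;; esac
    case "$_pass" in *"$_hint"*) return 1 ;; esac
    return 0
}

# build_hint_cmd VOLUME HINT
# Prints the diskutil command line that set_hint would run, for review only
# (the hint is shown unescaped; set_hint passes it as a single argument).
build_hint_cmd() {
    if [ -z "$2" ]; then
        printf 'diskutil apfs setPassphraseHint %s -user disk -noHint\n' "$1"
    else
        printf 'diskutil apfs setPassphraseHint %s -user disk -hint %s\n' "$1" "$2"
    fi
}

# set_hint VOLUME HINT
# Prompts for the current passphrase with echo off (it is used only for the
# local leak check and is never placed on a command line), validates HINT,
# then applies it with diskutil. Exit status: 0 applied, 1 hint rejected,
# 2 diskutil unavailable (the command that would run is printed instead).
set_hint() {
    _vol=$1
    _newhint=$2
    printf 'Passphrase for %s (local check only): ' "$_vol" >&2
    stty -echo 2>/dev/null
    read -r _pw
    stty echo 2>/dev/null
    echo >&2
    if ! hint_is_safe "$_pw" "$_newhint"; then
        unset _pw
        echo "refusing: the new hint would reveal the passphrase" >&2
        return 1
    fi
    unset _pw
    if ! command -v diskutil >/dev/null 2>&1; then
        echo "diskutil not found; would run: $(build_hint_cmd "$_vol" "$_newhint")" >&2
        return 2
    fi
    if [ -z "$_newhint" ]; then
        diskutil apfs setPassphraseHint "$_vol" -user disk -noHint
    else
        diskutil apfs setPassphraseHint "$_vol" -user disk -hint "$_newhint"
    fi
}

# Usage: set_hint disk2s1 'first street I lived on'   (pass '' to clear the hint)
# Only acts when invoked with arguments, so sourcing the file has no side effects.
if [ "$#" -ge 1 ]; then
    set_hint "$1" "${2-}"
fi
```

Replacing the hint only stops the unlock dialog from continuing to display the passphrase. Because the hint field was showing the real passphrase to anyone who could reach the unlock prompt and press “Show Hint”, a practitioner should treat that passphrase as disclosed and rotate it as well (diskutil's `changePassphrase` subcommand is the command-line route, with the same caveat that its exact options should be checked against the local usage text).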

Mariano said he reported the issue to Apple before making his findings public. He also published a video demonstrating the vulnerability.


SecurityWeek has reached out to Apple for comment and will update this article if the company responds.

This is not the first security hole discovered by researchers in High Sierra. Patrick Wardle, director of research at Synack, reported last month that unsigned apps can steal passwords from the macOS keychain, and that Apple’s new Secure Kernel Extension Loading (SKEL) security feature can be easily bypassed.

UPDATE. Apple told SecurityWeek that an update released on Thursday, October 5, for High Sierra addresses both the APFS password disclosure issue and the keychain vulnerability reported by Wardle.

The company has also published a knowledge base article that provides more guidance to users on the password disclosure bug.

Related: Mac Firmware Updates Are Failing and Leaving Systems Vulnerable

Related: Apple Patches Vulnerabilities in macOS, macOS Server

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
