Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

macOS High Sierra Leaks APFS Volume Passwords via Hint

A developer from Brazil noticed that the recently launched macOS High Sierra 10.13 operating system leaks the passwords for encrypted Apple File System (APFS) volumes via the password hint.

A developer from Brazil noticed that the recently launched macOS High Sierra 10.13 operating system leaks the passwords for encrypted Apple File System (APFS) volumes via the password hint.

APFS is a new file system introduced by Apple with macOS High Sierra. When High Sierra is installed on a computer with a solid-state drive (SSD), the startup volume is automatically converted to APFS and users cannot opt out of the transition. APFS promises strong encryption, fast directory sizing, space sharing, and improved file system fundamentals.

Developer Matheus Mariano discovered the password leakage after he used the Disk Utility in High Sierra to add a new encrypted APFS volume to the container. When users add a new volume, they are asked to enter a password and, optionally, write a hint for it.

When the new volume is mounted, the user is asked to enter the password. However, Mariano noticed that if the “Show Hint” button is pressed, the hint that is displayed is actually the password set by the user. The password is not disclosed if no information is entered into the “Password hint” field when creating a new volume, although Apple recommends adding a hint.

“I really don’t know how this went unnoticed by Apple (and anyone else),” Mariano said.

SecurityWeek can confirm that the password for encrypted APFS volumes is leaked via the password hint on High Sierra.

APFS password leak via hint

macOS developer Felix Schwarz pointed out that users who have set a hint via the Disk Utility can address the issue by changing the hint using the diskutil command line utility.

Mariano said he reported the issue to Apple before making his findings public. He also published a video showing the vulnerability:

SecurityWeek has reached out to Apple for comment and will update this article if the company responds.

This is not the first security hole discovered by researchers in High Sierra. Patrick Wardle, director of research at Synack, reported last month that unsigned apps can steal passwords from the macOS keychain, and that Apple’s new Secure Kernel Extension Loading (SKEL) security feature can be easily bypassed.

UPDATE. Apple told SecurityWeek that an update released on Thursday, October 5, for High Sierra addresses both the APFS password disclosure issue and the keychain vulnerability reported by Wardle.

The company has also published a knowledge base article that provides more guidance to users on the password disclosure bug.

Related: Mac Firmware Updates Are Failing and Leaving Systems Vulnerable

Related: Apple Patches Vulnerabilities in macOS, macOS Server

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.

Register

Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Vulnerabilities

Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.