The issue, found in macOS High Sierra, meant that users were shown the volume’s password when they requested a password hint
The issue meant that when a user requested a password hint for certain encrypted volumes the operating system instead displayed the entire password.
Plaintext passwords displayed
The issue was caused by a problem with macOS’ Disk Utility that meant that if a password hint was set when creating an APFS encrypted volume, the utility mistakenly stored the password as the hint, Apple said.
The macOS High Sierra 10.13 Supplemental Update, published only days after the operating system version’s initial release on 25 September, fixes the issue by clearing passwords that were stored as hints and addressing the logic issue that caused the problem, according to Apple.
Only APFS encrypted volumes created using Disk Utility are affected.
But changing the passwords of affected volumes isn’t enough, according to Apple.
“Changing the password on an affected volume clears the hint but doesn’t affect the underlying encryption keys that protect the data,” it said in a support document.
Volumes must be restored
As a result the company advised users to back up the data on affected volumes, then erase and restore them. It provided instructions for doing so in the support document.
In addition to applying the update and restoring the exposed volumes Apple said if the exposed passwords were used on other services they should be changed on those sites.
The issue was reported to Apple by Brazilian developer Matheus Mariano, who produced an online video demonstrating how easy it was to exploit the flaw.
“I do not recommend you to update (to macOS High Sierra) before Apple solves this problem,” Mariano wrote.
Security researcher Graham Cluley praised Apple for producing its patch quickly, but said the problem raised questions about Apple’s security processes.
“Its responsiveness in addressing this issue should be applauded,” Cluley wrote in a research note. “However, that doesn’t change the fact that such a serious bug like this really should have been intercepted during its quality control process, rather than allowed to ship to millions of computers around the world.”
The update also addressed a flaw that could have allowed attackers to bypass the prompt macOS requires users to click on to gain access to stored passwords.
Do you know all about security in 2017? Try our quiz!