
Apple Fixes MacOS Bug That Displayed Encrypted Disk Passwords

Apple has released a fix for a bug in its two-week-old macOS High Sierra operating system that could have allowed anyone to gain access to encrypted hard disk volumes.

The bug meant that when a user requested the password hint for certain encrypted volumes, the operating system displayed the entire password instead.

Plaintext passwords displayed

The issue was caused by a flaw in macOS’ Disk Utility: if a password hint was set when creating an APFS encrypted volume, the utility mistakenly stored the password itself as the hint, Apple said.

The macOS High Sierra 10.13 Supplemental Update, published only days after the operating system version’s initial release on 25 September, fixes the issue by clearing passwords that were stored as hints and addressing the logic issue that caused the problem, according to Apple.

Image credit: Matheus Mariano

Only APFS encrypted volumes created using Disk Utility are affected.

But changing the passwords of affected volumes isn’t enough, according to Apple.

“Changing the password on an affected volume clears the hint but doesn’t affect the underlying encryption keys that protect the data,” it said in a support document.


Volumes must be restored

As a result, the company advised users to back up the data on affected volumes, then erase and restore them. It provided instructions for doing so in the support document.

In addition to applying the update and restoring the exposed volumes, Apple said that if an exposed password was also used on other services, it should be changed on those sites too.
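Apple’s advice that a password change is not enough follows from how passphrase-protected volumes are usually built: the data is encrypted under a random volume key, and the password only wraps that key. The following is an added example, not Apple’s or APFS’s code, and uses a simplified, stdlib-only model (PBKDF2 for the key derivation, HMAC-based toy ciphers in place of AES) to show why changing the password leaves an already-leaked volume key usable, why erasing and restoring does not, and how a hint field can be validated so that it never carries the password. All names, keys and sample data below are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Added example (not Apple's code): simplified model of passphrase-wrapped
# volume encryption. Data is encrypted under a random volume encryption key
# (VEK); the VEK is wrapped by a key-encryption key (KEK) derived from the
# user's password. The stream cipher and key wrap here are HMAC-based toys
# standing in for the real AES-based primitives.

PBKDF2_ROUNDS = 100_000


def derive_kek(password: str, salt: bytes) -> bytes:
    """Derive a 32-byte KEK from the password with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS, dklen=32)


def _keystream(key: bytes, label: bytes, length: int) -> bytes:
    """HMAC counter-mode keystream (toy construction for the example only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, label + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, key: bytes, label: bytes) -> bytes:
    """Encrypt/decrypt by XOR with the keystream (symmetric)."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, label, len(data))))


@dataclass
class Volume:
    salt: bytes
    wrapped_vek: bytes
    wrap_tag: bytes      # HMAC over the wrapped VEK, so a wrong password is detected
    hint: str
    ciphertext: bytes


def _wrap(vek: bytes, password: str) -> tuple:
    salt = os.urandom(16)
    kek = derive_kek(password, salt)
    wrapped = _xor(vek, kek, b"wrap")
    tag = hmac.new(kek, wrapped, "sha256").digest()
    return salt, wrapped, tag


def create_volume(password: str, hint: str, data: bytes) -> Volume:
    # Defensive check mirroring the flaw in the article: the hint must never
    # contain the password. (Constructed check, not Apple's.)
    if password and password in hint:
        raise ValueError("hint must not contain the volume password")
    vek = os.urandom(32)                     # fresh data key per volume
    salt, wrapped, tag = _wrap(vek, password)
    return Volume(salt, wrapped, tag, hint, _xor(data, vek, b"data"))


def unwrap_vek(vol: Volume, password: str) -> bytes:
    """Recover the VEK; raises if the password does not verify."""
    kek = derive_kek(password, vol.salt)
    expected = hmac.new(kek, vol.wrapped_vek, "sha256").digest()
    if not hmac.compare_digest(expected, vol.wrap_tag):
        raise PermissionError("wrong password")
    return _xor(vol.wrapped_vek, kek, b"wrap")


def decrypt_with_vek(vol: Volume, vek: bytes) -> bytes:
    return _xor(vol.ciphertext, vek, b"data")


def change_password(vol: Volume, old: str, new: str) -> Volume:
    """Re-wrap the SAME VEK under a new KEK; the data key is unchanged."""
    vek = unwrap_vek(vol, old)
    salt, wrapped, tag = _wrap(vek, new)
    return Volume(salt, wrapped, tag, "", vol.ciphertext)   # hint cleared


def erase_and_restore(password: str, backup: bytes) -> Volume:
    """Apple's remediation in the model: a new volume gets a new VEK."""
    return create_volume(password, "", backup)


def demo() -> dict:
    data = b"constructed sample file contents"
    vol = create_volume("correct horse", "favourite animal", data)
    # What an exposed password gives away in this model: the volume key itself.
    leaked_vek = unwrap_vek(vol, "correct horse")
    vol2 = change_password(vol, "correct horse", "new password")
    try:
        unwrap_vek(vol2, "correct horse")
        old_pw_ok = True
    except PermissionError:
        old_pw_ok = False
    vol3 = erase_and_restore("new password", data)
    return {
        "old_password_works_after_change": old_pw_ok,
        "leaked_vek_decrypts_after_change": decrypt_with_vek(vol2, leaked_vek) == data,
        "leaked_vek_decrypts_after_restore": decrypt_with_vek(vol3, leaked_vek) == data,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the three outcomes the article implies: after a password change the old password no longer unwraps the volume, but a volume key obtained while the password was exposed still decrypts the data, and only erasing and restoring (a new volume key) defeats it.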

The issue was reported to Apple by Brazilian developer Matheus Mariano, who produced an online video demonstrating how easy it was to exploit the flaw.

“I do not recommend you to update (to macOS High Sierra) before Apple solves this problem,” Mariano wrote.

Security researcher Graham Cluley praised Apple for producing its patch quickly, but said the problem raised questions about Apple’s security processes.

“Its responsiveness in addressing this issue should be applauded,” Cluley wrote in a research note. “However, that doesn’t change the fact that such a serious bug like this really should have been intercepted during its quality control process, rather than allowed to ship to millions of computers around the world.”

The update also addressed a flaw that could have allowed attackers to bypass the prompt that macOS requires users to click on before granting access to stored passwords.


Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications
