2017-10-05
Apple Addresses a Bug That Caused Disk Utility in macOS High Sierra To Expose Passwords of Encrypted APFS Volumes (macrumors.com)
Joe Rossignol, writing for MacRumors: Brazilian software developer Matheus Mariano appears to have discovered a significant Disk Utility bug that exposes the passwords of encrypted Apple File System volumes in plain text on macOS High Sierra. Mariano added a new encrypted APFS volume to a container, set a password and hint, and unmounted and remounted the container in order to force a password prompt for demonstration purposes. Then, he clicked the "Show Hint" button, which revealed the full password in plain text rather than the hint. [...] Apple has addressed this bug by releasing a macOS High Sierra 10.13 Supplemental Update, available from the Updates tab in the Mac App Store.
The bug is in Disk Utility GUI volume creation (Score:3)
When creating a new volume, it apparently puts the password into the password hints field.
If you create a new volume using command-line tools, things are fine.
The encryption is still OK; this bug just leaves the key to the front door under the mat.
Which is still appalling.
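A defender's check for the defect discussed in this post, as an added example that is neither Apple's nor Disk Utility's code: `hint_leaks_passphrase`, `create_encrypted_volume`, `buggy_create_encrypted_volume` and `hint_unlocks_volume` are hypothetical names, the in-memory `CONTAINER` stands in for APFS volume metadata, and PBKDF2 stands in for the real key-wrapping step.

```python
"""Added example (not Apple's code): the check a volume-creation front end should
run before persisting a plaintext hint, plus an audit for the High Sierra defect."""
import difflib
import hashlib
import hmac
import os
import unicodedata

CONTAINER: dict = {}  # constructed in-memory stand-in for APFS volume metadata


def _normalize(s: str) -> str:
    """Fold case and Unicode form so trivially disguised copies still match."""
    return unicodedata.normalize("NFKC", s).casefold().strip()


def hint_leaks_passphrase(hint: str, passphrase: str, max_ratio: float = 0.8) -> bool:
    """True if storing this hint in plaintext would give the passphrase away."""
    h, p = _normalize(hint), _normalize(passphrase)
    if not h:
        return False  # an empty hint reveals nothing
    if p in h:
        return True  # hint equals or contains the passphrase
    # Near-copies ("p@ssw0rd" vs "p@ssw0rd!") are caught by a similarity ratio.
    return difflib.SequenceMatcher(None, h, p).ratio() >= max_ratio


def _derive(passphrase: str, salt: bytes) -> bytes:
    """Stand-in for the real key-wrapping step; the passphrase itself is never kept."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)


def create_encrypted_volume(name: str, passphrase: str, hint: str) -> dict:
    """Hardened path: the hint is validated before anything is written."""
    if hint_leaks_passphrase(hint, passphrase):
        raise ValueError("hint would disclose the passphrase; refusing to store it")
    salt = os.urandom(16)
    CONTAINER[name] = {"salt": salt, "kek": _derive(passphrase, salt), "hint": hint}
    return CONTAINER[name]


def buggy_create_encrypted_volume(name: str, passphrase: str, hint: str) -> dict:
    """The defect the article describes: the wrong field ends up in 'hint'."""
    rec = create_encrypted_volume(name, passphrase, hint)
    rec["hint"] = passphrase  # copy-the-wrong-field bug, kept on purpose
    return rec


def hint_unlocks_volume(name: str) -> bool:
    """Audit: a stored hint that unlocks the volume is the bug's footprint."""
    rec = CONTAINER[name]
    return hmac.compare_digest(_derive(rec["hint"], rec["salt"]), rec["kek"])
```

The audit function is the part worth reusing: if the hint, tried as the passphrase, unlocks the volume, that volume was created through the defective path and needs its passphrase changed.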
Re: (Score:1)
How is it able to show the plain text password to begin with? Sounds like the password isn't hashed or encrypted itself to begin with and stored as plaintext somewhere. The system shouldn't know what the password is.
Re: (Score:3)
When creating a new volume, [the Disk Utility GUI] apparently puts the password into the password hints field.
A hint needs to be plaintext to read it later, the error was the utility saving the *password*, not the *hint*, in the hint field.
Re: The bug is in Disk Utility GUI volume creation (Score:2)
Not necessarily true: if you want the system to be able to mount a volume without user intervention (or boot from it), it must know the whole password, a hash is not enough for decryption. Of course the password should be properly encrypted with a not easily accessible system-level key.
Get a proper computer (Score:2)
Get a proper computer instead of a fashion accessory, you feckless nonces.
"It just works", ROFLMA.
Re: (Score:2)
It doesn't need to exist. They just copied the wrong field when they saved the hint.