Dumb bug of the week: Apple's macOS reveals your encrypted drive's password in the hint box

High Sierra update derided by devs as half-baked

Video Apple on Thursday released a security patch for macOS High Sierra 10.13 to address vulnerabilities in Apple File System (APFS) volumes and its Keychain software.

Matheus Mariano, a developer with Brazil-based Leet Tech, documented the APFS flaw in a blog post a week ago, and it has since been reproduced by another programmer, Felix Schwartz.

The bug (CVE-2017-7149) undoes the protection afforded to encrypted volumes under the new Apple File System (APFS).

The problem becomes apparent when you create an encrypted APFS volume on a Mac with an SSD using Apple's Disk Utility app. After setting up a password hint, invoking the password hint mechanism during an attempt to remount the volume will display the actual password in plaintext rather than the hint.

Here's a video demonstrating the programming cockup:

Youtube Video

Apple acknowledged the flaw in its patch release notes: "If a hint was set in Disk Utility when creating an APFS encrypted volume, the password was stored as the hint. This was addressed by clearing hint storage if the hint was the password, and by improving the logic for storing hints."

The Keychain flaw (CVE-2017-7150) was identified last week by Patrick Wardle, from infosec biz Synack. It allowed unsigned apps to access sensitive data stored in Keychain.

"It becomes clearer every day that Apple shipped #APFS way too early," wrote Schwartz in a tweet on Thursday.

Other coders have said as much. Shortly after Apple released the High Sierra upgrade, aka macOS 10.13, in late September, Brian Lopez, an engineering manager at GitHub, mused via Twitter, "Legitimately wondering of Apple accidentally shipped a pre-release version of High Sierra. So much of it is unfinished and unpolished."

Marco Arment, another developer, suggested Apple's focus on iOS has hurt its quality control elsewhere. "The biggest problem with Apple putting less effort into macOS isn't that it stagnates — it's that they make buggier, sloppier updates," he wrote via Twitter on Thursday.

Asked to comment, an Apple spokesperson directed The Register to its published security update notification and an accompanying knowledge base article. ®

Sponsored: The Joy and Pain of Buying IT - Have Your Say


Biting the hand that feeds IT © 1998–2017