Brazilian developer Matheus Mariano has discovered a pretty serious security vulnerability in macOS High Sierra which exposes the password of an encrypted APFS volume in plain text.

As noted in Mariano’s Medium post, mounting a previously created encrypted APFS volume in Disk Utility and clicking the Show Hint button reveals the password in plain text.

This is obviously a bug: the button should reveal the password hint, not the actual encryption password.

The problem affects only Macs with an SSD. It’s unclear whether this is a Disk Utility bug or a system-wide vulnerability that could allow the password itself to be uncovered by other means.

“I do not recommend you to update before Apple solve this problem,” Matheus said.

He has reported his findings to Apple and we expect the company to issue a software update as soon as possible to fix this obvious oversight.

  • Mr_Coldharbour

    Still on El Capitan. Had no reason to update, and now seeing this I’m glad I didn’t even fathom the idea of updating. Apple is being rather clumsy and careless with their software updates—first with iOS 11 Wi-Fi and Bluetooth Control Center toggles not actually turning off Wi-Fi and Bluetooth, and now this? They better get their act together, and quick.

    • Wi-Fi and Bluetooth thing in iOS 11 is intentional, it’s not a bug

      • Mr_Coldharbour

        I know but it doesn’t make any sense, not everyone has an Apple Watch or Airpods or Bluetooth devices so why force this pill down our throats?

        It’s also strange because my test iPhone 6 running 11.0.2 doesn’t behave that way. When I turn Wi-Fi and Bluetooth off from CC it actually turns off and doesn’t simply disconnect, unlike my wife’s iPhone 8 Plus, which only seems to disconnect.

    • JaeM1llz

      Do you have an encrypted APFS drive? If not, this wouldn’t affect you. And as Christian already pointed out, the Wi-Fi/Bluetooth toggles were not bugged, they perform exactly as intended.

      • Mr_Coldharbour

        Glad they fixed it but that sort of defeats the purpose of encryption if an encrypted APFS drive saves passwords as plaintext and reveals them thereafter.

        Also, with regard to the Wi-Fi/Bluetooth thing, my test iPhone 6 running 11.0.2 doesn’t behave that way. When I toggle Wi-Fi and Bluetooth off from CC they actually turn off, because when I go back into Settings they are toggled off and not simply disconnected.

    • BooBee

      Agreed! iOS 11 is plagued with bugs and probably the worst initial iOS version in terms of number of bugs on launch. I absolutely love my Apple products but fanboys need to get their heads out their a*@ and be realistic. Since Steve has been gone quality hasn’t declined to the point I’d give up on Apple but it’s had more of a decline than I’d like to admit. :o(

      • Not even remotely. The buggiest initial iOS version has got to be iOS 7. I’ve been an Apple user for two decades and while you make some good points, I don’t think the quality has declined. It’s as it’s ever been, sometimes good, sometimes bad, like a rollercoaster. We’ve had maybe two terrible major iOS releases thus far in terms of bugs, but I don’t see any major bugs in iOS 11 that would break all my apps or make my iPhone very unstable.

    • Well, they have acted quick.

      The fastest fix from Apple I’ve ever seen!

  • iDB, can you do an article on APFS in full detail?

  • Jay

    I can’t help but wonder how it would be if Steve was still here…

    • It’s time to put the “Steve would have never allowed this” argument to rest. Steve is regretfully no longer with us and this is Tim Cook’s Apple.

      • rafa benitez


      • Dang, how could I have forgotten Ping!

      • Jay

        I think you have me confused, Christian. I didn’t say that intending to continue the argument. There is no hidden agenda in what I said. I simply wonder how much different it would have been. Apple was never perfect and never will be. I even dread thinking we might’ve still only had a 3.5–4 inch screen, to be honest, but I can’t help but be curious.