Brazilian developer Matheus Mariano has discovered a pretty serious security vulnerability in macOS High Sierra that exposes the password of any encrypted APFS volume in plain text.

As noted in Mariano’s Medium post, mounting a previously created encrypted APFS volume in Disk Utility and clicking the Show Hint button reveals the password itself in plain text.

This is clearly a bug: the button is supposed to reveal the password hint, not the actual encryption password.

The problem affects only Macs with an SSD. It’s unclear whether this is a Disk Utility bug or a system-wide vulnerability that could allow the password to be recovered by other means as well.

“I do not recommend you to update before Apple solves this problem,” Matheus said.

He has reported his findings to Apple and we expect the company to issue a software update as soon as possible to fix this obvious oversight.