macOS High Sierra’s Disk Utility exposes passwords of encrypted APFS volumes

Brazilian developer Matheus Mariano has discovered a serious security vulnerability in macOS High Sierra that exposes the password of any encrypted APFS volume in plain text.

As noted in Mariano’s Medium post, mounting a previously created encrypted APFS volume in Disk Utility and clicking the Show Hint button reveals the password in plain text.

This is clearly a bug: the button should reveal the password hint, not the encryption password itself.

The problem affects only Macs with SSDs. It’s unclear whether this is a Disk Utility bug or a system-wide vulnerability that could allow the password itself to be uncovered by other means.

“I do not recommend that you update before Apple solves this problem,” Matheus said.

He has reported his findings to Apple and we expect the company to issue a software update as soon as possible to fix this obvious oversight.