
macOS High Sierra shows the password to the encrypted volume instead of a hint



Just over a week ago Apple released macOS High Sierra, which brings the new APFS file system. It took only a couple of days for an unpleasant bug to be found in it, one that amounts to a real vulnerability.

The problem is this: if you create an encrypted APFS volume in Disk Utility with a password and a password hint, then unmount the volume and mount it again, macOS High Sierra shows the password itself in place of the hint.

Brazilian developer Matheus Mariano, who reported the problem, notes that it affects only Macs with SSDs, since High Sierra uses APFS only on those drives. He is surprised that nobody at Apple, neither the engineers nor the testers, noticed such a bug: does nobody there use encrypted volumes with hints?

Other users confirmed the bug: the password really is displayed in clear text on macOS High Sierra 10.13 and on the 10.13.1 beta. The issue was assigned CVE-2017-7149 in the vulnerability database.

If no hint is set when the password is specified, the bug does not show up (there is nowhere to display the password if there is no hint). Creating the volume without Disk Utility also avoids it, because the bug lives in Disk Utility itself: a volume created from the command line gets its hint stored correctly, and the system then displays the hint rather than the password.
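For the command-line path just mentioned, here is an added example (written for this page; it is neither the article's nor Apple's code) of a small POSIX shell wrapper around `diskutil apfs` that creates an encrypted APFS volume with a hint, refuses a hint that would reveal the passphrase, and reads back the hints stored on a volume so you can confirm none of them is the passphrase. It assumes that `diskutil apfs addVolume` accepts `-passprompt` and `-passphraseHint`, that `diskutil apfs listCryptoUsers` prints a `Hint:` line for each disk user, and that `disk1`, `disk1s3` and `Vault` are placeholder container, volume and name values; the `DISKUTIL` variable can be pointed at `echo` for a dry run on a machine without diskutil.

```shell
# Added example, not from the article or from Apple.  Wrapper around `diskutil apfs`
# for creating an encrypted APFS volume with a hint that cannot leak the passphrase.
# Assumed diskutil syntax: addVolume <container> APFS <name> -passprompt -passphraseHint <hint>
# and listCryptoUsers <device> printing "Hint: <text>" lines.  Set DISKUTIL=echo to dry-run.
DISKUTIL="${DISKUTIL:-diskutil}"

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# check_hint HINT PASSPHRASE -> 0 if the hint is acceptable, 1 if it reveals the
# passphrase.  An empty hint is fine: the bug described above only shows up when a
# hint is stored.  Comparison is case-insensitive and rejects a hint that merely
# contains the passphrase, not just one equal to it.
check_hint() {
    h=$(lower "$1"); p=$(lower "$2")
    [ -z "$h" ] && return 0
    [ -z "$p" ] && return 1          # cannot judge a hint against an empty passphrase
    case "$h" in
        *"$p"*) return 1 ;;          # hint equals or contains the passphrase
    esac
    return 0
}

# create_volume CONTAINER NAME HINT
# Reads the passphrase from stdin (silently on a terminal) only to check the hint,
# then lets diskutil prompt for it again (-passprompt) so it never appears in argv,
# `ps` output or shell history.  Typing it twice doubles as the confirmation that the
# Disk Utility dialog's verify field asks for.
create_volume() {
    container=$1; name=$2; hint=$3
    if [ -t 0 ]; then
        printf 'Passphrase for %s (used only for the hint check): ' "$name"
        stty -echo; read -r pass; stty echo; echo
    else
        read -r pass
    fi
    if ! check_hint "$hint" "$pass"; then
        echo "refusing: hint would reveal the passphrase for $name" >&2
        return 1
    fi
    "$DISKUTIL" apfs addVolume "$container" APFS "$name" -passprompt -passphraseHint "$hint"
}

# hints_from_listing: filter `diskutil apfs listCryptoUsers` output (on stdin) down to
# the hint text, one line per hint.  Assumed line format: "    Hint: <text>".
hints_from_listing() {
    sed -n 's/^[| +-]*Hint:[[:space:]]*//p'
}

# volume_hints DEVICE (e.g. disk1s3): print the hints stored for an APFS volume, so
# you can verify after creation that what will be shown to the user is a hint, not
# the passphrase.
volume_hints() {
    "$DISKUTIL" apfs listCryptoUsers "$1" | hints_from_listing
}

# Usage on a Mac (placeholders): create_volume disk1 Vault "first pet"; volume_hints disk1s3
```

A dry run looks like `DISKUTIL=echo create_volume disk1 Vault "first pet"`, which prints the diskutil command instead of running it; the same `check_hint` test could be applied to any tool that stores a hint beside a secret.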


Apple acknowledged the vulnerability and on October 5 published a formal advisory describing how to fix it:

  1. Install the macOS High Sierra 10.13 Supplemental Update from the Updates page of the App Store.
  2. Back up the data on the affected encrypted APFS volume.
  3. Open Disk Utility and select the affected volume.
  4. Click Unmount.
  5. Click Erase.
  6. When asked, enter a name for the volume in the Name field.
  7. Change Format to APFS.
  8. Change Format again, this time to APFS (Encrypted).
  9. Enter the new password in the dialog, enter it again to verify it, and, if you wish, enter a hint for the encrypted APFS volume. Click Choose.
  10. Click Erase. You can watch the progress of the erase.
  11. Click Done when the erase is complete.
  12. Restore the data backed up in step 2 to the new encrypted volume you have just created.

Apple also advises treating the passwords of the old encrypted APFS volumes as compromised and changing them wherever else they were used, both on the computer and in online services.

The fix is also included in the macOS High Sierra installer itself, so anyone who has not yet upgraded receives it with the upgrade and does not need to download the Supplemental Update separately.

Right after CVE-2017-7149 another bug, CVE-2017-7150, was registered in the vulnerability database: an unsigned application can read secrets stored in Keychain, the macOS store for passwords and credentials. The user sees no prompt that the program has accessed Keychain (Wardle demonstrated this in a video), even though an application, even a properly signed one, is normally supposed to obtain the user's permission and password before a secret is handed over. Security researcher Patrick Wardle discovered the vulnerability back in September, but Apple did not manage to fix it before macOS High Sierra shipped.


Many commentators on forums and social networks conclude that Apple clearly needs to hire more qualified testers: even iOS 11 is full of obvious blunders, and five minutes with the same macOS Disk Utility turn up a dozen amateurish mistakes, in what was once one of the best system utilities in OS X. How did it get this bad? Perhaps Apple should release big OS updates less often and spend more time on testing.

Some joke that when the hint was replaced with the password the testers formally saw no error: isn't the password itself the best possible reminder? Everyone knows Apple's operating system is very convenient and user friendly, and here is the proof: if you forget your password, macOS reminds you of it.

Source: https://habr.com/ru/post/370881/

