Apple issued an update for its High Sierra desktop operating system on Thursday.
Called the “macOS High Sierra 10.13 Supplemental Update,” the new update fixes two dangerous bugs in High Sierra, both of which exposed user passwords in some way.
Naked Security has a great technical explanation of the first bug Apple fixed with the High Sierra update. In the simplest of terms, with the bug, if you created a new APFS (Apple File System) encrypted volume on High Sierra, and set anything at all as the password hint, then your password was stored as the hint. In plain text.
That means anyone could’ve gotten your password simply by clicking on the “Show Hint” button.
Interestingly, if you didn’t choose anything as your password hint, you were safe.
The bug did require an attacker to have physical access to one’s encrypted volume, like a drive on your MacBook or a USB stick. But this is not one of those bugs that requires a highly technical exploit: Apple literally handed out your encrypted disk’s password to everyone, with one click of a mouse.
The bug was discovered by security expert Matheus Mariano on Sept. 27, and the collective response it got from experts was one of disbelief.
Tried myself & it’s true: #HighSierra shows the #APFS volume password as hint. Persists reboots, not stored in keychain. Wow. Just wow.
— Felix Schwarz (@felix_schwarz) October 5, 2017
If you have an encrypted APFS volume, check whether your password hint displays your password. If it does, we’ve got more bad news: Fixing this isn’t all that simple.
Per Apple’s official explanation, you need to install the 10.13 High Sierra update from App Store, backup the data from the affected volume, unmount and erase the affected volume, reformat it as new APFS volume, encrypt it, choose a new password (hint optional), and then restore your data to the volume. Ouch.
Additionally, if you used that same password (the one you used for an affected encrypted APFS volume), you should change that as well.
Thursday’s High Sierra update also fixes another nasty High Sierra bug, which we’ve written about in September. That particular issue allowed a malicious attacker to extract all your keychain passwords with an unsigned app.
While we’re glad these bugs are now squashed, we certainly hope we won’t see any such glaring omissions in Apple’s software in the future.