Apple Squashes macOS 10.13 High Sierra Bug That Exposed Passwords For Encrypted APFS Volumes
A Brazilian software developer by the name of Matheus Mariano discovered that when adding a new encrypted APFS volume to a container in Disk Utility, you are asked to provide a password and a password hint (in case you manage to forget your login credentials). After going through this process, he unmounted the container, then remounted it, prompting macOS High Sierra to ask for the password.
However, instead of displaying the password hint under the "Hint" field, macOS High Sierra displays your actual password, which of course is a rather epic security fail. On my own 2016 13-inch MacBook Pro, I was able to observe the same behavior (which only seems to be an issue for Macs that are equipped with solid state drives).
Apple has now fixed this macOS 10.13 High Sierra vulnerability with a new Supplemental Update. “If a hint was set in Disk Utility when creating an APFS encrypted volume, the password was stored as the hint,” Apple explains in release notes for the update. “This was addressed by clearing hint storage if the hint was the password, and by improving the logic for storing hints.”
In addition to fixing the Disk Utility exploit, the Supplemental Update also addresses a password keychain vulnerability. "A method existed for applications to bypass the keychain access prompt with a synthetic click," writes Apple. "This was addressed by requiring the user password when prompting for keychain access."
There are other minor issues addressed in the Supplemental Update including improvements to "installer robustness", a fix for a cursor graphic bug in Adobe InDesign and correcting an issue where email messages couldn't be deleted from Yahoo accounts using the macOS Mail app.
Applying the update is as simple as visiting the Mac App Store and using the Software Update function.