Apple rushed out an emergency patch Thursday to fix an unbelievable bug in its shiny new High Sierra operating system, one that revealed APFS volume passwords via the password hint feature.
Brazilian researcher Matheus Mariano of Leet Tech found the bug and privately disclosed it to Apple. He said that upon creation of an encrypted container in APFS—Apple’s new file system in High Sierra—the password guarding it is stored in plaintext in the password hint.
Mariano explained in a post how he found the bug (CVE-2017-7149) while adding a new encrypted volume to the APFS container. He created a new password and entered a hint into the field. He mounted the new container and, upon clicking the password hint, his newly created password was revealed instead. Mariano said the issue affects only Macs with solid state drives.
“If a hint was set in Disk Utility when creating an APFS encrypted volume, the password was stored as the hint,” Apple said in its advisory. “This was addressed by clearing hint storage if the hint was the password, and by improving the logic for storing hints.”