Skip to main content

Apple macOS High Sierra Bug Exposes Passwords of Encrypted APFS Volumes As Hint


A severe programming error has been discovered in Apple's latest macOS High Sierra 10.13 that exposes passwords of encrypted Apple File System (APFS) volumes in plain text.

Reported by Matheus Mariano, a Brazilian software developer, the vulnerability affects encrypted volumes using APFS wherein the password hint section is showing the actual password in the plain text.

Yes, you got that right—your Mac mistakenly reveals the actual password instead of the password hint.

In September, Apple released macOS High Sierra 10.13 with APFS (Apple File System) as the default file system for solid-state drives (SSDs) and other all-flash storage devices, promising strong encryption and better performance.

Mariano discovered the security issue while he was using the Disk Utility in macOS High Sierra to add a new encrypted APFS volume to a container. When adding a new volume, he was asked to set a password and, optionally, write a hint for it.

So, whenever the new volume is mounted, macOS asks the user to enter the password.

However, Mariano noticed that when he clicked the "Show Hint" button, he was served with his actual password in the plain text rather than the password hint.

You can see the demonstration of the problem in the below-given video:


This security issue is not the only one discovered in Apple's latest desktop operating system.

Just a few hours before the release of High Sierra, ex-NSA hacker Patrick Wardle publicly disclosed the details of a separate critical vulnerability that allows installed apps to steal passwords and secret data from the macOS keychain.

The good news is that Apple released a supplemental macOS High Sierra 10.13 update on Thursday to addressed both the issues. Mac users can install update from the Mac App Store or download it from the Apple's Software site.

It should be noted that just installing the update would not solve the APFS password disclosure issue. Apple has published a user guide on the password disclosure bug, which you should follow to protect your data.

YOU MAY ALSO LIKE :
Labels:
Location: United States

Comments

Post a Comment

Popular posts from this blog

DJI Spark vs. Parrot Bebop 2 Which One Is The Best

It's a Parrot vs DJI drone showdown Earlier this year, DJI announced it would be taking on the entry-level, selfie drone market with its  Spark . Along with challengers like the  Yuneec Breeze , the smallest DJI quadcopter is priced within touching distance of the bigger  Parrot Bebop 2 . How do they compare? Weight The Bebop is significantly heavier than the Spark, but that extra weight is an advantage in some ways. More on that in a minute. Battery Parrot has slotted a big battery into the Bebop 2 – the original Bebop had an 1100 mAh unit, compared to the 2700 mAh pack in the latest Bebop 2. That translates to a healthy flight time, too. Flight Time Parrot has a massive advantage over DJI when it comes to flight time. The bigger battery in the Bebop affords it a healthy 25 minute flight time, compared to 16 minutes for the Spark. The heavier Parrot drone is also likely to stand up better to buffeting in high winds. Range Both d...
Post a Comment
Read more

Update Your Firefox Browser to Fix a Critical Remotely Exploitable Flaw

Mozilla has released an important update for its Firefox web browser to patch a critical vulnerability that could allow remote attackers to execute malicious code on computers running an affected version of the browser. The update comes just a week after the company rolled out its new Firefox Quantum browser, a.k.a Firefox 58, with some new features like improved graphics engine and performance optimizations and patches for more than 30 vulnerabilities. According to a security  advisory  published by Cisco, Firefox 58.0.1 addresses an 'arbitrary code execution’ flaw that originates due to 'insufficient sanitization' of HTML fragments in  chrome-privileged  documents (browser UI). Hackers could exploit this vulnerability (CVE-2018-5124) to run arbitrary code on the victim's computer just by tricking them into accessing a link or ' opening a file that submits malicious input to the affected software .' "A successful exploit could allow the a...
Post a Comment
Read more

8 Best Facebook Alternatives With Focus On Privacy For 2018

If you try to keep yourself updated with the latest developments in the technology and security world, you must be knowing about the recent Facebook-CA scandal. While most of us knew about Facebook’s relentless data collection practices, this revelation has forced many of us to raise questions and look for Facebook alternatives. Some are even looking for ways to permanently delete their Facebook account. There are many social networks, messaging apps, and news aggregation sites that you can get as a replacement of Facebook. So, let’s tell you about them in brief: Top 8 alternatives to Facebook’s website and app 1.  Vero The subscriber usage data is the bread and butter of social networks like Facebook. Vero is an option in this case as it’s based on the subscription model; so, it doesn’t show ads and collect data for the same. This fast-growing social media alternative is only app-based. They do collect your usage stats but make it av...
Post a Comment
Read more