Apple macOS High Sierra Bug Exposes Passwords of Encrypted APFS Volumes As Hint

A severe programming error has been discovered in Apple's latest macOS High Sierra 10.13 that exposes passwords of encrypted Apple File System (APFS) volumes in plain text.

Reported by Matheus Mariano, a Brazilian software developer, the vulnerability affects encrypted volumes using APFS wherein the password hint section is showing the actual password in the plain text.

Yes, you got that right—your Mac mistakenly reveals the actual password instead of the password hint.

In September, Apple released macOS High Sierra 10.13 with APFS (Apple File System) as the default file system for solid-state drives (SSDs) and other all-flash storage devices, promising strong encryption and better performance.

YOU MAY ALSO LIKE :

iOS 11.3 coming this spring with battery and performance settings, ARKit 1.5, new Animoji

Mariano discovered the security issue while he was using the Disk Utility in macOS High Sierra to add a new encrypted APFS volume to a container. When adding a new volume, he was asked to set a password and, optionally, write a hint for it.

So, whenever the new volume is mounted, macOS asks the user to enter the password.

However, Mariano noticed that when he clicked the "Show Hint" button, he was served with his actual password in the plain text rather than the password hint.

You can see the demonstration of the problem in the below-given video:

This security issue is not the only one discovered in Apple's latest desktop operating system.

Just a few hours before the release of High Sierra, ex-NSA hacker Patrick Wardle publicly disclosed the details of a separate critical vulnerability that allows installed apps to steal passwords and secret data from the macOS keychain.

The good news is that Apple released a supplemental macOS High Sierra 10.13 update on Thursday to addressed both the issues. Mac users can install update from the Mac App Store or download it from the Apple's Software site.

It should be noted that just installing the update would not solve the APFS password disclosure issue. Apple has published a user guide on the password disclosure bug, which you should follow to protect your data.

Comments

[Guide] How to Protect Your Devices Against Meltdown and Spectre Attacks

Recently uncovered two huge processor vulnerabilities called Meltdown and Spectre have taken the whole world by storm, while vendors are rushing out to patch the vulnerabilities in its products. The issues apply to all modern processors and affect nearly all operating systems (Windows, Linux, Android, iOS, macOS, FreeBSD, and more), smartphones and other computing devices made in the past 20 years. What are Spectre and Meltdown? We have explained both, Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753, CVE-2017-5715), exploitation techniques in our previous article. In short, Spectre and Meltdown are the names of security vulnerabilities found in many processors from Intel, ARM and AMD that could allow attackers to steal your passwords, encryption keys and other private information. Both attacks abuse 'speculative execution' to access privileged memory—including those allocated for the kernel—from a low privileged user process like a malicious app running...

Check your Gmail Account Email is Secured or Not After 50 Lacs Gmail account Hacking

World Biggest Hacking 50Lacs Gmail Account Hacked by Russian Hackers. Hack Gmail List Post in Bitsec security forum. This hacking is done in 10 September 2014. Anyone can download 5 Million hacking gmail list . Your password is compromised publicaly. So how do you know your account is hacked is or not. This is one of the biggest hack in Gmail account. So hackers use your gmail account password in illegal purposes. So I recommend you to check your gmail account password. Here we provide a website to check your email in the hacking list. If your name in the hacking list ,so change your password of gmail. Check your name in Gmail Hacking list Follow the given steps. 1 Go to this website ISLEAKED.COM or haveibeenpwned.com/ 2. Type of email and click on check it. 3. Now you know your account is hacked or not. YOU MAY ALSO LIKE : Make Fake FB Account in 1 Min Without Mobile and email Facebook Moves To Decide What ...

Unlocked phones vs. locked phones: Why you should care

Should you get an unlocked phone? The US wireless market is more competitive than ever, which is great news for consumers who have lots of choices when it comes choosing a service provider. But one barrier still exists when trying to switch carriers: the locked smartphone. The end of wireless contracts marked a watershed trend for consumers because it finally opened the door for them to more easily shop around for alternative wireless carriers. But the software locks that carriers put on phones restricting its use on other networks still prevent many consumers from having total freedom when it comes to choosing a provider. Now Verizon, the only wireless carrier that sold its phones unlocked out of the box, is reversing course. The company said earlier this week it would begin locking the phones it sells to consumers for an undetermined period of time, which will prevent them from using a SIM card from another carrier. But Verizon promised it would eventually ...

Tech Knock

Search This Blog