Apple Says It Fixed High Sierra's Password Leaking Problem

Apple releases supplemental update for macOS High Sierra with various bug fixes

He also added a password hint.

However, mere weeks after its release, developer Matheus Mariano has found a serious bug in the OS that reveals the passwords for encrypted APFS volumes when you click "show password hint" within Disk Utility.

The bug was discovered by security expert Matheus Mariano on September 27, and the collective response it got from experts was one of disbelief.

Called the "macOS High Sierra 10.13 Supplemental Update", the new update fixes two risky bugs in High Sierra, both of which exposed user passwords in some way. The keychain bug was addressed by requiring the user password when prompting for keychain access. For the Disk Utility bug, users who did not enter a password hint are not affected; in the meantime, removing any password hints appears to work around the issue until the update is installed.

Apple noted that a user can change their password, which clears the hint without affecting the underlying encryption keys that protect the data, but advised instead that users download the latest macOS update in order to secure their devices.

The supplemental update for macOS patches the CVE-2017-7150 vulnerability that allowed applications to extract passwords from the Keychain credentials manager.

"On High Sierra (unsigned) apps can programmatically dump & exfil keychain (w/ your plaintext passwords)", Wardle wrote in a Twitter message.

macOS High Sierra, which Apple first unveiled at its WWDC developer conference earlier this year, offers the modern APFS file system, Metal 2 graphics improvements, new capabilities in Safari, and improvements to the company's own apps such as Notes, Mail and Photos. The supplemental update also improves installer robustness.
