New macOS High Sierra Vulnerability Exposes Passwords of Encrypted APFS Volumes in Plain Text

Brazilian software developer Matheus Mariano appears to have discovered a significant macOS High Sierra vulnerability that exposes the passwords of encrypted Apple File System volumes in plain text in Disk Utility.

MacRumors confirmed our test password "dontdisplaythis" appeared as the hint.

Mariano added a new encrypted APFS volume to a container, set a password and hint, and unmounted and remounted the container in order to force a password prompt for demonstration purposes. Then, he clicked the "Show Hint" button, which revealed the full password in plain text rather than the hint.


MacRumors reproduced this behavior on a 2016 MacBook Pro running macOS High Sierra, including versions 10.13 and 10.13.1 beta. German software developer Felix Schwarz also shared a video of the issue on Twitter today.

The issue currently only affects Macs with SSD storage due to Apple File System compatibility, but APFS will eventually support machines with Fusion Drives as well. Schwarz believes users who haven't specified a password hint, or haven't used Disk Utility whatsoever, are probably not affected.

For clarity, this appears to be a bug within Disk Utility itself. When creating an encrypted APFS volume in Terminal with the diskutil command line utility, the actual hint is shown, rather than the password.

Mariano said he has reported the vulnerability to Apple. The company did not immediately respond to our request for comment on the matter, but we'll update this article if we hear back.

(Thanks, Marcus!)


Apple’s Craig Federighi Confirms APFS Coming to Fusion Drives in a Future macOS High Sierra Update

The initial version of macOS High Sierra released this morning limits the new Apple File System (APFS) to Macs that have all-flash built-in storage, excluding iMacs and Mac mini machines that feature Fusion Drives.


Apple announced the limitation last week in a support document that said the initial release would not allow Fusion Drives to be converted to APFS, implying future support, and now Apple software engineering chief Craig Federighi has confirmed APFS will indeed be coming to Fusion Drives in a later update.

Federighi shared the info in an email sent to MacRumors reader Michiel, who asked if APFS would be added later.

"Yes, we plan to add support in a future update," replied Federighi.

Fusion Drives, available as a storage option for Apple's iMac and Mac mini desktop machines, combine a hard drive with flash storage to provide the speed of an SSD with the affordability of a standard hard drive. Frequently accessed files are stored using flash storage, while less frequently used files are moved to the hard drive.

The first macOS High Sierra beta released in June did include support for Fusion Drives and converted iMacs and Mac minis to APFS, but support was removed in subsequent betas and was not reimplemented, presumably due to stability problems and bugs with the feature.

Apple File System is a more modern file system than HFS+ and is optimized for solid state drives. It is safe and secure, offering crash protection, safe document saves, stable snapshots, simplified backups, and strong native encryption.


Developers who happened to install APFS on their machines have been provided with instructions for how to convert back to HFS+ for the time being.

Apple's macOS High Sierra press release also confirms the company's plans to introduce APFS support for Fusion Drives and standard HDDs, but Apple has not offered a timeline on when we can expect the APFS update to be released.


Google Backup and Sync App Updated With APFS Support for Macs Running High Sierra

Google this morning quietly updated its Backup and Sync client app with APFS support for Macs running the latest macOS High Sierra beta.

The change, first spotted by Piunikaweb, means users of Google Drive and Google Photos can now take advantage of the new Apple File System (APFS), which was introduced in High Sierra. APFS replaces HFS+ and unifies the file system across macOS, iOS, tvOS, and watchOS, meaning it's optimized for devices that use flash and solid-state storage.

Google's new Backup and Sync client app was broken by the OS change, and some High Sierra users resorted to moving their Google Drive to an external disk formatted to HFS+ to allow their files to sync again.

However, that step should no longer be necessary with Backup and Sync version 3.36. Users can take advantage of the new APFS support by either downloading the Google app anew or waiting for their client to auto-update sometime in the next week.

Google Backup and Sync for Google Photos and Google Drive is a free download for Mac.

