A BRAZILIAN SOFTWARE DEVELOPER has uncovered a bug in Apple's macOS High Sierra software that exposes the passwords of encrypted Apple File System (APFS) volumes in plain text.
One of the biggest changes in Apple's newly-released High Sierra OS is the switch to APFS, the firm's proprietary file system for Mac users that promises improved efficiency and, er, strong encryption.
However, mere weeks after its release, developer Matheus Mariano has found a serious bug in the OS: when a new encrypted APFS volume is created in Disk Utility with a password hint, the utility stores the password itself in the hint field, so clicking "show password hint" at unlock time displays the volume's password in plain text.
"I really don't know how this went unnoticed by Apple (and anyone else)", Mariano said in a blog post exposing the glitch.
German software developer Felix Schwarz also shared a video of the issue on Twitter, having managed to easily replicate the borkage.
Security outfit Sophos has also had a poke at the flaw, and has described it as a "facepalming" oversight on Apple's part.
"A bad look for Apple, letting a buggy system utility like that into a production release," the firm said in a blog post.
The issue only affects Macs with SSD storage, because High Sierra converts only all-flash Macs to APFS, but as noted by MacRumours, the file system will eventually support machines with Fusion Drives as well.
Schwarz notes users who haven't specified a password hint, or haven't used Disk Utility whatsoever, are probably not affected.
Those who have the latest version of macOS High Sierra 10.13 installed will be protected too, as Apple quickly rushed out a fix for the issue (the macOS High Sierra 10.13 Supplemental Update) on Thursday. Note that the update stops Disk Utility from writing the password into the hint field, but it does not change the hint already stored on an affected volume.
The firm has also shared a support document outlining steps to back up, erase, and restore the encrypted APFS volume after updating, so that the exposed password is no longer stored as the hint.
This ain't the first security problem that has plagued early adopters of macOS 10.13. Last month, it was revealed by an ex-NSA staffer that the OS shipped with a vulnerability that allowed malicious code to extract plaintext passwords from the Keychain.