Apple Fixes APFS Security Flaw That Revealed Passwords

Password hints can prove useful when you can't remember how to sign in to a service that you don't use all that often. They can also be damaging if the hint gives the password away or flat-out reveals it to anyone who goes looking. Apple fixed a flaw in macOS High Sierra that was even more troublesome—it mistakenly saved your password as the "hint" for encrypted volumes using the company's new Apple File System (APFS).

It's not hard to imagine why this was a problem. The whole point of encrypting a volume is to prevent anyone else from accessing it; allowing someone to make their way through those defenses by clicking one button undermines the whole process. This is even worse than, say, unexpectedly changing the behavior of the buttons that control your smartphone's Bluetooth and Wi-Fi connectivity options. (Ahem.)

The flaw also undermined APFS itself. Apple announced the file system at WWDC 2016 to offer "more granular and robust encryption control, copy-on-write metadata, space sharing between volumes, cloning for files and directories, snapshots (faster and less capacity-intensive than backups), write atomicity (ensures data safety) and improved overall fundamentals," as we explained at the time. The encryption bit is key.

On the bright side, Apple released an update to macOS High Sierra that should resolve this issue. But things still aren't all sunshine and rainbows, because Apple said in a support article that you're going to have to follow these steps to fix the problem with volumes you've already encrypted:

  1. Install the macOS High Sierra 10.13 Supplemental Update from the App Store updates page.
  2. Create an [encrypted] backup of the data in your affected encrypted APFS volume.
  3. Open Disk Utility and select the affected encrypted APFS volume in the sidebar.
  4. Click Unmount to unmount the volume.
  5. Click Erase.
  6. When asked, type a name for the volume in the Name field.
  7. Change Format to APFS.
  8. Then change Format again to APFS (Encrypted).
  9. Enter a new password in the dialog. Enter it again to verify the password, and if you’d like to, provide a hint for the encrypted APFS volume. Click Choose.
  10. Click Erase. You can see the progress of the Erase process.
  11. Click Done when the process is complete.
  12. Restore the data that you backed up in Step 1 to the new encrypted APFS volume that you just created.

The company also said you should update any accounts that rely on the same password used for the encrypted volumes. That's a potential side effect of this flaw—people who reuse passwords (and there are many who do) now have to worry about someone accessing other information. Again, trying to view a password hint not only offered access to ostensibly secure files, but could also have put other private data at risk.

Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

  • velocityg4
    Wow, that is not an acceptable solution. They need to figure out how to get the system to re-encrypt the volume in the background without user interaction. The steps required are beyond the average user. Especially a premium product from a company people spend the big bucks on for ease of use.

    Failing that. Offer same day turnaround on startup drives at the Applestore and authorized service centers, no charge.

    I think I smell a class action lawsuit on the horizon.

    Luckily, there probably aren't that many units in the wild using APFS and Filevault.

    The real question is. How could they mess up this bad? How did all the engineers working on this filesystem miss such an obvious gaping security hole? Apple is supposed to be one of the hardest tech companies to get a job with.
    Reply
  • svan71
    velocityg4 a class action ona "free" os update ? Good luck.
    Reply
  • velocityg4
    20254664 said:
    velocityg4 a class action ona "free" os update ? Good luck.

    I didn't say they will win. That won't stop a law firm from trying.
    Reply