Earlier today, Apple issued an emergency update for macOS High Sierra to address a bug that exposed the passwords of encrypted APFS volumes via the password hint feature.
The bug was discovered earlier today by Brazilian security researcher Matheus Mariano of Leet Tech, who also published the YouTube video embedded below.
The issue occurs only on macOS High Sierra when users add a new encrypted APFS volume to their container.
When the user mounts the APFS volume and is prompted for the password before being able to access the data, pressing the password hint button displays the user's actual password instead of the hint.
The bug only takes place if the user has entered a password hint. Users who did not enter a password hint are not affected.
The problem also affects only Macs with SSD drives, where Apple's new APFS filesystem is supported.
Before disclosing the bug earlier today in a Medium post, Mariano said he informed Apple of the issue.
Compared to its handling of other bug reports, Apple moved quickly to squash this one. Users are advised to update, or at least remove the password hint, so the bug cannot manifest.
Apple has also released a support page with steps to back up, erase, and restore the encrypted APFS volume after the OS update.
The same supplemental update also patched a zero-day in the Keychain app that exposes app passwords in cleartext, discovered by Synack researcher Patrick Wardle.
At the time of writing, Apple has yet to release a fix for another issue found by Wardle, a vulnerability in High Sierra's new "Secure Kernel Extension Loading" (SKEL) feature that allows attackers to load malicious kernel extensions and take over a user's device.
Image and video credits: Matheus Mariano