macOS High Sierra users are once again impacted by a major APFS bug after two other major vulnerabilities affected Apple's new filesystem format in the last five months.
This time around, according to a report from Mac forensics expert Sarah Edwards, recent versions of macOS High Sierra are logging encryption passwords for APFS-formatted external drives in plaintext, and storing this information in non-volatile (on-disk) log files.
The issue, if exploited, could allow an attacker easy access to the encryption password of encrypted APFS external volumes, such as USB thumb drives, portable hard drives, and other external storage mediums.
This bug goes against well-established Apple development and security guidance, under which apps and utilities should store secrets in the Keychain and should never write passwords to disk in cleartext.
The bug affects versions of macOS High Sierra from v10.13 to the recent v10.13.3, but in different manners.
Edwards says that whenever a user creates a new APFS volume and chooses an encryption password, Disk Utility.app will log the encryption password in the unified OS log. According to tests by Edwards and others, this variant appears to affect only macOS 10.13 and 10.13.1, not more recent versions.
While this issue appears to have been fixed in recent macOS versions, Edwards says that macOS 10.13.3 (and probably earlier) will also log the encryption password when the user encrypts an already-existing APFS-formatted external volume (instead of creating one).
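The failure mode described above, a utility that writes its full command line, passphrase included, into a persistent log, is illustrated here by an added example that is not from the article, from Apple, or from Edwards' report. The tool name and flag names are assumptions; the pattern shown is the usual fix of redacting secret-bearing arguments before anything reaches the logger, plus a check a reviewer can run over captured log text.

```python
"""Added example: secret leakage via a logged command line, and its mitigation.
The tool name 'format-volume' and the flags below are hypothetical."""
import shlex
from typing import Iterable, List

# Hypothetical flags whose following value (or --flag=value part) is a secret.
SECRET_FLAGS = {"--passphrase", "-p"}


def unsafe_log_line(argv: List[str]) -> str:
    """The buggy behaviour: the whole argv, secret included, becomes a log message.
    Anything persisted from this line ends up in on-disk logs."""
    return "running: " + shlex.join(argv)


def redact_argv(argv: Iterable[str], secret_flags=SECRET_FLAGS) -> List[str]:
    """Return a copy of argv with secret values replaced by a marker.
    Handles both '--flag value' and '--flag=value' spellings."""
    out: List[str] = []
    hide_next = False
    for tok in argv:
        if hide_next:
            out.append("<redacted>")
            hide_next = False
            continue
        flag, sep, _value = tok.partition("=")
        if sep and flag in secret_flags:
            out.append(f"{flag}=<redacted>")
        elif tok in secret_flags:
            out.append(tok)
            hide_next = True  # the next token is the secret value
        else:
            out.append(tok)
    return out


def safe_log_line(argv: List[str]) -> str:
    """The mitigated behaviour: redact before the string is ever built."""
    return "running: " + shlex.join(redact_argv(argv))


def log_contains_secret(log_text: str, secret: str) -> bool:
    """Check captured log output for a known test passphrase (e.g. after a
    disk-format run in a lab) to confirm nothing sensitive was persisted."""
    return secret in log_text


if __name__ == "__main__":
    # Constructed sample invocation; the passphrase is a throwaway test value.
    argv = ["format-volume", "--encrypt", "--passphrase", "test pass 1", "/dev/disk9s9"]
    print(unsafe_log_line(argv))
    print(safe_log_line(argv))
```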
Both issues are edge cases, affecting users that own external storage devices and use APFS formatting, so it is not a wide-reaching problem, for the time being.
YouTube videos showcasing the bug's two variants are available below.
This is the third major APFS bug reported in a technology that Apple introduced for macOS users in March 2017, advertising it as the next high-end filesystem format.
Back in October, researchers found that macOS High Sierra was exposing the password of encrypted APFS volumes via the password hint feature. Apple fixed the embarrassing bug after a few days, but not before being ridiculed online.
Apple had egg on its face again in February when it was discovered that, under certain conditions, macOS lost user data when dealing with APFS sparse disk images.
Apple is usually quick to address these types of bugs, with fixes out in a matter of days, and this one has already made the rounds on social media.
UPDATE [March 30]: This issue was fixed in macOS High Sierra 10.13.4, released on March 29.