Apple rushed out an emergency patch Thursday that fixed an incredulous bug in its shiny new High Sierra operating system that revealed APFS volume passwords via the password hint feature.
Brazilian researcher Matheus Mariano of Leet Tech found the bug and privately disclosed it to Apple. He said that upon creation of an encrypted container in APFS—Apple’s new file system in High Sierra—the password guarding it is stored in plaintext in the password hint.
If you create an Encrypted APFS container and install the new macOS, your password will be stored as plain text in your password hint. pic.twitter.com/DwA7sks9HD
— Matheus Mariano (@martiano_) September 26, 2017
Mariano explained in a post how he found the bug (CVE-2017-7149) upon creating a new encrypted volume to the APFS container. He created a new password and entered a hint into the field. He mounted the new container and upon clicking the password hint, his newly created password was revealed instead. Mariano said the issue affects only Macs with solid state drives.
“If a hint was set in Disk Utility when creating an APFS encrypted volume, the password was stored as the hint,” Apple said in its advisory. “This was addressed by clearing hint storage if the hint was the password, and by improving the logic for storing hints.”
Mariano demonstrated the bug in a video, below.
Mariano’s bug was one of two vulnerabilities addressed in the out-of-band fix. The other was a vulnerability disclosed shortly before the release of High Sierra last week that allowed attackers to dump plaintext passwords from the macOS keychain.
Researcher Patrick Wardle, chief security researcher at Synack, privately disclosed to Apple in early September and said the bug is also present in Sierra and likely also in El Capitan.
Wardle cautioned last week that there was a low barrier to entry for attackers to exploit this issue once they already had a foothold on a machine.
The macOS Keychain is a critical security component for authentication. It’s an encrypted container that stores system usernames and passwords as well as credentials for applications and web-based services. It can also store payment card data, banking PINs and other credentials. Accompanying Keychain is Keychain Access, a password management application that stores credentials in the keychain, saving the user from having to enter them over and over on the web.
Wardle and other researchers were critical of Apple’s response to the initial disclosure, which recommended to users that Gatekeeper would be an adequate mitigation against the Keychain attack. While this might be true against unsigned malware—Gatekeeper denies unsigned code from executing on macOS—it ignores the multitude of attacks carried out using legitimate Apple developer certs to sign malware.
“That prerequisite of getting initially infected is a high prerequisite,” Wardle said. “That’s the area of focus and probably why Apple responded with Gatekeeper. That wouldn’t have been my response. But I like where they’re going in terms of being careful where you’re downloading apps from and following good security practices. Unfortunately we are seeing things like legitimate applications and websites getting hacked (Handbrake, Transmission). And in those scenarios, those are signed apps being hosted on legitimate websites and the user is pretty much done.
“I think it’s important for Apple to build in these secondary lines of defenses where even if that happens when something tries to hijack the keychain, it’s pretty much blocked.”