macOS High Sierra Leaks APFS Volume Passwords via Hint

A developer from Brazil noticed that the recently launched macOS High Sierra 10.13 operating system leaks the passwords for encrypted Apple File System (APFS) volumes via the password hint.
APFS is a new file system introduced by Apple with macOS High Sierra. When High Sierra is installed on a computer with a solid-state drive (SSD), the startup volume is automatically converted to APFS and users cannot opt out of the transition. APFS promises strong encryption, fast directory sizing, space sharing, and improved file system fundamentals.
Developer Matheus Mariano discovered the password leakage after he used the Disk Utility in High Sierra to add a new encrypted APFS volume to the container. When users add a new volume, they are asked to enter a password and, optionally, write a hint for it.
When the new volume is mounted, the user is asked to enter the password. However, Mariano noticed that if the “Show Hint” button is pressed, the hint that is displayed is actually the password set by the user. The password is not disclosed if no information is entered into the “Password hint” field when creating a new volume, although Apple recommends adding a hint.
“I really don’t know how this went unnoticed by Apple (and anyone else),” Mariano said.
SecurityWeek can confirm that the password for encrypted APFS volumes is leaked via the password hint on High Sierra.
macOS developer Felix Schwarz pointed out that users who set a hint through Disk Utility can work around the issue by replacing the hint with the diskutil command-line utility.
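As an added illustration of that workaround (this script is not from the article, from Apple, or from Felix Schwarz), the functions below build the diskutil invocation that replaces a volume's passphrase hint and refuse a replacement hint that itself contains the passphrase, which is the condition the bug produced. The verb and flags `diskutil apfs setPassphraseHint <device> -user <crypto-user-uuid> -hint <text>`, and `diskutil apfs listCryptoUsers <device>` for finding the UUID, are assumed from the macOS 10.13 diskutil; confirm them against the usage text that `diskutil apfs` prints on your system. The device path and UUID in the example call are placeholders.

```shell
#!/bin/sh
# Added example, not code from SecurityWeek, Apple or Felix Schwarz.
# Assumed diskutil syntax (verify with `diskutil apfs` on the machine):
#   diskutil apfs listCryptoUsers <device>
#   diskutil apfs setPassphraseHint <device> -user <uuid> -hint <text>

# Reject a hint that is empty or contains the passphrase (case-insensitive).
# Returns 0 if the hint is acceptable, 1 otherwise.
hint_is_safe() {
    pass=$1
    hint=$2
    [ -n "$hint" ] || return 1
    lp=$(printf '%s' "$pass" | tr '[:upper:]' '[:lower:]')
    lh=$(printf '%s' "$hint" | tr '[:upper:]' '[:lower:]')
    case "$lh" in
        *"$lp"*) return 1 ;;
    esac
    return 0
}

# Emit the diskutil command, one argument per line, without running it,
# so a caller can review exactly what would be executed.
apfs_set_hint_cmd() {
    dev=$1
    user=$2
    hint=$3
    printf '%s\n' diskutil apfs setPassphraseHint "$dev" -user "$user" -hint "$hint"
}

# Run the hint replacement when diskutil is present (macOS); elsewhere print
# the command as a dry run. Usage: apfs_set_hint <device> <uuid> <passphrase> <hint>
apfs_set_hint() {
    dev=$1
    user=$2
    pass=$3
    hint=$4
    if ! hint_is_safe "$pass" "$hint"; then
        echo "refusing: new hint is empty or contains the passphrase" >&2
        return 1
    fi
    if command -v diskutil >/dev/null 2>&1; then
        diskutil apfs setPassphraseHint "$dev" -user "$user" -hint "$hint"
    else
        echo "dry run (diskutil not found); would execute:"
        apfs_set_hint_cmd "$dev" "$user" "$hint" | tr '\n' ' '
        echo
    fi
}

# Placeholder device and crypto-user UUID; take real values from
# `diskutil apfs listCryptoUsers /dev/diskXsY`.
apfs_set_hint /dev/diskXsY 00000000-0000-0000-0000-000000000000 'correct horse' 'ask the helpdesk'
```

Replacing the hint only stops further disclosure. If the hint was ever shown on the unlock dialog, treat the passphrase as exposed and change it as well (diskutil has an `apfs changePassphrase` verb for this; again, check the local usage text), and re-run the volume through the fixed macOS update once installed.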
Mariano said he reported the issue to Apple before making his findings public. He also published a video demonstrating the bug.
SecurityWeek has reached out to Apple for comment and will update this article if the company responds.
This is not the first security hole discovered by researchers in High Sierra. Patrick Wardle, director of research at Synack, reported last month that unsigned apps can steal passwords from the macOS keychain, and that Apple’s new Secure Kernel Extension Loading (SKEL) security feature can be easily bypassed.

UPDATE. Apple told SecurityWeek that an update released on Thursday, October 5, for High Sierra addresses both the APFS password disclosure issue and the keychain vulnerability reported by Wardle.
The company has also published a knowledge base article that provides more guidance to users on the password disclosure bug.
Related: Mac Firmware Updates Are Failing and Leaving Systems Vulnerable
Related: Apple Patches Vulnerabilities in macOS, macOS Server