Disk Utility Bug in macOS High Sierra Exposes Passwords of Encrypted APFS Volumes in Plain Text [Updated]

by

Brazilian software developer Matheus Mariano appears to have discovered a significant Disk Utility bug that exposes the passwords of encrypted Apple File System volumes in plain text on macOS High Sierra.

disk utility password prompt

MacRumors confirmed our test password "dontdisplaythis" appeared as the hint

Mariano added a new encrypted APFS volume to a container, set a password and hint, and unmounted and remounted the container in order to force a password prompt for demonstration purposes. Then, he clicked the "Show Hint" button, which revealed the full password in plain text rather than the hint.

A second video with English system language is embedded below

MacRumors reproduced this behavior on a 2016 MacBook Pro running macOS High Sierra, including versions 10.13 and 10.13.1 beta. German software developer Felix Schwarz also shared a video of the issue on Twitter today.
The issue currently only affects Macs with SSD storage due to Apple File System compatibility, but APFS will eventually support machines with Fusion Drives as well. Schwarz believes users who haven't specified a password hint, or haven't used Disk Utility whatsoever, are probably not affected.

For clarity, this appears to be a bug within Disk Utility itself. When creating an encrypted APFS volume in Terminal with the diskutil command line utility, the actual hint is shown, rather than the password.

Mariano said he has reported the vulnerability to Apple. The company did not immediately respond to our request for a comment on the matter, but we'll update this article if we hear back.

Update: Apple has addressed this bug by releasing a macOS High Sierra 10.13 Supplemental Update, available from the Updates tab in the Mac App Store. Apple has also shared a support document outlining steps to back up, erase, and restore the encrypted APFS volume upon updating.

The bug has also been fixed in the base version of macOS High Sierra for those who have yet to install the full software update.

Tag: APFS
Related Forum: macOS High Sierra

Popular Stories

iOS 26

iOS 26.4 and iOS 27 Features Revealed in New Leak

Friday December 12, 2025 10:56 am PST by
Macworld's Filipe Espósito today revealed a handful of features that Apple is allegedly planning for iOS 26.4, iOS 27, and even iOS 28. The report said the features are referenced within the code for a leaked internal build of iOS 26 that is not meant to be seen by the public. However, it appears that Espósito and/or his sources managed to gain access to it, providing us with a sneak peek...
Read Full Article89 comments
Apple Foldable Thumb

Leak Reveals Foldable iPhone Details

Monday December 15, 2025 9:09 am PST by
The first foldable iPhone will feature a series of design and hardware firsts for Apple, according to details shared by the Weibo leaker known as Digital Chat Station. According to a new post, via machine translation, Apple is developing what the leaker describes as a "wide foldable" device, a term used to refer to a horizontally oriented, book-style foldable with a large internal display....
Read Full Article139 comments
apple beta 26 lineup

Apple Leak Confirms Work on Foldable iPhone, AirTag 2, and Dozens More Devices

Monday December 15, 2025 2:05 pm PST by
Last week, details about unreleased Apple devices and future iOS features were shared by Macworld. This week, we learned where the information came from, plus we have more findings from the leak. As it turns out, an Apple prototype device running an early build of iOS 26 was sold, and the person who bought it shared the software. The OS has a version number of 23A5234w, and the first...
Read Full Article55 comments
iOS 26

Apple Releases iOS 26.2 With Alarms for Reminders, Lock Screen Changes, Enhanced Safety Alerts and More

Friday December 12, 2025 10:10 am PST by
Apple today released iOS 26.2, the second major update to the iOS 26 operating system that came out in September, iOS 26.2 comes a little over a month after iOS 26.1 launched. ‌iOS 26‌.2 is compatible with the ‌iPhone‌ 11 series and later, as well as the second-generation ‌iPhone‌ SE. The new software can be downloaded on eligible iPhones over-the-air by going to Settings >...
Read Full Article111 comments
iOS 26

iOS 26.2 Coming Soon With These 8 New Features on Your iPhone

Thursday December 11, 2025 8:49 am PST by
Apple seeded the second iOS 26.2 Release Candidate to developers earlier this week, meaning the update will be released to the general public very soon. Apple confirmed iOS 26.2 would be released in December, but it did not provide a specific date. We expect the update to be released by early next week. iOS 26.2 includes a handful of new features and changes on the iPhone, such as a new...
Read Full Article82 comments
Apple Logo Top Half

Early iOS 26 Software Leak Uncovers Dozens of Upcoming Apple Features

Monday December 15, 2025 3:05 pm PST by
Software from an iPhone prototype running an early build of iOS 26 leaked last week, giving us a glimpse at future Apple devices and iOS features. We recapped device codenames in our prior article, and now we have a list of some of the most notable feature flags that were found in the software code. In some cases, it's obvious what the feature flags are referring to, while some are more...
Read Full Article18 comments
macOS Tahoe 26 Thumb

Apple Releases macOS Tahoe 26.2 With Edge Light

Friday December 12, 2025 10:08 am PST by
Apple today released macOS Tahoe 26.2, the second major update to the macOS Tahoe operating system that came out in September. macOS Tahoe 26.2 comes five weeks after Apple released macOS Tahoe 26.1. Mac users can download the macOS Tahoe update by using the Software Update section of System Settings. macOS Tahoe 26.2 includes Edge Light, a feature that illuminates your face with soft...
Read Full Article98 comments
AirPods Pro Firmware Feature

Apple Releases New Firmware for AirPods Pro 2 and AirPods Pro 3

Thursday December 11, 2025 11:28 am PST by
Apple today released new firmware designed for the AirPods Pro 3 and the prior-generation AirPods Pro 2. The AirPods Pro 3 firmware is 8B30, up from 8B25, while the AirPods Pro 2 firmware is 8B28, up from 8B21. There's no word on what's include in the updated firmware, but the AirPods Pro 2 and AirPods Pro 3 are getting expanded support for Live Translation in the European Union in iOS...
Read Full Article68 comments

Top Rated Comments

masotime Avatar
masotime
107 months ago
Apple seriously needs to start hiring better QA engineers....
Score: 49 Votes (Like | Disagree)
IPPlanMan Avatar
IPPlanMan
107 months ago
But we need to have animated emoji faces...
Score: 26 Votes (Like | Disagree)
MasterMac Avatar
MasterMac
107 months ago
Does showing the password itself as the hint count as a password hint? ;)
Score: 23 Votes (Like | Disagree)
Frosties Avatar
Frosties
107 months ago
Thank you for the laugh. Great alpha software.
Score: 20 Votes (Like | Disagree)
smaffei Avatar
smaffei
107 months ago
Apple seriously needs to start hiring better QA engineers....
Yes, there some HUGE problems with Apple QA these days.

iOS 11 is riddled with obvious bugs. I just got one about 10 minutes ago. Was just deleting a few voicemails (swipe delete) and the Phone App crashed. Then there is a very reproducible Messages bug where the keyboard obscures the last few messages and you can't get to them. Real rinky-dink stuff that should be caught.

I'm starting to think that Apple is relying too much on the Beta process to collect bugs instead of having robust internal QA.
Score: 18 Votes (Like | Disagree)
RMo Avatar
RMo
107 months ago
To be clear, the linked Twitter thread ('https://twitter.com/felix_schwarz/status/915851372217683970/video/1') suggests that this is a Disk Utility bug, where if you create a password-protected volume in Disk Utility it inadvertently sets the hint to the password itself. It's not a bug that allows the password itself to be uncovered via other means, which is what I originally thought this meant and which was surprising to me since the only way to do that should be computationally expensive brute-force methods (the data itself is encrypted with the password; it's not just artificially protected by one, and it shouldn't be possible to "reverse lookup" the password by any true means).
Score: 17 Votes (Like | Disagree)
Read All Comments