Apple Says It Fixed High Sierra’s Password Leaking Problem

By Kate Conger on at

Time to install those updates! Last week, we warned you that a bug in High Sierra made it possible for an attacker to extract passwords from Apple’s Keychain in plaintext. The bug was discovered and reported by Synack head researcher Patrick Wardle in early September, and now Apple has issued a patch for the issue.

“A method existed for applications to bypass the keychain access prompt with a synthetic click. This was addressed by requiring the user password when prompting for keychain access,” Apple says in the release notes for the update.

High Sierra 10.13 also comes with another important security update that you’ll want to grab as soon as possible. Security researcher Matheus Mariano discovered that, if he used a password hint to remind him of his encryption password for an Apple File Systems volume, the password itself would be displayed instead of the hint.

Installing the update will fix this, but Apple has a whole list of steps you should follow as well, including changing passwords for encrypted APFS volumes.