Reported by Matheus Mariano, a Brazilian software developer, the vulnerability affects encrypted volumes using APFS wherein the password hint section is showing the actual password in the plain text.
Yes, you got that right—your Mac mistakenly reveals the actual password instead of the password hint.
In September, Apple released macOS High Sierra 10.13 with APFS (Apple File System) as the default file system for solid-state drives (SSDs) and other all-flash storage devices, promising strong encryption and better performance.
Mariano discovered the security issue while he was using the Disk Utility in macOS High Sierra to add a new encrypted APFS volume to a container. When adding a new volume, he was asked to set a password and, optionally, write a hint for it.
So, whenever the new volume is mounted, macOS asks the user to enter the password.
However, Mariano noticed that when he clicked the "Show Hint" button, he was served with his actual password in the plain text rather than the password hint.
You can see the demonstration of the problem in the below-given video:
This security issue is not the only one discovered in Apple's latest desktop operating system.
Just a few hours before the release of High Sierra, ex-NSA hacker Patrick Wardle publicly disclosed the details of a separate critical vulnerability that allows installed apps to steal passwords and secret data from the macOS keychain.
Discover the Hidden Dangers of Third-Party SaaS Apps
Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.RESERVE YOUR SEAT
The good news is that Apple released a supplemental macOS High Sierra 10.13 update on Thursday to addressed both the issues. Mac users can install update from the Mac App Store or download it from the Apple's Software site.
It should be noted that just installing the update would not solve the APFS password disclosure issue. Apple has published a user guide on the password disclosure bug, which you should follow to protect your data.