Linked by Thom Holwerda on Mon 9th Oct 2017 19:26 UTC
Mac OS X

Reported by Matheus Mariano, a Brazilian software developer, a programming error was discovered in Apple's most recent operating system, High Sierra, that exposed passwords of encrypted volumes as password hints. A serious bug that quickly made the headlines in technology websites everywhere.

Apple was prompt to provide macOS High Sierra Supplemental Update to customers via the App Store, and ensured that every distribution of High Sierra in their servers included this update.

I decided to apply a binary diffing technique to the update to learn more about the root cause of this bug and hypothesize about how the defect could have been prevented.

Thread beginning with comment 649719
Comment by sj87
by sj87 on Tue 10th Oct 2017 08:50 UTC
sj87 Member since:
2007-12-16

As a programmer I fail to find this anything other than another day at the office. Even before reading the article, I assumed that they just stored the password as 'password hint', because that's the only option.

Passwords are usually stored in a form that is not reversible, so it just cannot pop up in another field by accident unless it was deliberately put there.

Programming is still mostly manual work, i.e., every little detail has to be written by hand just as we see it happen on the screen. There rarely exists any magical method so that we just type one line of code and see a hundred things happen, no.

Reply Score: 4

RE: Comment by sj87
by Bill Shooter of Bul on Tue 10th Oct 2017 17:53 in reply to "Comment by sj87"
Bill Shooter of Bul Member since:
2006-07-14

Really disagree that this was another day at the office. It kind of screams out that security is an afterthought at Apple. It's a systemic issue that cries out for redress. The individual developer is only partially at fault here. The system of developing software let Apple down, as this really should have been caught somewhere in the SDLC.

Reply Parent Score: 5

RE: Comment by sj87
by avgalen on Wed 11th Oct 2017 11:29 in reply to "Comment by sj87"
avgalen Member since:
2010-09-23

Passwords are usually stored in a form that is not reversible, so it just cannot pop up in another field by accident unless it was deliberately put there.

That was the most incredible thing about this whole article. The password to the disk encryption is stored in a reversible way and is read into memory.
The way this showed up was that a programmer made a change that showed the password to the world in the password-hint UI, but it was actually never really hidden.
As far as I understood, it is still this way after the fix. The fix literally checks if the password hint is the same as the password and won't show the hint in that case. That is literally putting lipstick on a pig.

Apple acknowledged the flaw in its patch release notes: "If a hint was set in Disk Utility when creating an APFS encrypted volume, the password was stored as the hint. This was addressed by clearing hint storage if the hint was the password, and by improving the logic for storing hints."

Reply Parent Score: 4

RE[2]: Comment by sj87
by sj87 on Sat 14th Oct 2017 13:31 in reply to "RE: Comment by sj87"
sj87 Member since:
2007-12-16

That was the most incredible thing about this whole article. The password to the disk encryption is stored in a reversible way and is read into memory.

The encryption password has to be stored in memory, as without it encryption/decryption is impossible. I don't know why they're storing this password on the disk in the first place, though. Maybe it is needed for some automation, and they're storing the container in an encrypted form.

The way this showed up was that a programmer made a change that showed the password to the world in the password-hint UI, but it was actually never really hidden.
As far as I understood, it is still this way after the fix. The fix literally checks if the password hint is the same as the password and won't show the hint in that case. That is literally putting lipstick on a pig.

I guess their point is to also 'fix' this issue for those users who were affected by the now-fixed bug and already have their password stored also as the password hint. There are different ways to tackle this problem but they decided this is the least likely way to fail at that.

Although a new issue might be that upon changing the encryption password, the app will then leak the old password that was used (and stored as the password hint), which might open an attack surface in case the same password is in use somewhere else too.

Edited 2017-10-14 13:34 UTC

Reply Parent Score: 2
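The exchange above between avgalen and sj87 turns on two points: the patched software repairs already-affected volumes by comparing the stored hint against the password at display time, and that comparison no longer matches once the user has changed the password, so an old password left in the hint field is shown anyway. The following model, added here as an illustration and in no way Apple's code, plays both cases through. The record layout, the `display_hint_patched` step and the hardened variant (refuse a hint equal to the password at creation, and drop the hint on password change) are assumptions made for the example; the constructed passwords and hints are test data only.

```python
# Constructed model of the High Sierra APFS hint defect and of the fix Apple
# describes ("clearing hint storage if the hint was the password"). Not Apple's
# code: field names, the display step and the hardened variant are assumptions.
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class EncryptedVolume:
    """Metadata record for one encrypted volume (model only).

    `password` stands in for the reversible form of the passphrase that the
    thread says Disk Utility keeps; a hardened design would hold a wrapped key
    and a verifier here, never the passphrase itself.
    """
    password: str
    hint: Optional[str] = None


def create_volume_buggy(password: str, hint: str) -> EncryptedVolume:
    # Defect as reported: supplying a hint causes the *password*, not the
    # hint, to be written into the hint field.
    return EncryptedVolume(password=password, hint=password if hint else None)


def hint_equals_password(vol: EncryptedVolume) -> bool:
    # Constant-time comparison so the repair check itself does not leak
    # how much of the password the stored hint shares.
    if vol.hint is None:
        return False
    return hmac.compare_digest(vol.hint.encode(), vol.password.encode())


def display_hint_patched(vol: EncryptedVolume) -> Optional[str]:
    # The described fix: wipe the hint if it equals the current password,
    # then show whatever is left. Repairs buggy-build volumes only while the
    # password in the hint field is still the current one.
    if hint_equals_password(vol):
        vol.hint = None
    return vol.hint


def change_password(vol: EncryptedVolume, new_password: str) -> None:
    # Password change that leaves the hint untouched (the behaviour sj87
    # worries about).
    vol.password = new_password


def create_volume_hardened(password: str, hint: str) -> EncryptedVolume:
    # Store what the user typed and refuse a hint that is the password itself.
    if hint and hmac.compare_digest(hint.encode(), password.encode()):
        raise ValueError("hint must not equal the password")
    return EncryptedVolume(password=password, hint=hint or None)


def change_password_hardened(vol: EncryptedVolume, new_password: str) -> None:
    # A hint written against the old password may describe, or be, that
    # password, so it is dropped together with it.
    vol.password = new_password
    vol.hint = None


def scenario_patch_repairs_buggy_volume() -> Tuple[Optional[str], Optional[str]]:
    vol = create_volume_buggy("hunter2", "my usual one")   # constructed data
    leaked_before = vol.hint                               # "hunter2"
    shown_after = display_hint_patched(vol)                # None: repaired
    return leaked_before, shown_after


def scenario_password_changed_before_patch() -> Optional[str]:
    vol = create_volume_buggy("hunter2", "my usual one")
    change_password(vol, "correct-horse")   # user rotates before updating
    return display_hint_patched(vol)       # old password is still displayed


def hardened_rejects_password_as_hint() -> bool:
    try:
        create_volume_hardened("hunter2", "hunter2")
    except ValueError:
        return True
    return False


def scenario_hardened_password_change() -> Optional[str]:
    vol = create_volume_hardened("hunter2", "my usual one")
    change_password_hardened(vol, "correct-horse")
    return vol.hint                        # None: nothing left to leak


if __name__ == "__main__":
    print(scenario_patch_repairs_buggy_volume())
    print(scenario_password_changed_before_patch())
    print(hardened_rejects_password_as_hint())
    print(scenario_hardened_password_change())
```

The second scenario is the one that matters for users who rotated a password between installing the buggy build and the supplemental update: the equality check has nothing to match against, so the hint field keeps the retired password. Whether the real update also touches the password-change path is not something the thread or the release note establishes; the hardened variant only shows what closing that gap would look like.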