Apple Says It Fixed High Sierra’s Password Leaking Problem

Photo: Getty
Photo: Getty

Time to install those updates! Last week, we warned you that a bug in High Sierra made it possible for an attacker to extract passwords from Apple’s Keychain in plaintext. The bug was discovered and reported by Synack head researcher Patrick Wardle in early September, and now Apple has issued a patch for the issue.


“A method existed for applications to bypass the keychain access prompt with a synthetic click. This was addressed by requiring the user password when prompting for keychain access,” Apple says in the release notes for the update.

High Sierra 10.13 also comes with another important security update that you’ll want to grab as soon as possible. Security researcher Matheus Mariano discovered that, if he used a password hint to remind him of his encryption password for an Apple File Systems volume, the password itself would be displayed instead of the hint.

Installing the update will fix this, but Apple has a whole list of steps you should follow as well, including changing passwords for encrypted APFS volumes.

Kate Conger is a senior reporter at Gizmodo.



As with so many other “major security bugs” with macOS, you have to be duped into authenticating a rogue process with your admin password for you to even be at risk from this.

That said... always eat your security updates, kids.