Apple issued an update for its High Sierra desktop operating system on Thursday.
Called the "macOS High Sierra 10.13 Supplemental Update," the new update fixes two dangerous bugs in High Sierra, both of which exposed user passwords in some way.
Naked Security has a great technical explanation of the first bug Apple fixed with the High Sierra update. In the simplest of terms, with the bug, if you created a new APFS (Apple File System) encrypted volume on High Sierra, and set anything at all as the password hint, then your password was stored as the hint. In plain text.
That means anyone could've gotten your password simply by clicking on the "Show Hint" button.
Interestingly, if you didn't choose anything as your password hint, you were safe.
The bug did require an attacker to have physical access to your encrypted volume, such as a drive in your MacBook or a USB stick. But this is not one of those bugs that requires a highly technical exploit: Apple literally handed out your encrypted disk's password to everyone, with one click of a mouse.
The bug was discovered by security expert Matheus Mariano on Sept. 27, and the collective response it got from experts was one of disbelief.
If you have an encrypted APFS volume, check whether your password hint displays your password. If it does, we've got more bad news: Fixing this isn't all that simple.
Per Apple's official explanation, you need to install the 10.13 High Sierra update from the App Store, back up the data from the affected volume, unmount and erase the affected volume, reformat it as a new APFS volume, encrypt it, choose a new password (hint optional), and then restore your data to the volume. Ouch.
Additionally, if you used that same password (the one you used for an affected encrypted APFS volume), you should change that as well.
Thursday's High Sierra update also fixes another nasty High Sierra bug, which we wrote about in September. That particular issue allowed a malicious attacker to extract all your keychain passwords with an unsigned app.
While we're glad these bugs are now squashed, we certainly hope we won't see any such glaring omissions in Apple's software in the future.