Brazilian software developer Matheus Mariano found a Disk Utility “feature” in macOS High Sierra.
Mariano added a new encrypted APFS volume to a container, set a password and hint, and unmounted and remounted the container in order to force a password prompt for demonstration purposes. Then, he clicked the "Show Hint" button, which revealed the full password in plain text rather than the hint.
German software developer Felix Schwarz also shared a video of the issue on Twitter today.
The problem affects Macs with SSD storage, because those are the machines on which Apple File System (APFS) is supported, but APFS will eventually support machines with Fusion Drives as well.
Ironically, users who haven't specified a password hint are probably unaffected.
The Tame Apple Press points out that the problem is within the Disk Utility itself and the holy Apple symbol itself is untainted.
Mariano reported the vulnerability to Apple, and apparently it was serious enough for Jobs’ Mob to release a macOS High Sierra 10.13 Supplemental Update.
The bug has also been fixed in the base version of macOS High Sierra for those who have yet to install the full software update.