Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
Desktops (Apple) Security Apple

High Sierra Root Login Bug Was Mentioned on Apple's Support Forums Two Weeks Ago (daringfireball.net) 85

John Gruber, reporting for DaringFireball: It's natural to speculate how a bug as egregious as the now-fixed High Sierra root login bug could escape notice for so long. It seems to have been there ever since High Sierra 10.3.0 shipped on September 25, and may have existed in the betas through the summer. One explanation is that logging in with the username "root" and a blank password is so bizarre that it's the sort of thing no one would think to try. More insidious though, is the notion that it might not have escaped notice prior to its widespread publicization yesterday -- but that the people who had heretofore discovered it kept it to themselves. This exploit was in fact posted to Apple's own support forums on November 13. It's a bizarre thread. The thread started back on June 8 when a user ran into a problem after installing the WWDC developer beta of High Sierra.
This discussion has been archived. No new comments can be posted.

High Sierra Root Login Bug Was Mentioned on Apple's Support Forums Two Weeks Ago

Comments Filter:
  • Proof that... (Score:5, Insightful)

    by houstonbofh ( 602064 ) on Thursday November 30, 2017 @01:48PM (#55652007)
    Proof that no one at apple reads their own forums.
    • by eepok ( 545733 )
      Proof that there are too many forum posts to be read by sufficiently knowledgeable staff.
    • As part of yesterdays article on Slashdot, when they stated they needed to review how they managed these issues, I had expected that this was probably a known issue, that just somehow failed to get into the right hands. [citation] [slashdot.org]

      I think it is mainly a failure in management, then with Apple not caring or ignoring a problem. Just poor escalation management, which can be fixed.

    • by myid ( 3783581 )

      Proof that no one at apple reads their own forums.

      Apple should read them. Lots of bugs and workarounds are discussed there. Apple should hire people to read the forums, figure out the steps to duplicate the problems mentioned in the forums, and submit bug reports that include those steps.

      I've found that the best way to get a bug resolved was to call their help desk, and tell that person about it.

    • And when they occasionally do, and even more seldomly reply to a customer question, they do that with all the arrogance Microsoft was showing 10 years ago. Apple, you're not on the right track...
  • You can bet that's going in as an automated test ASAP, but this is a perfect example of how increased velocity leads to previously unthinkable bugs going unnoticed, or dropped in the rush to ship code. No one wants to go back to full-on waterfall where the software you crank out 3 years later doesn't do what's needed now, but IMO the dev pendulum has gone too far the other way.

    Especially in something as big and important as an operating system, some group with enough big-picture thinking and enough intellig

    • +1 insightful. I never understood the pressing need to "ship" software regularly. Customers aren't going to try out new software every couple of months. Customers would rather just have software that works and keep it around.
  • by Anonymous Coward

    If you want to see an even stranger and worrying discussion around a similar enough problem affecting Linux, look at this bug report involving systemd [github.com] and concerning unusual Linux usernames.

    Almost right away Lennart himself declared it "not-a-bug" and closed the issue, claiming it involved "not a valid username" and claiming "I don't think there's anything to fix in systemd here."

    Thankfully, others looked into this matter in more detail. They pointed out that the unusual username involved should very well b

    • Employees that are paid better are harder to bribe. That's not a new thing.

    • by AJWM ( 19027 )

      Fortunately, there are still Linux distros available that don't use systemd. I'll take sysv init any day.

    • You lose credibility when you fail to mention the bug submission includes this bit, "I searched google and found that it was not right to named a linux user with 0day". It's not valid. Because some other apps don't adhere to standards, they're doing it wrong. Use proper context if you want to have a conversation, not whine like a bitch.
      • by gweihir ( 88907 )

        Well, the fact remains that the systemd idiots do not understand "Defense in Depth". That makes them unsuitable to develop anything with security impact. Their reaction also clearly shows that they are unwilling to learn and consider them to understand everything quite well. A sure recipe for disaster.

      • by rl117 ( 110595 )
        A username with a leading digit is absolutely valid. It's documented as being valid in POSIX, with explicit details about how names vs UID/GIDs are disambiguated when used as command-line arguments. It goes without saying that systemd got it completely backwards, ignoring existing standards and conventions, which is the root cause of this bug.
  • Apple is paying more attention to Slashdot press than their own support forums?

    • What company cares about their free support forums? Hell even most github project owners won't spend any time on answering question.

      • Because it's supposed to decrease the volume on their paid support. Enabling users to fix their own problems would save a shit ton of money and aggravation. I learned of this Apple support years ago when they fucked up millions of Apple accounts after some failed mail/account merge or migration. It cost $29 to call Apple to solve the issue. Thousands of pissed off people in forums, zero fucks given by Apple. It was Apple's fuck up.
  • Although the face loss for Apple on this is enormous (but probably without long term consequence), an amusing aspect of this whole story is that from a technical standpoint the Apple bug was probably a net gain for the users of OSX...

    How so? Well, in the provided link you see several stories of people using this login bug to restore accounts, that would have been harder to restore otherwise.

    Meanwhile are there any stories of macs actually compromised by this bug? I haven't seen any.

    So technically this inc

    • Meanwhile are there any stories of macs actually compromised by this bug? I haven't seen any.

      You can bet that any Macs seized by the likes of the FBI won't have had the security patch applied....

      • by ph0rk ( 118461 )
        If they have physical access to the machine and the data isn't encrypted, it doesn't matter whether or not the patch was applied.
      • High Sierra hasn't been out that long and for some reason I have trouble imaging criminal elements keeping super up to date on system updates.

        So how many HS macs has the FBI realistically seized over the past month? I'd still say way less than the number of systems with lost passwords that have been restored.

      • A conspiracy theorist would suggest that this might have been Apple's plan all along, push out a patch that allowed the government to root anything they currently had in their possession.
  • that logging in with the username "root" and a blank password is so bizarre that it's the sort of thing no one would think to try.

    If you are ever testing (or writing) a login thing, make sure you test the case with no password. Not only is it so obvious that many laypeople think of it, but also this bug keeps happening, most recently on Intel chips. Not only that, it apparently works on any disabled user account, not just root [objective-see.com]

    • by Obfuscant ( 592200 ) on Thursday November 30, 2017 @03:06PM (#55652757)

      If you are ever testing (or writing) a login thing, make sure you test the case with no password.

      The claim that nobody thinks to try root with no password is just bullshit. I get daily logs of failed SSH logins on several net-facing devices I have and they always have root/(none) listed multiple times.

      • Daily? I used to get them minutely. Actually I got default admin credentials tested on all my internet facing services. Even when using fail2ban to implement temporary blocking measures (e.g. 5 min after 3 failed attempts) that didn't dissuade anyone.

        Heck I got constant connection attempts even when set to certificate only. I had to change the damn port, to get them to slow down.

    • by Slayer ( 6656 )

      We have reached a state, where several large swathes of the software market are controlled by few large, quasi-monopolistic entities - world wide. Neither Intel, nor Apple will lose significant revenue over these root holes, embarrassing as they may be, so why would they care one bit?

      It took years of ridicule and severe loss of market share, before Microsoft made their first serious attempts of fixing their most blatant security barn doors. Apple and Intel are nowhere near that - yet.

    • by antdude ( 79039 )

      And have QA testers! They're useful!

  • in all those recent stories? That anyone could just type root, leave password blank, and get an unlimited access to all the data he/she wanted without any hacking?
    • Hackers doing what? Pretty much all random hackers are script kiddies attacking common services. If you have an internet facing machine chances are they are going to try SMB authentication, check if you have wordpress running, and check if you have SSH running. If they are going to try remote access they'll use Windows RDP.

      Why target a MacOS system specifically? The only thing you'll achieve is rule out 94% of desktop targets and 100% of server targets.

  • I.e. any "it was overlooked" theory must also include incompetence. "root" is one of a handful of well-known accounts, and of course you try to get into it without giving credentials.

  • "Access to this place or content is restricted. If you think this is a mistake, please contact your administrator or the person who directed you here."

    Did anyone think to archive the thread, or is it just gone forever now?

  • Not finding a bug like that would have gotten a tester put on a PIP at Microsoft in 2000.

    In my former SDET opinion, It shows that Apple doesnâ(TM)t do enough professional testing.

  • If you mean a rambling off-topic rant now removed, sure. Took a few days, but it thankfully no longer litters devForums.

Chemistry is applied theology. -- Augustus Stanley Owsley III

Working...