High Sierra Root Login Bug Was Mentioned on Apple's Support Forums Two Weeks Ago

John Gruber, reporting for DaringFireball: It's natural to speculate how a bug as egregious as the now-fixed High Sierra root login bug could escape notice for so long. It seems to have been there ever since High Sierra 10.3.0 shipped on September 25, and may have existed in the betas through the summer. One explanation is that logging in with the username "root" and a blank password is so bizarre that it's the sort of thing no one would think to try. More insidious though, is the notion that it might not have escaped notice prior to its widespread publicization yesterday -- but that the people who had heretofore discovered it kept it to themselves. This exploit was in fact posted to Apple's own support forums on November 13. It's a bizarre thread. The thread started back on June 8 when a user ran into a problem after installing the WWDC developer beta of High Sierra.

Re:Password could be anything....

[sabri]

And here is the link to the actual support forum: https://forums.developer.apple... [apple.com]

I don't get why /. needs to link to someone's personal blog for this.

Re:

[Anonymous Coward]

I don't get why /. needs to link to someone's personal blog for this.

To feed one's click count. And the lack of real, functioning editors makes it too easy.

Just blackhole daringfireball.net as a frequent offender and move on.

Re:Password could be anything....

[Lost Race]

Well that link requires a login -

No problem, just enter "root" for the user name, leave the password field blank, and hit Enter twice.

Re:

[shanen]

Unauthorized or just plain censored? Or it might be specific censorship targeting me for my unacceptably negative attitude.

Anyway, the link requires me to log in with my Apple ID account (created several years ago when I bought that MacBook Pro), but then just says the "place or content is restricted". Based on my personal experiences with Apple, I think they are censoring it, though it appears that the preemptive censorship didn't work properly this time. In my prior experiences, they usually block me from

Re:

[sabri]

the link requires me to log in

Yesterday that was not necessary yet. So my guess is that Apple's Supreme Leader was embarrassed and order the thread locked down.

Re:

[hcs_$reboot]

Web archive [slashdot.org] to the rescue (at the end)

Re:

[hcs_$reboot]

Not sure what happened, maybe my iphone prevents me to reveal the truth... here the link: https://web.archive.org/web/20... [archive.org]

Re:

[hcs_$reboot]

https://web.archive.org/web/20... [archive.org]

Re:

[djupedal]

I know first hand who helped flag that thread for removal and good on them, devForums has enough off-topic rant chatter as it is.

Re:

[bobbied]

Wow, now that's one heck of a security feature. I'll bet somebody did this on purpose...

Did somebody's head roll over there at Apple? This should have been an obvious "feature" in the code change that should have been caught by development in a peer review of the code, should have been caught by the test team as an untested new feature, or should have been caught by the build team as an unverified change.

A bunch of folks should be reprimanded for this slipping though.. Do your jobs people!

What? You don

Re:

[ArchieBunker]

You are sitting at the computer with physical access, what is the big deal? Does it matter if you have a root password or not?

Re:

[Narcocide]

Well, a little. It lowers the attack requirements from 10 minutes with extra equipment to 10 seconds and your bare hands.

Re:Password could be anything....

[AJWM]

No. If you have physical access to a Mac, it is trivial to reboot it into single user (ie root) mode. No extra equipment required, and only as long as the boot time. Unlike other *nix systems, MacOS doesn't require that you login with the root password in single user mode. (Or didn't last time I tried.)

What this bug does is give the casual passerby root access without having to reboot, therefore making it less obvious that it was tampered with.

Re:

[BronsCon]

But it does require you to enter the password of a user authorized to unlock the disk. You did enable FileVault, right?

Re:

[Gr8Apes]

As ac above said, if you're serious about security, you have FileVault enabled. With FV enabled you get no access to the file system until you properly authenticate yourself. If you've gone that far, you probably have set the root password also.

Re:

[Chris Mattern]

Can you encrypt the hard disk with a Mac? Physical access to my Ubuntu laptop isn't gonna get you anything if you don't have the passphrase for decrypting my hard disk.

Re:

[elistan]

Can you encrypt the hard disk with a Mac? Physical access to my Ubuntu laptop isn't gonna get you anything if you don't have the passphrase for decrypting my hard disk.

Yes. Apple has what they call FileVault [apple.com] that does whole-disk encryption (minus a boot volume, I think.)

If FileVault is used, Single User Mode as mentioned above requires login credentials.

Re:

[Chris Mattern]

Nope, you're right, that works. But things are getting pretty complicated at that point--the attack has to have access to my laptop, wait for me to use it again without my realizing it's been tampered with and then access things a second time to collect. It's not perfect security, but things are getting a little tenuous there.

Re:

[AHuxley]

The drive and the Time Machine backup disk can be encrypted.
When selected the existing backups are erased and a new encrypted backup is ready.
"macOS Sierra: Keep your Time Machine backup disk secure"
https://support.apple.com/kb/P... [apple.com]

Re:

[gweihir]

Just means that this was either not tested at all or tested incompetently. Any halfway competent pen-tester would have found this.

Proof that...

[houstonbofh]

Proof that no one at apple reads their own forums.

Re:

[eepok]

Proof that there are too many forum posts to be read by sufficiently knowledgeable staff.

Re:

[jellomizer]

As part of yesterdays article on Slashdot, when they stated they needed to review how they managed these issues, I had expected that this was probably a known issue, that just somehow failed to get into the right hands. [citation] [slashdot.org]

I think it is mainly a failure in management, then with Apple not caring or ignoring a problem. Just poor escalation management, which can be fixed.

Re:

[myid]

Proof that no one at apple reads their own forums.

Apple should read them. Lots of bugs and workarounds are discussed there. Apple should hire people to read the forums, figure out the steps to duplicate the problems mentioned in the forums, and submit bug reports that include those steps.

I've found that the best way to get a bug resolved was to call their help desk, and tell that person about it.

Re:

[hcs_$reboot]

And when they occasionally do, and even more seldomly reply to a customer question, they do that with all the arrogance Microsoft was showing 10 years ago. Apple, you're not on the right track...

Fire all the testers! Let's be Agile and do DevOps

[ErichTheRed]

You can bet that's going in as an automated test ASAP, but this is a perfect example of how increased velocity leads to previously unthinkable bugs going unnoticed, or dropped in the rush to ship code. No one wants to go back to full-on waterfall where the software you crank out 3 years later doesn't do what's needed now, but IMO the dev pendulum has gone too far the other way.

Especially in something as big and important as an operating system, some group with enough big-picture thinking and enough intellig

Re:

[110010001000]

+1 insightful. I never understood the pressing need to "ship" software regularly. Customers aren't going to try out new software every couple of months. Customers would rather just have software that works and keep it around.

An even stranger discussion involving systemd.....

[Anonymous Coward]

If you want to see an even stranger and worrying discussion around a similar enough problem affecting Linux, look at this bug report involving systemd [github.com] and concerning unusual Linux usernames.

Almost right away Lennart himself declared it "not-a-bug" and closed the issue, claiming it involved "not a valid username" and claiming "I don't think there's anything to fix in systemd here."

Thankfully, others looked into this matter in more detail. They pointed out that the unusual username involved should very well b

Re:

[Narcocide]

Employees that are paid better are harder to bribe. That's not a new thing.

Re:

[AJWM]

Fortunately, there are still Linux distros available that don't use systemd. I'll take sysv init any day.

Re: An even stranger discussion involving systemd.

[Brockmire]

You lose credibility when you fail to mention the bug submission includes this bit, "I searched google and found that it was not right to named a linux user with 0day". It's not valid. Because some other apps don't adhere to standards, they're doing it wrong. Use proper context if you want to have a conversation, not whine like a bitch.

Re: READ THE BUG REPORT DISCUSSION!

[Brockmire]

"Standard" here refers to the portability between distros that don't have UID conflicts. The fucking add user tools don't even all work the same. When he's talking about making a unified standard, it's so they can deal with UID conflicts in the same standard way instead of dealing with a dozen corner case from different distros. Your distro that allows 0day can make the patch to support it if they want to deviate from systemd design. The issue is more nuanced than you make it out to be.

Re:

[gweihir]

Well, the fact remains that the systemd idiots do not understand "Defense in Depth". That makes them unsuitable to develop anything with security impact. Their reaction also clearly shows that they are unwilling to learn and consider them to understand everything quite well. A sure recipe for disaster.

Re:

[rl117]

A username with a leading digit is absolutely valid. It's documented as being valid in POSIX, with explicit details about how names vs UID/GIDs are disambiguated when used as command-line arguments. It goes without saying that systemd got it completely backwards, ignoring existing standards and conventions, which is the root cause of this bug.

Re:

[dgatwood]

Apple had a QA team? I thought they just did dogfooding, plus hiring a handful of "QA engineers" straight out of college so that their team can evaluate them before letting them work on the actual codebase.

Horrifying thought.

[Narcocide]

Apple is paying more attention to Slashdot press than their own support forums?

Re:

[Narcocide]

It's amazing how the empirical evidence on hand belies the essence of your statement as much as your little tantrum exposes the part about it that you can't admit to yourself.

Re: Horrifying thought.

[Brockmire]

What the fuck are you talking about? Seeing a story on /. before another site happens next to never. Did you just prove op's point more than he did? Seriously, it can be days to a week before shit shows up on /. after it appears elsewhere. Editors are shit, here.

Re:

[Narcocide]

Yea, but the point you all missed is it was only a day after it made the front page of Slashdot that Apple took action. Coincidence? Maybe. But the conspicuous correlation brings up a horrifying thought... and all your angry reactions exhibit a even more disturbing psychological cue that does an even better job at providing supporting evidence that you all subconsciously fear I'm right.

Re:

[dgatwood]

Not a coincidence. I'd be willing to bet 90% of Apple's engineers read Slashdot. I'd be willing to bet .90% of Apple's engineers read their support forums.

Re:

[Galactic Dominator]

What company cares about their free support forums? Hell even most github project owners won't spend any time on answering question.

Re: Horrifying thought.

[Brockmire]

Because it's supposed to decrease the volume on their paid support. Enabling users to fix their own problems would save a shit ton of money and aggravation. I learned of this Apple support years ago when they fucked up millions of Apple accounts after some failed mail/account merge or migration. It cost $29 to call Apple to solve the issue. Thousands of pissed off people in forums, zero fucks given by Apple. It was Apple's fuck up.

The funny thing is this was technically net +

[SuperKendall]

Although the face loss for Apple on this is enormous (but probably without long term consequence), an amusing aspect of this whole story is that from a technical standpoint the Apple bug was probably a net gain for the users of OSX...

How so? Well, in the provided link you see several stories of people using this login bug to restore accounts, that would have been harder to restore otherwise.

Meanwhile are there any stories of macs actually compromised by this bug? I haven't seen any.

So technically this inc

Re:

[timmyf2371]

Meanwhile are there any stories of macs actually compromised by this bug? I haven't seen any.

You can bet that any Macs seized by the likes of the FBI won't have had the security patch applied....

Re:

[ph0rk]

If they have physical access to the machine and the data isn't encrypted, it doesn't matter whether or not the patch was applied.

Re:

[SuperKendall]

High Sierra hasn't been out that long and for some reason I have trouble imaging criminal elements keeping super up to date on system updates.

So how many HS macs has the FBI realistically seized over the past month? I'd still say way less than the number of systems with lost passwords that have been restored.

Re:

[Headw1nd]

A conspiracy theorist would suggest that this might have been Apple's plan all along, push out a patch that allowed the government to root anything they currently had in their possession.

It's the most obvious thing

[phantomfive]

that logging in with the username "root" and a blank password is so bizarre that it's the sort of thing no one would think to try.

If you are ever testing (or writing) a login thing, make sure you test the case with no password. Not only is it so obvious that many laypeople think of it, but also this bug keeps happening, most recently on Intel chips. Not only that, it apparently works on any disabled user account, not just root [objective-see.com]

Re:It's the most obvious thing

[Obfuscant]

If you are ever testing (or writing) a login thing, make sure you test the case with no password.

The claim that nobody thinks to try root with no password is just bullshit. I get daily logs of failed SSH logins on several net-facing devices I have and they always have root/(none) listed multiple times.

Re:

[thegarbz]

Daily? I used to get them minutely. Actually I got default admin credentials tested on all my internet facing services. Even when using fail2ban to implement temporary blocking measures (e.g. 5 min after 3 failed attempts) that didn't dissuade anyone.

Heck I got constant connection attempts even when set to certificate only. I had to change the damn port, to get them to slow down.

Re: It's the most obvious thing

[Brockmire]

1440 one minute logs instead of a daily log? You're doing it wrong.

Re:

[thegarbz]

log is a verb. I get minutely logs and they get noted in a daily log file. I'm doing just fine, but thanks for caring.

Re:

[Slayer]

We have reached a state, where several large swathes of the software market are controlled by few large, quasi-monopolistic entities - world wide. Neither Intel, nor Apple will lose significant revenue over these root holes, embarrassing as they may be, so why would they care one bit?

It took years of ridicule and severe loss of market share, before Microsoft made their first serious attempts of fixing their most blatant security barn doors. Apple and Intel are nowhere near that - yet.

Re:

[antdude]

And have QA testers! They're useful!

Does it mean that probably there were no hackers

[Max_W]

in all those recent stories? That anyone could just type root, leave password blank, and get an unlimited access to all the data he/she wanted without any hacking?

Re:

[thegarbz]

Hackers doing what? Pretty much all random hackers are script kiddies attacking common services. If you have an internet facing machine chances are they are going to try SMB authentication, check if you have wordpress running, and check if you have SSH running. If they are going to try remote access they'll use Windows RDP.

Why target a MacOS system specifically? The only thing you'll achieve is rule out 94% of desktop targets and 100% of server targets.

One of the first things a security tester checks

[gweihir]

I.e. any "it was overlooked" theory must also include incompetence. "root" is one of a handful of well-known accounts, and of course you try to get into it without giving credentials.

Aaaaand it's gone.

[Kyudosha]

"Access to this place or content is restricted. If you think this is a mistake, please contact your administrator or the person who directed you here."

Did anyone think to archive the thread, or is it just gone forever now?

Re:

[djupedal]

It was nothing more than an off-topic thread, so glad to see the clean up.

Apple doesnâ(TM)t care about Mac users.

[tranman]

Not finding a bug like that would have gotten a tester put on a PIP at Microsoft in 2000.

In my former SDET opinion, It shows that Apple doesnâ(TM)t do enough professional testing.

Bizarre Thread

[djupedal]

If you mean a rambling off-topic rant now removed, sure. Took a few days, but it thankfully no longer litters devForums.