High Sierra Root Login Bug Was Mentioned on Apple's Support Forums Two Weeks Ago (daringfireball.net)
John Gruber, reporting for DaringFireball: It's natural to speculate how a bug as egregious as the now-fixed High Sierra root login bug could escape notice for so long. It seems to have been there ever since High Sierra 10.3.0 shipped on September 25, and may have existed in the betas through the summer. One explanation is that logging in with the username "root" and a blank password is so bizarre that it's the sort of thing no one would think to try. More insidious though, is the notion that it might not have escaped notice prior to its widespread publicization yesterday -- but that the people who had heretofore discovered it kept it to themselves. This exploit was in fact posted to Apple's own support forums on November 13. It's a bizarre thread. The thread started back on June 8 when a user ran into a problem after installing the WWDC developer beta of High Sierra.
Re:Password could be anything.... (Score:5, Informative)
I don't get why
Re: (Score:1)
I don't get why /. needs to link to someone's personal blog for this.
To feed one's click count. And the lack of real, functioning editors makes it too easy.
Just blackhole daringfireball.net as a frequent offender and move on.
Re:Password could be anything.... (Score:5, Funny)
Well that link requires a login -
No problem, just enter "root" for the user name, leave the password field blank, and hit Enter twice.
Re: (Score:2)
Unauthorized or just plain censored? Or it might be specific censorship targeting me for my unacceptably negative attitude.
Anyway, the link requires me to log in with my Apple ID account (created several years ago when I bought that MacBook Pro), but then just says the "place or content is restricted". Based on my personal experiences with Apple, I think they are censoring it, though it appears that the preemptive censorship didn't work properly this time. In my prior experiences, they usually block me from
Re: (Score:2)
the link requires me to log in
Yesterday that was not necessary yet. So my guess is that Apple's Supreme Leader was embarrassed and ordered the thread locked down.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
Wow, now that's one heck of a security feature. I'll bet somebody did this on purpose...
Did somebody's head roll over there at Apple? This should have been an obvious "feature" in the code change that should have been caught by development in a peer review of the code, should have been caught by the test team as an untested new feature, or should have been caught by the build team as an unverified change.
A bunch of folks should be reprimanded for this slipping through. Do your jobs, people!
What? You don
Re: (Score:1)
You are sitting at the computer with physical access, what is the big deal? Does it matter if you have a root password or not?
Re: (Score:1)
Well, a little. It lowers the attack requirements from 10 minutes with extra equipment to 10 seconds and your bare hands.
Re:Password could be anything.... (Score:5, Interesting)
No. If you have physical access to a Mac, it is trivial to reboot it into single user (i.e. root) mode. No extra equipment required, and only as long as the boot time. Unlike other *nix systems, MacOS doesn't require that you log in with the root password in single user mode. (Or didn't last time I tried.)
What this bug does is give the casual passerby root access without having to reboot, therefore making it less obvious that it was tampered with.
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
Can you encrypt the hard disk with a Mac? Physical access to my Ubuntu laptop isn't gonna get you anything if you don't have the passphrase for decrypting my hard disk.
Re: (Score:3)
Can you encrypt the hard disk with a Mac? Physical access to my Ubuntu laptop isn't gonna get you anything if you don't have the passphrase for decrypting my hard disk.
Yes. Apple has what they call FileVault [apple.com] that does whole-disk encryption (minus a boot volume, I think.)
If FileVault is used, Single User Mode as mentioned above requires login credentials.
Re: (Score:2)
Nope, you're right, that works. But things are getting pretty complicated at that point: the attacker has to have access to my laptop, wait for me to use it again without my realizing it's been tampered with, and then access things a second time to collect. It's not perfect security, but things are getting a little tenuous there.
Re: (Score:2)
When selected, the existing backups are erased and a new encrypted backup is ready.
"macOS Sierra: Keep your Time Machine backup disk secure"
https://support.apple.com/kb/P... [apple.com]
Re: (Score:2)
Just means that this was either not tested at all or tested incompetently. Any halfway competent pen-tester would have found this.
Proof that... (Score:5, Insightful)
Re: (Score:2)
Re: (Score:3)
As part of yesterday's article on Slashdot, when they stated they needed to review how they managed these issues, I had expected that this was probably a known issue that just somehow failed to get into the right hands. [citation] [slashdot.org]
I think it is mainly a failure in management, rather than Apple not caring or ignoring a problem. Just poor escalation management, which can be fixed.
Re: (Score:2)
Proof that no one at apple reads their own forums.
Apple should read them. Lots of bugs and workarounds are discussed there. Apple should hire people to read the forums, figure out the steps to duplicate the problems mentioned in the forums, and submit bug reports that include those steps.
I've found that the best way to get a bug resolved was to call their help desk, and tell that person about it.
Re: (Score:2)
Fire all the testers! Let's be Agile and do DevOps (Score:2)
You can bet that's going in as an automated test ASAP, but this is a perfect example of how increased velocity leads to previously unthinkable bugs going unnoticed, or dropped in the rush to ship code. No one wants to go back to full-on waterfall where the software you crank out 3 years later doesn't do what's needed now, but IMO the dev pendulum has gone too far the other way.
Especially in something as big and important as an operating system, some group with enough big-picture thinking and enough intellig
Re: (Score:2)
An even stranger discussion involving systemd..... (Score:2, Interesting)
If you want to see an even stranger and worrying discussion around a similar enough problem affecting Linux, look at this bug report involving systemd [github.com] and concerning unusual Linux usernames.
Almost right away Lennart himself declared it "not-a-bug" and closed the issue, claiming it involved "not a valid username" and claiming "I don't think there's anything to fix in systemd here."
Thankfully, others looked into this matter in more detail. They pointed out that the unusual username involved should very well b
Re: (Score:1)
Employees that are paid better are harder to bribe. That's not a new thing.
Re: (Score:2)
Fortunately, there are still Linux distros available that don't use systemd. I'll take sysv init any day.
Re: An even stranger discussion involving systemd. (Score:2)
Re: READ THE BUG REPORT DISCUSSION! (Score:2)
Re: (Score:2)
Well, the fact remains that the systemd idiots do not understand "Defense in Depth". That makes them unsuitable to develop anything with security impact. Their reaction also clearly shows that they are unwilling to learn and consider themselves to understand everything quite well. A sure recipe for disaster.
Re: (Score:2)
Re: (Score:2)
Apple had a QA team? I thought they just did dogfooding, plus hiring a handful of "QA engineers" straight out of college so that their team can evaluate them before letting them work on the actual codebase.
Horrifying thought. (Score:1)
Apple is paying more attention to Slashdot press than their own support forums?
Re: (Score:1)
It's amazing how the empirical evidence on hand belies the essence of your statement as much as your little tantrum exposes the part about it that you can't admit to yourself.
Re: Horrifying thought. (Score:2)
Re: (Score:1)
Yea, but the point you all missed is it was only a day after it made the front page of Slashdot that Apple took action. Coincidence? Maybe. But the conspicuous correlation brings up a horrifying thought... and all your angry reactions exhibit an even more disturbing psychological cue that does an even better job at providing supporting evidence that you all subconsciously fear I'm right.
Re: (Score:2)
Not a coincidence. I'd be willing to bet 90% of Apple's engineers read Slashdot. I'd be willing to bet .90% of Apple's engineers read their support forums.
Re: (Score:2)
What company cares about their free support forums? Hell, even most GitHub project owners won't spend any time on answering questions.
Re: Horrifying thought. (Score:2)
The funny thing is this was technically net + (Score:2)
Although the face loss for Apple on this is enormous (but probably without long term consequence), an amusing aspect of this whole story is that from a technical standpoint the Apple bug was probably a net gain for the users of OSX...
How so? Well, in the provided link you see several stories of people using this login bug to restore accounts, that would have been harder to restore otherwise.
Meanwhile are there any stories of macs actually compromised by this bug? I haven't seen any.
So technically this inc
Re: (Score:2)
Meanwhile are there any stories of macs actually compromised by this bug? I haven't seen any.
You can bet that any Macs seized by the likes of the FBI won't have had the security patch applied....
Re: (Score:2)
Re: (Score:1)
High Sierra hasn't been out that long, and for some reason I have trouble imagining criminal elements keeping super up to date on system updates.
So how many HS macs has the FBI realistically seized over the past month? I'd still say way less than the number of systems with lost passwords that have been restored.
Re: (Score:2)
It's the most obvious thing (Score:2)
that logging in with the username "root" and a blank password is so bizarre that it's the sort of thing no one would think to try.
If you are ever testing (or writing) a login thing, make sure you test the case with no password. Not only is it so obvious that many laypeople think of it, but also this bug keeps happening, most recently on Intel chips. Not only that, it apparently works on any disabled user account, not just root [objective-see.com]
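The comment above says a login routine must be tested with no password, and that the bug also affected disabled accounts. Below is an added example (not code from the thread, from Apple, or from any of the posters) of what such negative tests look like for a small password-store login function: the store layout, the account names and the `authenticate`/`negative_login_tests` helpers are all constructed for this illustration. Note the ordering in `authenticate`: empty input and disabled or passwordless accounts are rejected before any hash is consulted, and a login attempt never creates or modifies a credential, so a second attempt (the "hit Enter twice" case mentioned earlier in the thread) behaves exactly like the first.

```python
import hashlib
import hmac
import os


def _pbkdf2(password: str, salt: bytes) -> bytes:
    # Password hashing for the toy store; parameters are illustrative only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str, disabled: bool = False) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _pbkdf2(password, salt), "disabled": disabled}


# Constructed user store (an assumption of this example, not any real OS format).
USERS = {
    "alice": make_user("correct horse battery staple"),
    "root": {"salt": None, "hash": None, "disabled": True},  # exists, no password set
    "guest": make_user("guest-pw", disabled=True),            # has a password, but disabled
}


def authenticate(users: dict, username: str, password: str) -> bool:
    """Return True only for an enabled account with a non-empty, matching password.

    Checks are ordered so that nothing is derived from, or stored for, an
    account before it has been confirmed to be enabled and to hold a credential.
    """
    if not username or not password:           # blank password is never acceptable
        return False
    record = users.get(username)
    if record is None or record["disabled"]:   # unknown or disabled: reject
        return False
    if record["hash"] is None:                 # passwordless account: treat as disabled
        return False
    candidate = _pbkdf2(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def negative_login_tests(users: dict) -> dict:
    """The blank-password and disabled-account cases a login routine must reject.

    Returns {case_name: True} when the case was correctly rejected.
    """
    rejected = {}
    rejected["root_blank"] = not authenticate(users, "root", "")
    # A repeated blank attempt must be rejected too: the first try must not have
    # created a credential as a side effect.
    rejected["root_blank_repeat"] = not (
        authenticate(users, "root", "") or authenticate(users, "root", "")
    )
    rejected["root_any_password"] = not authenticate(users, "root", "anything")
    rejected["alice_blank"] = not authenticate(users, "alice", "")
    rejected["disabled_with_correct_pw"] = not authenticate(users, "guest", "guest-pw")
    rejected["unknown_blank"] = not authenticate(users, "nobody", "")
    rejected["alice_wrong"] = not authenticate(users, "alice", "wrong")
    return rejected


if __name__ == "__main__":
    print("alice ok:", authenticate(USERS, "alice", "correct horse battery staple"))
    for case, ok in negative_login_tests(USERS).items():
        print(f"{case:26s} {'rejected' if ok else 'ACCEPTED (bug)'}")
```

Every entry in `negative_login_tests` should come back `True`; any `False` is exactly the class of defect the comment says a tester should have caught, and these cases cost nothing to keep in a login routine's regression suite.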
Re:It's the most obvious thing (Score:5, Informative)
If you are ever testing (or writing) a login thing, make sure you test the case with no password.
The claim that nobody thinks to try root with no password is just bullshit. I get daily logs of failed SSH logins on several net-facing devices I have and they always have root/(none) listed multiple times.
Re: (Score:2)
Daily? I used to get them minutely. Actually I got default admin credentials tested on all my internet facing services. Even when using fail2ban to implement temporary blocking measures (e.g. 5 min after 3 failed attempts) that didn't dissuade anyone.
Heck I got constant connection attempts even when set to certificate only. I had to change the damn port, to get them to slow down.
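The two comments above describe the same defensive signal from different angles: failed SSH logins against root and other default accounts show up in the auth log constantly, and a fail2ban-style threshold (the poster's example is 3 failures in 5 minutes) only catches the fast ones. The following is an added example, not code from the thread or from fail2ban itself, that parses constructed `sshd` log lines, counts failures per account and source address, flags probes of well-known account names, and applies the poster's threshold. The host name, addresses, process ids and the assumed year are all made up for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log in syslog/sshd format; hosts and addresses are made up.
SAMPLE_LOG = """\
Nov 28 03:14:07 gw sshd[2231]: Failed password for root from 203.0.113.5 port 51234 ssh2
Nov 28 03:14:09 gw sshd[2231]: Failed password for root from 203.0.113.5 port 51234 ssh2
Nov 28 03:14:12 gw sshd[2233]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Nov 28 03:15:01 gw sshd[2240]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2: ED25519 SHA256:placeholder
Nov 28 03:21:30 gw sshd[2250]: Failed password for root from 192.0.2.9 port 33001 ssh2
Nov 28 03:40:02 gw sshd[2261]: Failed password for root from 192.0.2.9 port 33002 ssh2
Nov 28 03:58:15 gw sshd[2270]: Failed password for root from 192.0.2.9 port 33003 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
YEAR = 2017  # syslog lines carry no year; assumed for the sample

# Account names that bulk credential-guessing commonly tries; list is illustrative.
WELL_KNOWN = {"root", "admin", "administrator", "pi", "ubuntu"}


def parse_failures(text: str) -> list:
    """Return (timestamp, user, source_ip) for every failed password line."""
    out = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((ts, m["user"], m["ip"]))
    return out


def failures_per_user_ip(failures: list) -> dict:
    counts = defaultdict(int)
    for _, user, ip in failures:
        counts[(user, ip)] += 1
    return dict(counts)


def well_known_account_probes(failures: list) -> list:
    """Source IPs that tried any well-known account name (the root/(none) pattern)."""
    return sorted({ip for _, user, ip in failures if user in WELL_KNOWN})


def ban_decisions(failures: list, max_retry: int = 3,
                  find_window: timedelta = timedelta(minutes=5)) -> dict:
    """fail2ban-style rule: ban an IP once max_retry failures fall inside find_window.

    Returns {ip: time_at_which_the_ban_would_trigger}.
    """
    by_ip = defaultdict(list)
    for ts, _, ip in sorted(failures):
        by_ip[ip].append(ts)
    banned = {}
    for ip, times in by_ip.items():
        for i, start in enumerate(times):
            window = [t for t in times[i:] if t - start <= find_window]
            if len(window) >= max_retry:
                banned[ip] = window[max_retry - 1]
                break
    return banned


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    print("failures per (user, ip):", failures_per_user_ip(fails))
    print("well-known account probes from:", well_known_account_probes(fails))
    print("banned:", ban_decisions(fails))
```

On the sample, `203.0.113.5` trips the 3-in-5-minutes rule at 03:14:12, while `192.0.2.9` makes the same three root attempts spread over forty minutes and is never banned. That slow pattern is why the poster saw no let-up from temporary blocking: a per-window threshold only raises the cost of fast guessing, and the lasting fixes are the ones also mentioned in the thread, key-only authentication and not exposing password login to root at all.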
Re: It's the most obvious thing (Score:2)
Re: (Score:2)
log is a verb. I get minutely logs and they get noted in a daily log file. I'm doing just fine, but thanks for caring.
Re: (Score:2)
We have reached a state where several large swathes of the software market are controlled by a few large, quasi-monopolistic entities, worldwide. Neither Intel nor Apple will lose significant revenue over these root holes, embarrassing as they may be, so why would they care one bit?
It took years of ridicule and severe loss of market share before Microsoft made their first serious attempts at fixing their most blatant security barn doors. Apple and Intel are nowhere near that - yet.
Re: (Score:2)
And have QA testers! They're useful!
Does it mean that probably there were no hackers (Score:2)
Re: (Score:2)
Hackers doing what? Pretty much all random hackers are script kiddies attacking common services. If you have an internet facing machine chances are they are going to try SMB authentication, check if you have wordpress running, and check if you have SSH running. If they are going to try remote access they'll use Windows RDP.
Why target a MacOS system specifically? The only thing you'll achieve is rule out 94% of desktop targets and 100% of server targets.
One of the first things a security tester checks (Score:2)
I.e. any "it was overlooked" theory must also include incompetence. "root" is one of a handful of well-known accounts, and of course you try to get into it without giving credentials.
Aaaaand it's gone. (Score:2)
"Access to this place or content is restricted. If you think this is a mistake, please contact your administrator or the person who directed you here."
Did anyone think to archive the thread, or is it just gone forever now?
Re: (Score:2)
Apple doesn't care about Mac users. (Score:1)
Not finding a bug like that would have gotten a tester put on a PIP at Microsoft in 2000.
In my former SDET opinion, it shows that Apple doesn't do enough professional testing.
Bizarre Thread (Score:2)