Slashdot Mirror

← Back to Stories (view on slashdot.org)

High Sierra Root Login Bug Was Mentioned on Apple's Support Forums Two Weeks Ago (daringfireball.net)

Posted by msmash on from the closer-look dept.

John Gruber, reporting for DaringFireball: It's natural to speculate how a bug as egregious as the now-fixed High Sierra root login bug could escape notice for so long. It seems to have been there ever since High Sierra 10.3.0 shipped on September 25, and may have existed in the betas through the summer. One explanation is that logging in with the username "root" and a blank password is so bizarre that it's the sort of thing no one would think to try. More insidious though, is the notion that it might not have escaped notice prior to its widespread publicization yesterday -- but that the people who had heretofore discovered it kept it to themselves. This exploit was in fact posted to Apple's own support forums on November 13. It's a bizarre thread. The thread started back on June 8 when a user ran into a problem after installing the WWDC developer beta of High Sierra.

60 of 85 comments (clear)

  1. Proof that... by houstonbofh · · Score: 4, Insightful

    Proof that no one at apple reads their own forums.

    1. Re:Proof that... by eepok · · Score: 1

      Proof that there are too many forum posts to be read by sufficiently knowledgeable staff.

    2. Re:Proof that... by jellomizer · · Score: 2

      As part of yesterdays article on Slashdot, when they stated they needed to review how they managed these issues, I had expected that this was probably a known issue, that just somehow failed to get into the right hands. [citation]

      I think it is mainly a failure in management, then with Apple not caring or ignoring a problem. Just poor escalation management, which can be fixed.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    3. Re:Proof that... by myid · · Score: 1

      Proof that no one at apple reads their own forums.

      Apple should read them. Lots of bugs and workarounds are discussed there. Apple should hire people to read the forums, figure out the steps to duplicate the problems mentioned in the forums, and submit bug reports that include those steps.

      I've found that the best way to get a bug resolved was to call their help desk, and tell that person about it.

    4. Re:Proof that... by hcs_$reboot · · Score: 1

      And when they occasionally do, and even more seldomly reply to a customer question, they do that with all the arrogance Microsoft was showing 10 years ago. Apple, you're not on the right track...

      --
      Slashdot, fix the reply notifications... You won't get away with it...
  2. Re:Password could be anything.... by sabri · · Score: 5, Informative

    And here is the link to the actual support forum: https://forums.developer.apple...

    I don't get why /. needs to link to someone's personal blog for this.

    --
    I'm not a complete idiot... Some parts are missing.
  3. Fire all the testers! Let's be Agile and do DevOps by ErichTheRed · · Score: 1

    You can bet that's going in as an automated test ASAP, but this is a perfect example of how increased velocity leads to previously unthinkable bugs going unnoticed, or dropped in the rush to ship code. No one wants to go back to full-on waterfall where the software you crank out 3 years later doesn't do what's needed now, but IMO the dev pendulum has gone too far the other way.

    Especially in something as big and important as an operating system, some group with enough big-picture thinking and enough intelligence to think up breaking tests needs to make sure everything hangs together right. Individual developers can unit-test their little pieces, but plugging together thousands of little pieces is often what causes big bugs like this.

    Right now we're getting the third wave of DevOps adoption, and it's interesting to see how different it is. The first wave was all the cool kids at startups doing microservices, containerizing apps with Docker and Kubernetes, deploying with Jenkins/Chef/Puppet and writing in whatever web framework someone working for Google open-sourced that week. The second wave is all the big software companies who do this for a living. The third wave is the companies who don't have a good handle on their current dev processes now, let alone any clue on how to change them. This is being driven by a massive fear of missing out and consulting companies/tool vendors are making billions off companies that don't really get what they're buying. Expect bugs like this in internal systems as overworked developers are forced to crank out more half-baked code because the Agile book their manager read said they had to ship no matter what.

  4. Re:Password could be anything.... by bobbied · · Score: 2

    Wow, now that's one heck of a security feature. I'll bet somebody did this on purpose...

    Did somebody's head roll over there at Apple? This should have been an obvious "feature" in the code change that should have been caught by development in a peer review of the code, should have been caught by the test team as an untested new feature, or should have been caught by the build team as an unverified change.

    A bunch of folks should be reprimanded for this slipping though.. Do your jobs people!

    What? You don't follow a process that creates multiple points where such a thing would be caught? Nobody can be blamed? If this is true, Apple scares me more than it used to.

    Security must be both designed in and part of the process or you are wasting your time.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  5. An even stranger discussion involving systemd..... by Anonymous Coward · · Score: 2, Interesting

    If you want to see an even stranger and worrying discussion around a similar enough problem affecting Linux, look at this bug report involving systemd and concerning unusual Linux usernames.

    Almost right away Lennart himself declared it "not-a-bug" and closed the issue, claiming it involved "not a valid username" and claiming "I don't think there's anything to fix in systemd here."

    Thankfully, others looked into this matter in more detail. They pointed out that the unusual username involved should very well be considered valid, regardless of what the systemd developers believed. They pointed out that it was in fact a serious problem. They pointed out that it should be fixed.

    At some point Michael Biebl came in, babbled nonsensically about "trolls" and locked the discussion, basically giving a big "fuck you" to everyone who wanted to work toward getting these problems fixed properly.

    Lennart then deleted some user-submitted comments in a show of censorship, and again denied that there was a problem.

    The most absurd part is near the bottom, when Lennart states, "don't forget we don't break people's stuff". This is particularly unusual because systemd is well-known for causing all sorts of breakage and problems for many Linux users.

    Was the problem affecting macOS a big mistake on Apple's part? I think so. But at least they got a fix out very quickly once they became aware of the issue.

    Their approach is much saner than what we're seeing happen with Linux and systemd, as shown by the systemd bug report and absurd handling of the bug as described earlier.

    I'll take Apple's approach any day.

  6. Horrifying thought. by Narcocide · · Score: 1

    Apple is paying more attention to Slashdot press than their own support forums?

    1. Re:Horrifying thought. by Galactic+Dominator · · Score: 1

      What company cares about their free support forums? Hell even most github project owners won't spend any time on answering question.

      --
      brandelf -t FreeBSD /brain
    2. Re:Horrifying thought. by Narcocide · · Score: 1

      It's amazing how the empirical evidence on hand belies the essence of your statement as much as your little tantrum exposes the part about it that you can't admit to yourself.

    3. Re: Horrifying thought. by Brockmire · · Score: 1

      What the fuck are you talking about? Seeing a story on /. before another site happens next to never. Did you just prove op's point more than he did? Seriously, it can be days to a week before shit shows up on /. after it appears elsewhere. Editors are shit, here.

    4. Re: Horrifying thought. by Brockmire · · Score: 1

      Because it's supposed to decrease the volume on their paid support. Enabling users to fix their own problems would save a shit ton of money and aggravation. I learned of this Apple support years ago when they fucked up millions of Apple accounts after some failed mail/account merge or migration. It cost $29 to call Apple to solve the issue. Thousands of pissed off people in forums, zero fucks given by Apple. It was Apple's fuck up.

    5. Re: Horrifying thought. by Narcocide · · Score: 1

      Yea, but the point you all missed is it was only a day after it made the front page of Slashdot that Apple took action. Coincidence? Maybe. But the conspicuous correlation brings up a horrifying thought... and all your angry reactions exhibit a even more disturbing psychological cue that does an even better job at providing supporting evidence that you all subconsciously fear I'm right.

    6. Re: Horrifying thought. by dgatwood · · Score: 1

      Not a coincidence. I'd be willing to bet 90% of Apple's engineers read Slashdot. I'd be willing to bet .90% of Apple's engineers read their support forums.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

  7. Re:Password could be anything.... by Anonymous Coward · · Score: 1

    I don't get why /. needs to link to someone's personal blog for this.

    To feed one's click count. And the lack of real, functioning editors makes it too easy.

    Just blackhole daringfireball.net as a frequent offender and move on.

  8. Re:Password could be anything.... by Narcocide · · Score: 1

    Well, a little. It lowers the attack requirements from 10 minutes with extra equipment to 10 seconds and your bare hands.

  9. Re:An even stranger discussion involving systemd.. by Narcocide · · Score: 1

    Employees that are paid better are harder to bribe. That's not a new thing.

  10. The funny thing is this was technically net + by SuperKendall · · Score: 1

    Although the face loss for Apple on this is enormous (but probably without long term consequence), an amusing aspect of this whole story is that from a technical standpoint the Apple bug was probably a net gain for the users of OSX...

    How so? Well, in the provided link you see several stories of people using this login bug to restore accounts, that would have been harder to restore otherwise.

    Meanwhile are there any stories of macs actually compromised by this bug? I haven't seen any.

    So technically this incredibly head-slapping bug was actually of more use to users than harm, as they were easily able to restore account access!

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:The funny thing is this was technically net + by timmyf2371 · · Score: 1

      Meanwhile are there any stories of macs actually compromised by this bug? I haven't seen any.

      You can bet that any Macs seized by the likes of the FBI won't have had the security patch applied....

      --

      Backup not found: (A)bort (R)etry (P)anic
    2. Re:The funny thing is this was technically net + by ph0rk · · Score: 1

      If they have physical access to the machine and the data isn't encrypted, it doesn't matter whether or not the patch was applied.

      --
      semantics are everything!
    3. Re:The funny thing is this was technically net + by SuperKendall · · Score: 1

      High Sierra hasn't been out that long and for some reason I have trouble imaging criminal elements keeping super up to date on system updates.

      So how many HS macs has the FBI realistically seized over the past month? I'd still say way less than the number of systems with lost passwords that have been restored.

      --
      "There is more worth loving than we have strength to love." - Brian Jay Stanley
    4. Re:The funny thing is this was technically net + by Headw1nd · · Score: 1

      A conspiracy theorist would suggest that this might have been Apple's plan all along, push out a patch that allowed the government to root anything they currently had in their possession.

  11. Re:Password could be anything.... by AJWM · · Score: 4, Interesting

    No. If you have physical access to a Mac, it is trivial to reboot it into single user (ie root) mode. No extra equipment required, and only as long as the boot time. Unlike other *nix systems, MacOS doesn't require that you login with the root password in single user mode. (Or didn't last time I tried.)

    What this bug does is give the casual passerby root access without having to reboot, therefore making it less obvious that it was tampered with.

    --
    -- Alastair
  12. Re:An even stranger discussion involving systemd.. by AJWM · · Score: 1

    Fortunately, there are still Linux distros available that don't use systemd. I'll take sysv init any day.

    --
    -- Alastair
  13. Re:Password could be anything.... by Chris+Mattern · · Score: 1

    Can you encrypt the hard disk with a Mac? Physical access to my Ubuntu laptop isn't gonna get you anything if you don't have the passphrase for decrypting my hard disk.

  14. Re:Password could be anything.... by elistan · · Score: 2

    Can you encrypt the hard disk with a Mac? Physical access to my Ubuntu laptop isn't gonna get you anything if you don't have the passphrase for decrypting my hard disk.

    Yes. Apple has what they call FileVault that does whole-disk encryption (minus a boot volume, I think.)

    If FileVault is used, Single User Mode as mentioned above requires login credentials.

  15. It's the most obvious thing by phantomfive · · Score: 1

    that logging in with the username "root" and a blank password is so bizarre that it's the sort of thing no one would think to try.

    If you are ever testing (or writing) a login thing, make sure you test the case with no password. Not only is it so obvious that many laypeople think of it, but also this bug keeps happening, most recently on Intel chips. Not only that, it apparently works on any disabled user account, not just root

    --
    "First they came for the slanderers and i said nothing."
    1. Re:It's the most obvious thing by Obfuscant · · Score: 4, Informative

      If you are ever testing (or writing) a login thing, make sure you test the case with no password.

      The claim that nobody thinks to try root with no password is just bullshit. I get daily logs of failed SSH logins on several net-facing devices I have and they always have root/(none) listed multiple times.

    2. Re:It's the most obvious thing by Slayer · · Score: 1

      We have reached a state, where several large swathes of the software market are controlled by few large, quasi-monopolistic entities - world wide. Neither Intel, nor Apple will lose significant revenue over these root holes, embarrassing as they may be, so why would they care one bit?

      It took years of ridicule and severe loss of market share, before Microsoft made their first serious attempts of fixing their most blatant security barn doors. Apple and Intel are nowhere near that - yet.

    3. Re:It's the most obvious thing by thegarbz · · Score: 1

      Daily? I used to get them minutely. Actually I got default admin credentials tested on all my internet facing services. Even when using fail2ban to implement temporary blocking measures (e.g. 5 min after 3 failed attempts) that didn't dissuade anyone.

      Heck I got constant connection attempts even when set to certificate only. I had to change the damn port, to get them to slow down.

    4. Re:It's the most obvious thing by antdude · · Score: 1

      And have QA testers! They're useful!

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    5. Re: It's the most obvious thing by Brockmire · · Score: 1

      1440 one minute logs instead of a daily log? You're doing it wrong.

    6. Re: It's the most obvious thing by thegarbz · · Score: 1

      log is a verb. I get minutely logs and they get noted in a daily log file. I'm doing just fine, but thanks for caring.

  16. Re:Password could be anything.... by Chris+Mattern · · Score: 1

    Nope, you're right, that works. But things are getting pretty complicated at that point--the attack has to have access to my laptop, wait for me to use it again without my realizing it's been tampered with and then access things a second time to collect. It's not perfect security, but things are getting a little tenuous there.

  17. Does it mean that probably there were no hackers by Max_W · · Score: 1

    in all those recent stories? That anyone could just type root, leave password blank, and get an unlimited access to all the data he/she wanted without any hacking?

  18. Re:Password could be anything.... by AHuxley · · Score: 1

    The drive and the Time Machine backup disk can be encrypted.
    When selected the existing backups are erased and a new encrypted backup is ready.
    "macOS Sierra: Keep your Time Machine backup disk secure"
    https://support.apple.com/kb/P...

    --
    Domestic spying is now "Benign Information Gathering"
  19. Re: An even stranger discussion involving systemd. by Brockmire · · Score: 1

    You lose credibility when you fail to mention the bug submission includes this bit, "I searched google and found that it was not right to named a linux user with 0day". It's not valid. Because some other apps don't adhere to standards, they're doing it wrong. Use proper context if you want to have a conversation, not whine like a bitch.

  20. Re:Fire all the testers! Let's be Agile and do Dev by 110010001000 · · Score: 1

    +1 insightful. I never understood the pressing need to "ship" software regularly. Customers aren't going to try out new software every couple of months. Customers would rather just have software that works and keep it around.

  21. One of the first things a security tester checks by gweihir · · Score: 1

    I.e. any "it was overlooked" theory must also include incompetence. "root" is one of a handful of well-known accounts, and of course you try to get into it without giving credentials.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  22. Re: An even stranger discussion involving systemd. by gweihir · · Score: 1

    Well, the fact remains that the systemd idiots do not understand "Defense in Depth". That makes them unsuitable to develop anything with security impact. Their reaction also clearly shows that they are unwilling to learn and consider them to understand everything quite well. A sure recipe for disaster.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  23. Re:Password could be anything.... by gweihir · · Score: 1

    Just means that this was either not tested at all or tested incompetently. Any halfway competent pen-tester would have found this.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  24. Re:Does it mean that probably there were no hacker by thegarbz · · Score: 1

    Hackers doing what? Pretty much all random hackers are script kiddies attacking common services. If you have an internet facing machine chances are they are going to try SMB authentication, check if you have wordpress running, and check if you have SSH running. If they are going to try remote access they'll use Windows RDP.

    Why target a MacOS system specifically? The only thing you'll achieve is rule out 94% of desktop targets and 100% of server targets.

  25. Re:Password could be anything.... by BronsCon · · Score: 1

    But it does require you to enter the password of a user authorized to unlock the disk. You did enable FileVault, right?

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  26. Re:QA team fired by dgatwood · · Score: 1

    Apple had a QA team? I thought they just did dogfooding, plus hiring a handful of "QA engineers" straight out of college so that their team can evaluate them before letting them work on the actual codebase.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  27. Aaaaand it's gone. by Kyudosha · · Score: 2

    "Access to this place or content is restricted. If you think this is a mistake, please contact your administrator or the person who directed you here."

    Did anyone think to archive the thread, or is it just gone forever now?

    --
    ç
    1. Re:Aaaaand it's gone. by djupedal · · Score: 1

      It was nothing more than an off-topic thread, so glad to see the clean up.

  28. Re: An even stranger discussion involving systemd. by rl117 · · Score: 1

    A username with a leading digit is absolutely valid. It's documented as being valid in POSIX, with explicit details about how names vs UID/GIDs are disambiguated when used as command-line arguments. It goes without saying that systemd got it completely backwards, ignoring existing standards and conventions, which is the root cause of this bug.

  29. Apple doesnâ(TM)t care about Mac users. by tranman · · Score: 1

    Not finding a bug like that would have gotten a tester put on a PIP at Microsoft in 2000.

    In my former SDET opinion, It shows that Apple doesnâ(TM)t do enough professional testing.

  30. Re:Password could be anything.... by Lost+Race · · Score: 4, Funny

    Well that link requires a login -

    No problem, just enter "root" for the user name, leave the password field blank, and hit Enter twice.

  31. Re:Password could be anything.... by shanen · · Score: 1

    Unauthorized or just plain censored? Or it might be specific censorship targeting me for my unacceptably negative attitude.

    Anyway, the link requires me to log in with my Apple ID account (created several years ago when I bought that MacBook Pro), but then just says the "place or content is restricted". Based on my personal experiences with Apple, I think they are censoring it, though it appears that the preemptive censorship didn't work properly this time. In my prior experiences, they usually block me from posting when I've gotten about halfway through composing the description of the problem.

    --
    Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
  32. Re:Password could be anything.... by Gr8Apes · · Score: 1

    As ac above said, if you're serious about security, you have FileVault enabled. With FV enabled you get no access to the file system until you properly authenticate yourself. If you've gone that far, you probably have set the root password also.

    --
    The cesspool just got a check and balance.
  33. Re:Password could be anything.... by sabri · · Score: 1

    the link requires me to log in

    Yesterday that was not necessary yet. So my guess is that Apple's Supreme Leader was embarrassed and order the thread locked down.

    --
    I'm not a complete idiot... Some parts are missing.
  34. Bizarre Thread by djupedal · · Score: 1

    If you mean a rambling off-topic rant now removed, sure. Took a few days, but it thankfully no longer litters devForums.

  35. Re:Password could be anything.... by djupedal · · Score: 1

    I know first hand who helped flag that thread for removal and good on them, devForums has enough off-topic rant chatter as it is.

  36. Re: READ THE BUG REPORT DISCUSSION! by Brockmire · · Score: 1

    "Standard" here refers to the portability between distros that don't have UID conflicts. The fucking add user tools don't even all work the same. When he's talking about making a unified standard, it's so they can deal with UID conflicts in the same standard way instead of dealing with a dozen corner case from different distros. Your distro that allows 0day can make the patch to support it if they want to deviate from systemd design. The issue is more nuanced than you make it out to be.

  37. Re:Password could be anything.... by hcs_$reboot · · Score: 1

    Web archive to the rescue (at the end)

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  38. Re:Password could be anything.... by hcs_$reboot · · Score: 1

    Not sure what happened, maybe my iphone prevents me to reveal the truth... here the link: https://web.archive.org/web/20...

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  39. Re:Password could be anything.... by hcs_$reboot · · Score: 1

    https://web.archive.org/web/20...

    --
    Slashdot, fix the reply notifications... You won't get away with it...