High Sierra Root Login Bug Was Mentioned on Apple's Support Forums Two Weeks Ago (daringfireball.net)
John Gruber, reporting for DaringFireball: It's natural to speculate how a bug as egregious as the now-fixed High Sierra root login bug could escape notice for so long. It seems to have been there ever since High Sierra 10.3.0 shipped on September 25, and may have existed in the betas through the summer. One explanation is that logging in with the username "root" and a blank password is so bizarre that it's the sort of thing no one would think to try. More insidious though, is the notion that it might not have escaped notice prior to its widespread publicization yesterday -- but that the people who had heretofore discovered it kept it to themselves. This exploit was in fact posted to Apple's own support forums on November 13. It's a bizarre thread. The thread started back on June 8 when a user ran into a problem after installing the WWDC developer beta of High Sierra.
Proof that no one at Apple reads their own forums.
And here is the link to the actual support forum: https://forums.developer.apple...
/. needs to link to someone's personal blog for this.
I don't get why
I'm not a complete idiot... Some parts are missing.
No. If you have physical access to a Mac, it is trivial to reboot it into single user (i.e. root) mode. No extra equipment required, and only as long as the boot time. Unlike other *nix systems, MacOS doesn't require that you log in with the root password in single user mode. (Or didn't last time I tried.)
What this bug does is give the casual passerby root access without having to reboot, therefore making it less obvious that it was tampered with.
-- Alastair
If you are ever testing (or writing) a login thing, make sure you test the case with no password.
The claim that nobody thinks to try root with no password is just bullshit. I get daily logs of failed SSH logins on several net-facing devices I have and they always have root/(none) listed multiple times.
Well that link requires a login -
No problem, just enter "root" for the user name, leave the password field blank, and hit Enter twice.