A software developer based in Turkey has caused mayhem at Apple by publicly disclosing a serious password vulnerability. The vulnerability is present in the latest version of MacOS, High Sierra. It allows a hacker, who must have access to the local machine, to access the computer WITHOUT a password. Apple has admitted in a statement that this is a live issue and that it is working on a fix.
What is the problem?
At 6:39pm yesterday Lemi Orhan Ergin sent a tweet to the Apple Support Twitter account. In that tweet he said: ”
Since then there have been 9,442 retweets and 10,099 likes as of time this article was written. He goes on to provide evidence of how it works.
A Root account gives a user absolute control over the local machine. Apple call it a superuser account. This means it can add or delete users, change settings or install anything that the user wants. In previous versions of MacOS the Root account was disabled by default. It had to be enabled by a user with administrative privileges.
In MacOS High Sierra it seems that a developer set the account to be enabled by default. More importantly, they also set it to have no password. As security failures go this is an appalling failure.
Like many of those who saw the original tweet, we have tried this on Apple Mac’s here. Pre High Sierra machines do nothing. Once High Sierra is installed it works.
Apple’s response has been predictable. It immediately issued a statement saying:
We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.
How did this happen?
That’s something we may never know. It has all the hallmarks of an Apple developer using it to speed up logging in to High Sierra during the development phase and then forgetting to take it out.
There will be questions asked about how this got into the production build. For example, should Q&A have spotted this? Some will say yes but it’s the sort of thing that most software companies would not have a pre-built test for. It’s also not something that a tester would naturally assume a developer might do. However, given that previous versions of MacOS have always had the Root account disabled it is reasonable to assume that there should be a test to check this.
What does this mean?
Apple is now in scramble mode and that is not good. It knows it must patch this problem quickly but also realises that there is a risk of introducing other problems if the patch is not tested. This is not good for users and is why the industry introduced a mechanism for responsible disclosure.
That mechanism allows security researchers, companies and even individuals to report security issues to vendors. Most vendors also offer a bug bounty when flaws are found and this one would have ranked high on most vendors payment schemes.
Ergin has come under fire from many security researchers and security vendors for announcing this publicly. They are surprised he ignored the disclosure rules which, given he describes himself as an Agile Software Craftsman, he would have known about.
For users, it is a case of following Apple’s advice and manually disabling the Root account.