Mac security flaw

In macOS High Sierra, you can log in as root with no password.


Yep - saw that.

Apple are currently discussing whether to fix it via a security patch, or describe it as a usability feature and sell it as an addon.



It’s been patched apparently.

Apple has released an emergency patch to resolve the major security vulnerability in macOS 10.13 High Sierra which allows anybody to log in, locally or remotely, using the username ‘root’ and a blank password - but in doing so has broken the operating system’s file sharing functionality.

Apple’s macOS High Sierra, released in September, brought a wealth of new features but also introduced a serious bug: Entering the username ‘root’, assigned to the administrative-level account which is disabled by default, and a blank password allows anyone to log in and take full control over the system - right through to disabling disk encryption and retrieving passwords from the keychain. Publicised by security researcher Lemi Orhan Ergin on Twitter, evidence suggests the flaw - which is not present in macOS 10.12 Sierra and earlier - had been noted by users up to two weeks earlier, but was for some reason not considered a security issue at the time.

Following Ergin’s publication of the vulnerability Apple developed an emergency out-of-band security patch which it released late yesterday as Security Update 2017-001. Fixing what the company described as a ‘logic error in the validation of credentials’ the patch closes the hole but in doing so breaks the operating system’s file sharing functionality - a glitch which would point to the patch being rushed out without proper testing.

Those affected by the flaw in the patch are still advised to install it in order to close the more serious security hole, after which the following instructions will restore file sharing functionality.

The GUI authenticator not acknowledging disabled accounts is a flaw that’ll get fixed because it applies to other accounts, not just root.

In terms of an OS-wide vulnerability, who isn’t setting a root password when they buy a system or re-install the OS?!? If I did that shit it could get me legit sacked, possibly on the spot, as gross negligence.

I wasn’t aware it was blank by default (they used to be preset to a value, but those values becoming public knowledge was considered a security vulnerability so I’d assume it’s to negate that), but I’m also not stupid enough to run an OS where I don’t know the root password…

Is it a vulnerability that if I install Ubuntu I can then log in as root by switching to tty1 at the login screen, without a password? No, it’s fucking design and assumes the user knows what they’re doing; albeit Ubuntu don’t market as strongly as Apple to the ‘you have money but don’t know what you’re doing’ demographic.


The main thing here is that Apple is marketing these as easy to use and no hassle or knowledge needed (such as changing the root password).

Anyone who pays attention to marketing deserves whatever they get :stuck_out_tongue: They fit in the aforementioned ‘has money but doesn’t know what they’re doing’ demographic.

I only mentioned this because yesterday I did a fresh Ubuntu install using an automated process, made it set a blank root password and then logged on to the console as root to start configuring it, as it’s quicker than the regular method. Not that I think I’d ever need to do that on a Mac, unless I was installing Ubuntu on it. It was in a VM running on a Mac, but that’s not the same.

Yep, that is exactly it. Done that myself on Ubuntu a good good while back (have not touched it in years, can’t remember anything about it anymore).

I have to do it every so often to run a Java thing, because I refuse to have that heap running natively on my server. My professional background is in virtualisation*, so I spin up an Ubuntu VM with whichever OpenJDK will make a thing run and trash it when I’m done. All using fully licensed (and therefore out of date) VMware products no less :smiley:

*This is the only reason I use a VM for containerisation, and not something like Docker like Unix resources keep telling me I should.