
Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple?
1,128 replies and sub-replies as of Nov 28 2017

that's a feature
like windows uac, it's there for utility not security
You can access it via System Preferences>Users & Groups>Click the lock to make changes. Then use "root" with no password. And try it for several times. Result is unbelievable!
It gets even worse! You can login with “other account”, type root with no password and you’re in!! Crazy!
It does not work for Yosemite!
HOLY SMOKES, I just got my Mac mini to do it. My jaw is on the floor. I can't believe this.
It seems like it's related to the amount of time the dialog has been open? I'm having better luck when I switch away and then come back after a while.
You knew about it and didn't tell, @MertSARICA, right? :)
confirmed .. 10.13.1
Jesus Christ this should not be a thing
Can’t get it to happen on the latest beta
omfg it worked.
Oh dear Luna. I’m so glad I haven’t updated to High Sierra.
Not functional on Sierra 10.12.6
Confirmed High Sierra 10.13
confirmed here too. two tries.
It enables the root user (as evidenced in Directory Utility) without a password.
I bet if you enable root & assign a password, it’ll be a suitable workaround.
Setting a root password mitigates this. FFS!
Note you also need to leave root enabled or you can start all over. 1. `dsenableroot` 2. `passwd root` No step 3!
dsenableroot - just what I was looking for.
Weird that root can authenticate when it's "disabled" anyway ...;) But thanks for good tip!
Confirmed on 10.13.1 after 2 tries… even stranger because I had previously set a root password on this system.
Setting a new root password seems to prevent this
Buuuut if you disable the root user it seems to reset and it works again with no password after 2 tries.
So the option for now is to leave root enabled with a strong password.
Confirmed High Sierra 10.13.1
Confirmed it on 17C83a (10.13.2) latest pushed dev beta
Can this be done via the logon screen or only in an authenticated session?
Tried a dozen times at the login screen: didn't activate the root user. Also didn't work with an active session and lock screen. 10.13.1
Holy crap - what the hell. It works basically everywhere. Even with Firewall and FileVault 🙄
can't get this to work... 10.13.1 (17B48)
On the same version, 10.13.1 (17B48) and it works after a couple of attempts (6 or so).
Probably because you've been sensible and changed the root password from the default, which apparently is no password.
Oh my various gods and goddesses this is bad. BAD @Apple!
Unlocked on the second click for me. What the fuck @AppleSupport ?
This is why I wait like 2 months before moving to the latest MacOS
Cannot reproduce on High Sierra when logged into a non-root admin account, fwiw (dialog says "enter your password" not "enter an administrator's name and password")
Reproduced on mine, an "Enter your password" prompt
Huh. Could not reproduce either way, nor from main login screen. BUT just realized this mac is on original High Sierra not the .1 update, perhaps that is the key
Mine has "Enter your password to allow this" even though I’m using an admin account.
no, that's right - "your" b/c you are already an admin, "an administrator's" if you were on a regular user account
Damn..!!! MacOS Sierra 10.13.1 confirmed... #CyberSecurity #wtf
huh. Can't reproduce on 10.12.6
If you log out, you can log back in as root without a password. 🤷🏾‍♂️
This is infuriatingly careless, @Apple. Until this is fixed, I can’t let my computer out of sight.
If you log out, you can log back in as root without a password. 🤷🏾‍♂️
Buddy above just said if he changes the password, and leaves the account enabled, it stops the bug
What do you think people will do? Change your wallpaper without your permission?
Some people, like lawyers and doctors, have confidential information that have legal implications if unauthorized access is gained.
There’s a temporary fix:
You can log out, log in as root without a password, and then change your root password in system preferences. Once you do, it no longer authenticates root without a password.
It works. Holy Moses! @Apple !!!!
You can log out, log in as root without a password, and then change your root password in system preferences. Once you do, it no longer authenticates root without a password.
Wow, how does this "slip" past QA or general common sense testing?
Dunno but there’s a temporary fix:
You can log out, log in as root without a password, and then change your root password in system preferences. Once you do, it no longer authenticates root without a password.
Wow, this is so bad. Looks like it doesn't work if you set a password for the root account.
10.13.1, it works with keychain access too!
Um, not on High Sierra machines at my work - are you sure that isn’t someone’s management setup (as bad as that is)?
It works for us. This is not gr8.
HAHAHAHA oh this is gold.
It's more than gold, no need to hack iOS, full access is there.
Literally just tried it here too. Got straight in, first try.
Works on a completely standard High Sierra machine here. Ooer
Just checked, works, on first try. This is not good.
Let's take a closer look at what's happening together. Send us a DM that includes your Mac model along with your macOS version. We'll meet up with you there. twitter.com/messages/compo…
I mean, the whole internet kinda wants to know now, so maybe meet us here?
I guess that the FBI got what they wanted after all.
*slow clap* Yeah no what's with this let's take this in the back nonsense @AppleSupport...
Imagine working @AppleSupport and getting this ticket assigned to you. You might want to send this one to escalation :D
Well played, Ma'am. 👏
So, yeah, why not meet us here? Can't be fun tweeting everyone who confirms this bug individually.
I mean, the whole internet kinda wants to know now, so maybe meet us here?
It happens for everyone...
Resetting the password for root to something else “fixes” the vulnerability. I just tried and it worked.
Yeah, I did this, but not everyone knows how to
*4 hours later* we have no idea what's happening
Are you serious? Every macOS High Sierra version up-to-date on any device...
While you're fixing this, can you also make Pro mean Pro again?
In case anyone who sees this doesn't know how to fix this (at least temporarily) or haven't seen the fix posted elsewhere, here's how to -
Everyone with a Mac needs to set a root password NOW. As a user with admin access, type the following command from the Terminal: `sudo passwd -u root`. Enter your password, then a new password for the root user. Anyone got a better fix? @SwiftOnSecurity @rotophonic @pwnallthethings
Can confirm. Don't disable root user because OSX reenables it after a few login attempts.
Swiftly pretending nothing major is happening 😂 Get it? #devpun
It’s reproducible on every damn Mac. This is a disaster.
Maybe you should talk about this here, you know... since the whole interwebz knows about the flaw.
What version are you using?
If you have “let administrators unlock screen” enabled, this works at screen unlock too. Only took 2 tries. 🤦‍♂️
You can log in as root w/no password from the main login window. Highly suggest everyone do so and change the password (which you can totally do)
Confirmed on version 10.13.1 on 15 inch MacBook Pro Retina. "It just works!" takes on a whole new meaning @AppleSupport
oman. it's hard to even watch this.
Oh snap! Works on my computer!
A “root force” attack, if you will.
same. did it in two tries here.
Open Terminal, `sudo su -`, `passwd`, done.
Couldn't get this to work on my mother-in-law's Mac running 10.12 Mac OS Sierra. Just on my work computer running High Sierra.
Just affects HS 10.13 pre-latest-beta.
Thanks for confirming. Much appreciated
Seeing reports that it “works” up through 10.13.2 b4 (no word on 5 yet)
In addition, if you disable root/change password on root via Directory Utility it appears to prevent this
Just worked for me on 10.13.1 on an 11” MacBook Air. Unlocked to make changes to users with root and [blank], successfully changed the password of another admin account as a test.
sadly just reproduced it on a mostly clean install
We are installing a new vanilla 10.13 VM right now to test unmanaged setup. (Stay tuned if you want)
If you go into directory utility and change the root password, does this still work? Just curious for those testing compromise.
You might have set a root password already, manually or as part of the bootstrap in your image.
Everyone with a Mac needs to set a root password NOW. As a user with admin access, type the following command from the Terminal: `sudo passwd -u root`. Enter your password, then a new password for the root user. Anyone got a better fix? @SwiftOnSecurity @rotophonic @pwnallthethings
No it will not work if you have set a root password.
This doesn't work for me either. Disallowing root login ( best practice ) stops this. IMHO: If you aren't changing the root passwd / disallowing it's login, you're at fault, not Apple.
The OS should be configured to be as secure as possible with default configuration. It should not be default for root to have no password and still be able to authenticate by password.
For business this is obvious. For Uncle Joe with a new Mac from the Apple Store? Not so much obviousness…
I'll buy that. And John I agree. However, I feel that while this is bad, it also sheds light on a bad user habit.
It appears that hitting enter in the username field after "root" produces the reported result. Clicking the login button does not.
In terminal it won't let you login via enter, and I don't agree with you; other than terminal you can login either way.
you can enter any iPhone using root with no password _fu-k how to stop iPhone login
100000% true and tested and it gives us full control over Apple device #quitApple
We'd like some details to assist. Send us a DM with the macOS this occurred on and your country and we'll continue there. twitter.com/messages/compo…
tested 4 high sierra machines, all seem to unlock with root un
Fuck. If you have the guest account enabled you don't even need a user account. Permanently unlocks the root account to log in from the log in screen.
I could only get this to work if I had the text cursor in the password box (without typing anything). If I had the cursor in the username box and left the password field empty, it doesn't work.
I can confirm it doesn’t work on Sierra
I can't replicate on High Sierra 10.13.1 (17B48). Anything special needed to make this work? Or is 9 attempts not enough for the bug?
Fortunately it doesn’t work via SSH.
You can login this way as well. It's 2017. Intentional backdoor.
Worked after 5 attempts. Jesus Christ.
Confirmed in High Sierra 10.13.1. Must click really fast, but it can be reproduced rather easily
Better: type “root” in the user name, then tab to get the focus on the password field. At this point, click like crazy on “unlock” button.
We'd like to look further into this with you. Please DM us details on the issue, and we'll see why this is happening there. twitter.com/messages/compo…
A quick Twitter search will give you all the details.
Confirmed v10.13.1
Workaround - go to Terminal, run `sudo passwd root` and set a root password. That prevents a blank password from working.
When root passwd is not set, "sudo passwd root" accepts as the current password any password.
not reproducible here (High Sierra 10.13.1)
You can fix it by setting a root password
Workaround => Go on Terminal, login as root (sudo su) and change (create) password with passwd command
Everyone with a Mac needs to set a root password NOW. As a user with admin access, type the following command from the Terminal: `sudo passwd -u root`. Enter your password, then a new password for the root user. Anyone got a better fix? @SwiftOnSecurity @rotophonic @pwnallthethings
Can confirm this works fine to stop the problem for now. cc @TheRegister
We'd love to gather more information about this would you mind DMing us which version of macOS High Sierra you're using and what country you're currently located in and we'll go from there. twitter.com/messages/compo…
This seems like something you should be across already. The concept of changing a default password.
This has got to be one the most ridiculous loopholes- Shame on @Apple
My fix is to install Linux. Always. #HopeThisHelps #Linux
Bingo. Mint for the win
Yep, that's my usual choice for Macs.
Of course in this case root user will be enabled already, so instead of setting the password you should change the password from nothing to something strong.
Confirmed this in-fact works.
It's important to NOT disable the root user afterwards, making you vulnerable again. Also, GUI method for enabling & setting password:
Fix for the #apple root bug: 1) Open Directory Utility app (via Spotlight or other) 2) Click lock to make changes, log in with admin account 3) Click Edit -> Enable Root User 4) Click Edit -> Change Root Password… 5) Set a password 6) Do NOT disable root user!
Sudo - Make me a sandwich. #xkcd
C'mon. There is no such thing as security once you have physical access to any machine on any OS. At best you got root, at worst you can always wipe the whole drive.
It's remotely exploitable if you have screen sharing enabled, no valid credentials needed.
On High Sierra when I authenticate to screen sharing as root it asks if I want to log in or request permission to view the screen. Select log in & you get the regular login screen. Click "other", log in as root w/o password - works as advertised.
You mean there are people who expose their screen sharing ports open to the public Internet? Sorry, but they deserve it.
Not trying to minimize the seriousness of the issue, actually. But there's just no way anybody could perform this on any machine in my LAN from outside. And inside the LAN, with classic management tools the problem is already fixed and forgotten about, even on tens of devices.
Intuitive UI actually. Physical doors + locks also give up when you try hard and often enough. :P
Can confirm this worked for me, and only on second try.
It's worse than that:
Can confirm on 10.13.2 Beta (17C79a) that's pretty bad
We're here to help! Send us a DM, and we'll take a closer look at this issue together. twitter.com/messages/compo…
does NOT work on 10.11.6
Can't get it to work on 17C79a here, how did you check it?
System preferences, users and groups, lock in the bottom right. In username type root leave password empty. A 2nd box should pop up asking for admin details once again type root and leave password empty.
Interesting, does not work on 17C79a for me. But that machine (MBP12,1) is encrypted and connected to an AD as well, maybe that impacts it?
I just tried it on a Mac. Logged in as "guest" then did uid/pwd "root/[blank]" you suggested. Worked after hitting return twice. Allowed me to change network settings.
Doesn’t seem to do the trick. You can still continue without a pw and it seems to re-enable root.
Setting a pw for root seems to work. Disabling root does not.
*** root *IS* disabled by default. This bug works even if root is disabled!! *** The only way to mitigate right now is actually to enable root and set a password.
Actually this works *IF* root is disabled. Seems to enable it with an empty password. Workaround: *ENABLE* root with a strong password.
Technically, it works if root is enabled with a blank password too (obviously), but my point was that disabling root is ABSOLUTELY not a workaround.
Multiple times? :D
We're here to help! Send us a DM, and we'll take a closer look at this issue together there. twitter.com/messages/compo…
AFAIK you can prevent root login by only allowing a list of users to login on the main screen? Is that correct? E.g. not configuring for the "Name and Password" prompt
Just tried with no success. It's macOS 10.13.1 without APFS. Root user is enabled, but password has been changed. Has the root user been enabled on the Directory Utility and password set for this?
I only had to enter twice.
GEEEEEZ! Unbelievable
I was unable to reproduce on any of my Macs
I can not reproduce.
Oh god, please fix this asap @Apple
No need to try it several times. Just type in `root` and press enter.
I had to try 5 times, on the 4th time it showed me another popup and it worked.
works even when Guest User is off! 😮
We'd like to gather some more details via DM to figure out the best path forward. Tell us what type of Mac you're using, along with your current macOS version. We'll keep an eye out for your message. twitter.com/messages/compo…
10.13.1 MBP mid 2014 15” Retina worked
Running "sudo passwd root" and setting a root password mitigates that until official fix.
Bonus: go back and do it again, you only need to hit enter once. Oh, you’re root? I trust you. Here you go.
Reproduction Verified on 10.13.1 and other 10.x Flavors. User=root, pass={none}, Click Unlock 4-5 times over 120 seconds. #Repro #PoC
FIX: Set the root password (if you hadn't already) ... Picture of Terminal shows the PoC running with and without a root password. #OSX #Repro #PoC
This is not the password-less future we all had in mind.
Resetting the root password disables the bypass.
Speak for yourself! My inner evil hacker had this password-less future in mind all along!
What am I doing wrong?
Two of my Apple devices (both on 10.13.1) are responding differently. One unlocked after 2 tries. The other I've tried roughly 20 times with no success.
Unbelievable, yes! And how the F could this have been added to the OS? What possible bug could have allowed this? Seems intentional.
I don't want people to see what porn I watch.
WTH indeed works here hope apple gives you a big reward
Not yet upgraded...
Why was this not shared with Apple privately via the reporting tool ? What good does blasting on twitter do?
Not working here on 10.12.6
Yeah just reproduced here too, wtf.
Worked for me on the second try on a two-week-old MBP running 10.13.1.
Way easier if you just hold enter, fucking what
I think you should report on this...
Not doing it for me on 10.13.1
Tab into password field then press Enter.
GG Apple. QC is all but gone. Latest iOS is buggy AF.
Looks like this is only a local issue that requires physical access to a macOS system? or is there any remote (RCE) risk?
well actually...
Confirmed on High Sierra 10.13.1
If you set a password for the root account it fixes the issue
Worked on first attempt for me. The solution to this would probably be setting a password for the root user.
Confirmed on 10.13.1
Can confirm. macOS High Sierra 10.13.1
My 6 year old kid brought me an iPhone 6s on Saturday morning, unlocked. Shocked to see that, I went under settings and found out that TouchID AND pin have been disabled/deleted. Have reported to Apple, waiting for a reply.
Works on mine too. Ouuuuccchh
rip your bug bounty chances
Microsoft had a pretty similar issue with Windows XP, too ^^ (unpatched version)
It appears you have to tab off the User Name onto the Password field for this to work.
Funny, doesn't seem to work on the Server 2012R2 and Server 2016 machines here. Maybe *that's* why we run them....
Just set a root password? Open terminal, `sudo bash`, `passwd root`. While you’re at it, audit accounts in /etc/passwd and check for blanks in /var/db/dslocal/nodes/Default/users/*.
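An added audit helper that follows the suggestion above (it is not code from anyone in this thread): it scans constructed /etc/passwd-style lines for blank password fields and extra uid-0 accounts, and inspects constructed dslocal-style user plists for a uid-0 record with no password hash. The plist key layout used here (name/uid/passwd arrays, ShadowHashData present only when a password is set) is an assumption, and every sample record is constructed.

```python
import plistlib

# Constructed /etc/passwd-style sample (not from any real system): one regular
# user with a blank password field and a second uid-0 account besides root.
SAMPLE_PASSWD = """\
root:*:0:0:System Administrator:/var/root:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
alice::501:20:Alice Example:/Users/alice:/bin/zsh
backup:*:0:0:Backup Operator:/var/root:/bin/sh
"""

# Constructed dslocal-style user records. The key layout (name/uid/passwd
# arrays, ShadowHashData only when a password is set) is assumed here.
PLIST_HEAD = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>name</key><array><string>root</string></array>
<key>uid</key><array><string>0</string></array>
<key>passwd</key><array><string>*</string></array>
"""
ROOT_NO_HASH = PLIST_HEAD + b"</dict></plist>"
ROOT_WITH_HASH = PLIST_HEAD + (
    b"<key>ShadowHashData</key><array><data>AAECAw==</data></array>\n"
    b"</dict></plist>"
)


def audit_passwd(text):
    """Return (account, issue) pairs: blank password fields, extra uid-0 accounts."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            findings.append((line, "malformed entry"))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append((name, "blank password field"))
        if uid == "0" and name != "root":
            findings.append((name, "additional uid 0 account"))
    return findings


def audit_dslocal_user(plist_bytes):
    """Summarise one dslocal user record and flag a uid-0 account with no hash."""
    record = plistlib.loads(plist_bytes)
    name = record.get("name", ["?"])[0]
    uid = record.get("uid", ["?"])[0]
    has_hash = bool(record.get("ShadowHashData"))
    issues = []
    if uid == "0" and not has_hash:
        # Per the thread's workaround: leave root enabled and give it a strong password.
        issues.append("uid 0 account has no ShadowHashData: set a strong password")
    return {"name": name, "uid": uid, "has_hash": has_hash, "issues": issues}


if __name__ == "__main__":
    for acct, issue in audit_passwd(SAMPLE_PASSWD):
        print(f"passwd: {acct}: {issue}")
    for blob in (ROOT_NO_HASH, ROOT_WITH_HASH):
        print("dslocal:", audit_dslocal_user(blob))
```

On a real system the same functions would be fed the contents of /etc/passwd and each plist under the dslocal users directory (root privileges required to read them).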
Still on Sierra, safe for now
every MacBook owner's girlfriend seeing this be like
****** @Apple almost a trillion dollar company - seriously!!
*sigh*... and this is why we responsibly disclose vulnerabilities in things. Our whole estate of systems at my workplace now vulnerable for days or weeks while we wait for a patch because this bloody moron decided public disclosure is funny. Fuckin' cheers mate.
“Think” different
It's a false positive. Even if you "unlock" changes, you can't do anything. Have a look:
Empty root password bug on macOS HS (youtube.com)
We have like 250 billion dollars in bank.
It also works in installers
Reproduced by @fatedfox on 10.13.2 Beta (17C79a) same users and groups menu, but not on parental controls.
Noticed something about the behaviour, the first time you hit login, it changed back to the current user, entering root again and hitting enter led to a few seconds pause, then rejected the login but didn't reset the user, hit login once more and it unlocked
... Security advice: Do not leave your MacBook unattended :):)
Macbook pro 15” 2016 version osx 10.13.1
Responsible disclosure is important. You could have emailed this privately and got credit, using info from here - hackerone.com/apple
It only works when you press Enter/Return. Do not click on Unlock.
wtf.. login in as root without password works as well...
doesn't work on 10.12.6. guess I'll wait a few more months before upgrading... .
It takes a lot of #courage to ship root without a password...
Terrible bug, maybe the worst ever on macOS. This was a highly irresponsible way to report such a security issue however & now puts more people at risk. In the mean time ensure FileVault is enabled & shutdown after work.
Also, setting a password on the root account prevents it
This works for me too. Holy fucking security hole.
Hey dumb ass, maybe don't blast that all over the internet and instead privately report it to apple. Then once they fix the bug write up an article about how you found it to throw shade on apple. Don't tell the internet so everyone can try to mess with other peoples machines
Bro, fine, but is this really something to discuss on Twitter...
Worked on first try! OMG moving to ChromeOS rn!!!!
Do you see this for login, or just for post-login unlocking pref panes and such?
Anyone desire to propose #conspiracytheories on how this could be an #Apple overture to the #FBI?
I don't know if anyone already posted this, but just set a password, logged in as the root user in the terminal via "passwd" and you are fine^^
This is some 80s computer flick BS right here...this is "oh no, what do we do?"/"Type 'OVERRIDE'" nonsense. Unbelievable.
Tried 5 or 6 times on High Sierra. No go here. There has to be a logical explanation for the behavior experienced by others.
It works on 10.13.1 (17B48), really bad :/
Sierra 10.12 still strong
works on mine, eeek
seriously??!?! O_o and apple is not even replying or saying anything to this!!
Thanks for reaching out. Send us a DM, and we'll look further into this with you. twitter.com/messages/compo…
While you are fixing OS X, could you also make "Automatically adjust brightness" checkbox "off" state work again?
Reset your SMC.
sure, resetting SMC is exactly the user friendly fix we all expect from Apple.
Reset your expectations.
After downloading Sierra on macbook pro 2012 with samsung solid state, logging in became more glitchy. Reset SMC, used recovery, drive was rendered useless. Sierra was designed to outmode anything where you could install your own drive on 2012's keeping it current
Let's see... That's the one where you hold down the x key with your middle finger while rebooting, right?
This response gives me life.
It Just Works (tm)
Just do it
Will resetting the SMC actually work? PRAM sounds more like the logical solution
Rebuild your desktop...?
Settings > general > accessibility > display accommodations > auto brightness.... yes it’s stupid...
I prefer the inability to control the input volume, I'm riding that fader like I'm at the all night rave on the 1's and 2's on my meetings.
Yeah this priv escalation works just fine for me, please escalate this to your security team asap
While fixing this could you also sort out that perennial problem of PDFs trashing the eBook reader on the iPad? KtxBye
Guys don't hire lib art majors as your software engineers. :)
It also crashed my 2012 macbook pro within 1 month of installation. Login would reset and eventually could not be accessed at all had to use Recovery, still didn't work Firmly believe you guys did this to get people off computer that allowed new hard drive installation #THECLOUD
Could you also look into repatriating the billions of dollars in untaxed revenue to the USA? Thanks, you assholes.
This is bad you guys. Real bad.
Can you bring back diagnostic at system preferences to check WiFi? I really miss that!!
🤷🏻‍♂️
Confirmed I can reproduce
And can just login at main login screen with root and empty password
yep, I just did that as well.. oh boy… Click ‘Other’ User: root “blank password”… click login
presumably, you’ll still need the password to unlock if you have filevault enabled but just ‘sleeping’? holy shite
How many users do you have on your mac? I have 1 with guest turned off and am not given the option to login as another user. (Still works in admin panel though)
also confirmed on 10.13.1 (17B48)
I was not able to reproduce this using 10.13.1. Afterward, I followed support.apple.com/en-us/HT204012 to inspect (without changing) whether there was a root user or not. There was not. Also, there is no "Other User" at login.
How to enable the root user on your Mac: Mac administrators can use the root user account to perform tasks that require access to more areas of the system. (support.apple.com)
Reminds me of this gif
that was my usual way of logging into windows for years when i'd lost my password
Which version of Windows was this?
IIRC it was there in Windows CE
I wanted to say it was Windows 9x, but then I mainly used that at work back in the day and we didn't have a domain at work until much later (Windows 2000 era).
ha, remember doing it back on my first boring retail job's computer shortly before getting seen by a manager walking behind me and getting fired
So. You're saying that Win2k is harder to get into than High Sierra....
To be fair, you could have hit cancel to log in and the "Login" was for network resources and not the desktop itself. It's right on the tin "password for Microsoft networking"
I hope they send you hundreds of thousands of dollars and an apology.
I hope they send nothing.. For not going through responsible disclosure, and instead exposing millions of systems.
The only way is up!
We were having fun with it, why did you go and stir everything up now?
Works on login screen as well!
I doubt it. They're too busy adding emojis and shoehorning Siri into MacOS to notice actual problems.
They’re not the ones who “add” emojis. So many people don’t understand this…
No but doesn’t it always happen to be the first bulletpoint of every .x or .0x update or keynote presentation of the past couple years. Priorities.
I guess that’s true. But leaving out support for new existing characters would be pretty bad, even if admittedly not as bad as a security issue.
also it gets non-technical folks to install updates. Emojis makes everyone more secure.
Never would’ve thought of that one.
seriously, tho, it's a real thing. security professionals need to (and sometimes do) think about what gets others to install updates (which causes them to break their workflow etc) and giving them features they want and that you can cheaply enhance regularly is gold for that
Agreed. It is user centered design/development.
Yup. This is exactly Apple's strategy, and it's brilliant in that regard.
I hope they saved some for a rainy day, because this fix probably merits a few.
That’s one way to look at it. Though I’m more inclined to believe they do it because the non-technical users are their mainstay customer base right now.
Those are the consumer's priorities, yes. If you think development priorities within Apple are holistically "emoji" because that's what they demo onstage then I don't know what to tell you.
They absolutely do add Emoji. Sure, the Unicode standard specifies the available Emoji, but Apple still need to illustrate them and add OS support. They don't magically appear.
Well, yeah, that’s what I was trying to say. Guess I worded it poorly. I mean it would be kinda bad for Apple to just say, “Nah, we’re not illustrating them.”
Yup. And they don’t just “add” them. They over-design the heck out of them like it’s 2007 PowerPoint clipart
They are the ones that animate them, in real-time, with facial motion capture though. Priorities? Animated poop emoji versus asking for a root password?
this will get hotfixed with a dongle
right. way too busy doing that
That's a pretty big security hole.
Confirmed after 2 tries. Holy shit, that's bad.
😠 also I have to reboot my MacBook daily, sometimes twice a day. Thinking of going back to Windows if my productivity and security is compromised.
Lol windows wont make you more safe 🙂
Yes, which is why I use OSX and have been doing so for more than a decade. I do not wish to return to Windows but I might be forced to.
You will have quite the conundrum...but I feel you Apple is clearly dropping the ball iOS 11 is another example of stuff going wrong or at the very least being rushed out the door
It doesn't just login, it enables the root account (which you can normally do via the Directory Utility) for everything.
Someone give this man a basket of muffins or oven baked cookies.
Lol. High Sierra impresses more every day
Can anyone see if this happens on a “low” Sierra? Just curious because I haven’t updated yet.... And yes, this is very bad ....
Doesn't seem to work on Better Sierra.
Glad but still sad - hey #Apple ???
I could not replicate this on MacOS Sierra 10.12.6 (16G1036). I'm definitely going to wait until Apple fixes this security hole. 🤦‍♂️
And we have lift off.... :facepalm:
Not even multiple times, just hit enter, and off it goes...
Sometimes works the first time, sometimes takes a few tries. Something's rotten in the authentication layer!
And as someone else stated, I was even able to login from main login windows using root and no password just hit enter….serious bug!
It's a FEATURE: Forget your password? Just log in as root!
I mean I guess in Apple's defense it DOESN'T work with any of the regular user accounts on my machine, so their tests of the auth layer probably worked in that regard. But c'mon, you ALWAYS try root with no password!
Jajaj exactly!! Amazing this went by for so long!!
My laptop at home is still (regular) Sierra, gonna have to see if this exists on the previous release too. I mean it's not "better" if this bug just slipped into High Sierra somehow, but it's WAY WORSE if it's been there for a while.
Let me know how that test goes!! Always nice to know if my password protection is utterly worthless!
Doesn't seem to work for me on Sierra
I'm honestly not sure if this makes me feel better. I mean "YAY my laptop doesn't have a gaping local authentication hole!" but also "WOW this got through apple's QA process."
I was unable to replicate with Sierra.
Thanks!! At least that is that!
Doesn't appear to affect Sierra - tried it several dozen times on my Sierra laptop and it just shows me the [blank] password hint.
In related news, my nagging feeling of "Oh, I should really get around to updating to High Sierra" has suddenly been assuaged.
(Yes @Apple, this level of what-the-fuck-did-you-do stupid is Panda Facepalm worthy.)
We'd like to look further into this with you. Please DM us any other details on this issue and we'll look closer into why this is happening with you there. twitter.com/messages/compo…
I just replicated THAT behavior over remote desktop/screen sharing.
Does this work if you click Cancel instead? Jk. Omg.
It's a feature. So they won't have to be involved when authorities need to unlock a mac.
NOT able to reproduce it on 10.13.2 Beta 5.
Just tried and I was like...
Remember “it just works” 😅
A: responsible disclosure. B: mailto:product-security@apple.com
Probably more effective if you had used their bug bounty program for reporting. Apple Support = tech support, not security vulnerability reporting: developer.apple.com/bug-reporting/
always go directly to the company via private channels before publicly disclosing massive vulnerabilities like this.
There's a tried and tested procedure for handling situations like these: en.wikipedia.org/wiki/Responsib… It is a pity it has not been followed. Most probably due to not knowing it, overall excitement and eagerness.
shame too- OP probably could've gotten a nice bounty from it.
Maybe. For obvious reasons, we don't know how many people *did* report it through the usual channels.
I found a PayPal vulnerability that effectively allowed stealing money. They weaseled out of the bug bounty. Many of these programs aren't credible.
imagine how much that would've been worth if you sold it on the black market.
plus we are to believe apple's testing is so piss poor that they didn't try this? easy backdoor, bet there are more and bet they are littered thru the un-secure junk tech they smash into our lives
Pretty sure this is excusable considering what it is. I'd even go as far calling this possibly intentional. If it wasn't intentional they should figure out a way to prove that..
I guess I'm not _entirely_ sure what precisely you're talking about here. "intentional": the unfortunate disclosure? Or the *cough* "feature implementation in OSX"?
meh, Apple has neglected the quality of their systems code for years. Worse than Linux, and I expect Linux to have local root holes, so this doesn't surprise/scare me, as long as it's not accessible via screenlock/login screens. Maybe lighting a fire under their butts will help?
And can just login at main login screen with root and empty password
His profile definitely supports the idea that it was accidental but still, the uncoordinated disclosure of such an impactful vulnerability is a heckuva way to introduce oneself to the security community!
Infosec Lesson #1: Slow down and think twice!! 😆
LOL My thoughts exactly! Sheeesh.
Agreed, but still remarkable this company...this company...with more resources than any other...could let that happen.
oh sure. but it's not the first time a major security vulnerability has been found in a powerful/wealthy company's code and it won't be the last. After all, this isn't much worse than what happened with equifax :P
Equifax has never professed to be magical, or to have products that "just work" or to be on the side of the consumer in any way.
WRONG !!!! Do NOT listen to this COMPLETE moron!
Why. Chaos speeds up the process you know?
Yeah wtf, this is a fail on the part of the OP. Advertising security flaws enables exploitation, more than the flaw itself.
Nah fam. Public accountability is the best
Here's the email address - now that you've done full disclosure without trying to privately reach the company: product-security@apple.com
Whether he knew about it or not it is his finding and his decision. If it bothers you go save the world yourselves by bug hunting.
Isn't security part of Tech ? I mean.. plus, someone once said that "security through obscurity isn't security" 🤗 cc @Nodraak
I can confirm the behavior on my machine running 10.13.1. Absolutely unbelievable!
We'd like to take a closer look at what's happening. DM us with more details, including what type of Mac you're using. We'll look forward to chatting with you further. twitter.com/messages/compo…
Ok, you got a DM which includes a video that clearly shows the problem.
holy fuck
It looks like what's happening is that when you do this you're creating a root user with no password. Anyone who's tested this out should go disable the root user again in the Directory Utility ASAP.
Do you have any more info on how to do that? I’m poking at Directory Utility right now and it’s…intimidating.
terminal command `dsenableroot` also works
once you have Directory Utility open, go to 'edit' in the menu bar and then click 'disable root user'
Root user will just reenable itself. That seems to me to be what the bug is.
Yup, just saw that too.
Ah - looks like the trick is to change root’s password and disable the account.
Correction: change password and leave it enabled. Disabling root after changing the pwd reenables the bug.
Oh hi Jack! Came here for the LOLs - nice to see a friendly face. :D
\o How’s things? :)
Using root/empty password in the auth panel will reactivate root again.
Works on Screen Sharing as well.
seems that Enabling root user after that and setting a password (strong plz) shuts down this attack vector.
Good call, that's a better idea than disabling root (thus leaving yourself open to the original vulnerability).
So just using the root username enables the Root user with no password. Sleep Well SysAdmins.
For me, “sudo passwd -u root” and providing a non-blank pw auto-enabled root. According to @danielpunkass root must remain enabled w/non-blank pw or the vulnerability remains.
Well, guess I will forever be plagued by update notifications. Just kidding, I'm installing debian tonight. gg @Apple
🤦‍♂️🤦🏻‍♂️🤦🏼‍♂️🤦🏽‍♂️🤦🏾‍♂️🤦🏿‍♂️🤦‍♂️🤦🏻‍♂️🤦🏼‍♂️🤦🏽‍♂️🤦🏾‍♂️🤦🏿‍♂️🤦‍♂️🤦🏻‍♂️🤦🏼‍♂️🤦🏽‍♂️🤦🏾‍♂️🤦🏿‍♂️🤦‍♂️🤦🏻‍♂️🤦🏼‍♂️🤦🏽‍♂️🤦🏾‍♂️🤦🏿‍♂️🤦‍♂️🤦🏻‍♂️🤦🏼‍♂️🤦🏽‍♂️🤦🏾‍♂️🤦🏿‍♂️🤦‍♂️🤦🏻‍♂️
Works brilliantly
And you can even login with root user and a void password from the lockscreen...
This only works if you've already used the exploit I believe. By default root is completely disabled. Doesn't stop anybody from going on a guest account and performing it there though.
I think this is mitigated by the fact that mac's don't get viruses.
's/fact/opinion/g'
Did you report this to security@apple.com ?
Confirmed on multiple machines. You can set a password for the root account to mitigate in the short term, but this is pretty serious :/
This is something we'd like to know more about to see how we can help. What type of Macs are you using and which specific version of macOS are you running? Tell us the details via DM. twitter.com/messages/compo…
this is a security feature, so NSA can easily make us safe.
Apple, the Microsoft of the 2010's
His middle name is Donald btw! 😅
Steve Ballmer? Rings a bell? That was a joke. There you have it now lets laugh.
I already knew that – I was making another joke (Donald Trump? Rings a bell?) 🙃
I wish so bad that you were wrong...
isn't this what weev went to prison for
😱😱 two clicks is all it took!
You should probably delete this tweet and report this vulnerability through proper channels. But thanks. Thanks for putting so many systems at risk. 👍
Your mindset prevents
Confirmed on multiple machines. You can set a password for the root account to mitigate in the short term, but this is pretty serious :/
Your sentence is incomplete.
Deleting the tweet would/might prevent @cweagans from finding a solution. It's true that the tweet should have never been sent. But, once the information is out there, it's out there.
That I understood. Thanks. And agreed, but damn. Think before you tweet.
lol - I think the word's out at this point.
Yeah. I get that. Stupid.
Think before you tell someone who isn’t yourself what to do
I've already retweeted it. So much for that idea.
Yup it works, we just did this on our Mac in our forensic lab
Thanks. We've confirmed this on 2 Macs & are writing it up. Procedure creates new Root account, no password, runs root commands w/o sudo.
Is this remotely exploitable? And can it bypass FileVault (EFI login prompt)?
I haven’t managed to get past FileVault with it yet…
I don't see any reason it wouldn't be exploitable if you have screen sharing enabled.
This is remotely exploitable through screen sharing (tested in our office). SSH does not appear to be affected as best I can tell.
MAY also be exploitable through file sharing (didn't test) or anything else that uses the same authentication mechanism as the login screen / preferences unlock.
(Re: SSH, Apple appears to default to "permitrootlogin without-password" so sshd just nopes out of any attempt at sending a standard password)
Does it work if you just type root as username from the login screen, when you have Display login window as “Name and password” set (should be the default with network login)? support.apple.com/kb/PH25800?loc…
On High Sierra when I authenticate to screen sharing as root it asks if I want to log in or request permission to view the screen. Select log in & you get the regular login screen. Click "other", log in as root w/o password - works as advertised.
Oh, so before you even have control of the screen?
Yeah, at the initial screen sharing prompt "root" is apparently valid as authentication credentials. (At which point you can go to the login screen and log in to a root desktop session as with the local exploit.)
I don't believe you can grab the currently logged-in user's screen (at least without their knowledge/consent), but you can get on the machine as root, which means you can go rooting around any unencrypted files they have. Just as terribad!
Argh. So it doesn't matter which users have been granted remote access as long as screen sharing is enabled? I hope I am wrong, but sounds like you could literally do a port scan over a network and compromise any Mac that has screen sharing enabled?
OHAI TO PORT 5900? I CAN HAS LOGIN?
So like go to a Starbucks / university / public WiFi, port scan for 5900 and go wild??? Can't be. Right? 😬 @SwiftOnSecurity
How terrible you think it is? It is in fact very slightly worse than that. (Both in that you'll pick up OTHER THINGS running VNC that may have no security at all, and in that Apple's remote control stuff has "other features" for code execution)
so ... this is part of apples rdp tool. not only can you see/control the desktop, but you can RCE and run reports and whatnot.
MAY also affect file sharing (pretty sure that uses the same auth layer as the initial screen sharing prompt).
When you return to login screen or reboot, there's a new user called "Other," no face. Select that, type in "root" as username, " " as password, bingo.
That's bad. Without the remote exploit this would just be a shortcut for booting in single-user mode and setting the root password (I don't think that's blocked by default?).
Without the remote exploit it's merely bad (local root at the console - fine, just don't leave your machine unattended unless in a physically secure location). With the remote exploit it's terrible (remote root anywhere if a vulnerable service is running).
And yes by default you can go into recovery mode and zap passwords - physical console access trumps pretty much anything except FileVault or other encryption schemes. THIS lets you bypass encryption: if the user is logged in and their homedir is mounted root can poke around in it
If it bypassed FileVault where would the decryption key come from?
Yes, exactly. File Vault cannot be affected
The computer literally does not have the information required to unlock FileVault if you don't provide it
That's a nice assumption to make. :)
One of the reasons my FileVault doesn’t unlock with user credentials, but rather a completely different password.
i don't know if this only happened because i already tried it from System Preferences but it also works from the login screen.
You get logged in as "System Administrator"
Wait, so everyone that’s been trying this out on their computers now has a spare, passwordless, root account on their machine? 🤦‍♂️🍏
or, you know, they created a root account with a freakin password - which is just as easy. sudo passwd root … …
Is Sierra also affected?
What login button? The only way I login is by hitting enter. Can you explain the steps taken to reproduce what you're seeing?
In English button reads "Unlock" in System Preferences login window.
Okay. I have unlocked, but am unable to create users or do anything as root. Can you do anything damning with this ‘exploit’?
1. Are you sure that there was no root user before? 2. How do you confirm? 3. Does removing the root user (without first securing with a password) recreate the vulnerability? 4. Same question with a password. (somehow none of my High Sierra machines are vulnerable)
1) yes 2) ran "periodic daily" in Terminal w/o sudo 3) dunno but would prolly leave you vulnerable 4) dunno. but 5) if you create root user WITH password using standard method, that should mitigate issue
Right, we've got mitigation done at this point. Now it's about science. There really should be a site for coordinating the crowd sourcing of information about zero-day exploits. Like @StackOverflow for decision tree development.
Did you password-protect your account? Because I'm pretty sure that the default behaviour is the creation of root user with the same password. If you didn't set up password at all it makes sense that you can sudo without password
We didn't intend to create a root account at all. That's kind of the point. Nor would we have needed admin privileges to do so
I tried to do it and it works. But when I'm trying to make a new account (with admin access or not), it doesn't work.
easter eggs yay!
crap, works on mine!
ryan do something!
Works with Keychain Access... OMG
Works with "Other User" from login window... 🙃
We'd like to work with you to figure out what's happening. DM us with what type of Mac you're using, along with your current macOS version. twitter.com/messages/compo…
It seems pretty self-explanatory, @AppleSupport. Have you tried it yourself on THE COMPUTER YOU ARE USING RIGHT NOW?
This also works with keychain access..... Confirmed on 10.13.1
Can you try to log in the machine using root without password?
You can bypass. It works on 10.13.1. Also note you can screen share bypass or remote manage bypass.
It worked for me on MBP Retina 15" mid 2014, macOS High Sierra 10.13.1
Now THAT is frightening.
Doesn’t apply to remote login. I just sshed on my machine (which unlocks like yours) as root and you can’t leave the pwd blank.
I never ever allow remote root login.
A good practice that I keep too. But I take nothing for granted when Apple leaves root wide open for local exploit in a shipping OS.
HOLY SH!T!@!#! Totally works.
depends on who you are and what you're doing
If you’re looking to pwn some macs, then it’s good.
A handful of software engineers at Apple right now...
1. "oh let's just try logging in as root without a password." 2. "oh let's try again" 3. "oh let's try a third time" 4. "wow it works" 5. Profit
Only happens if the root user is not enabled through DirectoryService, which is the default... OMFG
You really should've emailed them at product-security@apple.com and disclosed/reported this responsibly...
I’m sure many did.
This. Exactly this. WTF happened to responsible disclosure?!
What happened to the bug hunter gets to choose how he releases his findings? Not thrilled with his methods? Get to finding bugs!
Right. He doesn't work for Apple. Discovered for free. And with this method of public exposure you can bet your ass a patch will be highly prioritized
I'm not on High Sierra, myself, but could somebody try setting a password for root and see if that mitigates it?
this will also allow you to decrypt FileVault. this is so bad.
Yes but after the disk is already decrypted obviously
Why wouldn't you use responsible disclosure here? :| :|
Can you log in from the login screen, or (per your screenshot) is it just authenticating admin actions? I'm assuming if you have FileVault enabled, this works only *after* unlocking the drive?
You can login as a root user, with full permissions so you can view and modify any user account directories and files etc
Checking now. It even unlocks keychain... this is not good.
Great find! Adding a root password fixes it!
yeah, about to tweet
Haven’t tested FileVault though
I'm assuming you can’t get past FileVault with this, since the root account hasn’t been specifically enabled for FV access. (Still terrible, though.)
Noice back door 👌🙈
Not reproducible on my MBP.
Correction: it freakin' does!
Confirmed on my machine after the third attempt, logging in as “root” on macOS High Sierra v10.13.1
NSA would like to thank you for erasing yet another of their back doors.
Not sure it works via ssh however
Doesn't seem to work for me? Although unlike default I *do* have a root password set, so auth is actually just failing instead of succeeding against a disabled account.
Please look up "Responsible Disclosure". You just made the problem worse.
One possible hotfix to secure your machine is to set a password for the root account. Either via the command line or the system preferences.
you can even login to the root account with no password to desktop level
is twitter the future of QA?
oddly, I can’t replicate this on my High Sierra setup
Have you put your cursor in the password field? I needed to do that to reproduce.
Ever heard about single user mode???
Classy way of reporting security issues. The way to go...
Lol, it seems like @Apple has just lost a few thousand corporate clients. I’ll tell our security team about this vulnerability.
Why do you tweet about this, like you called it, huge security issue instead of contacting Apple via mail in the first place? With this tweet you made this issue even bigger. Not very responsible.
It's not his job to be responsible for these issues. I understand where you and many others are coming from, but it was on Apple to get this right. Honestly, Apple deserves to be blasted for being so careless. Let the people know.
Exactly. This is not a security issue, this is a joke.
Responsibility comes with finding this kind of flaw … Sure it’s Apple's job to prevent and fix those issues, but there are many people out there who depend on a "safe" OS or work in security related jobs … And this is not helpful.
Can you say with certainty that nobody was aware of the issue before this? Attempting to login as root twice is all it takes. Because of this tweet people are becoming aware of the issue and workarounds to make their system ACTUALLY secure. Being ignorant of it isn't secure.
Maybe Apple is now acting faster than if they would have contacted them directly, but I still stay with my arguments.
Responsible disclosure is about protecting people. With it, you might have a handful that know of a vuln, and a patch before it becomes public. Without it, you rely on everyone getting the news fast enough to implement defenses before the script kiddies get you.
Great explanation, thanks :)
I’m curious what you think about how yahoo and under privately handled their hacking situation? Maybe if someone publicly blew it up when it happened then peeps would b protected earlier
Yahoo and uber
There should be a statute of limitations. For instance when Google's security researchers find a vulnerability they give manufacturers 30-90 days to fix it before they publicly announce it. Whether or not they fixed the vuln, they announce it
I've said it before, but in most cases, I completely agree with this approach. But this vulnerability is both so easy to discover and so easy to fix that I think that it makes more sense for it to be public knowledge. It's more urgent for APL, and admins are able to fix it quick
I'm with Cory. Fabian comes off as a self-righteous prick. In actuality it could be corruption that needs to be pointed out. So as a civil duty, I believe it should have been posted on twitter. That's my ethical view.
I do think this could have been pointed out privately first, but I also think it's possible that people already were aware of it. Why wait for Apple to get around to it when the exploit is potentially already being used in the wild? That's what makes this case different for me.
I need to help everyone come to terms with this OSX root issue on the responsible disclosure vs. pulling the disclosure fire alarm. So in the interest of preventing a full on pro and against debate let's focus on the shit that really matters in #infosec 2 Words ROYAL WEDDING
pls point out the responsible disclosure hyperlink/contact info: apple.com/macos/security/ if the table isn't set well, not unreasonable to expect unintended consequences... not earthshattering QbD, risk management concepts
Attempting to login as root when root has no password. This isn't a common case.
Sure, nobody with any sense would assume or expect something like that to work. But that doesn't mean nobody's going to try it. If nobody has ever tried it, we wouldn't all be here, would we?
if you depend on having a "safe OS," then you should blame Apple for releasing a broken product, not the person who pointed out it's broken. public disclosure is how you distinguish a safe OS from one that merely has good PR
I think if there's a vulnerability that likely nobody else has ever discovered, then it makes sense to first attempt to privately disclose it before sharing it with everyone. However, this exploit is just so simple that I truly believe it's very possible people already knew it.
And despite that, isn’t there this unwritten rule of letting the company know before making it public ?
Wanna bet apple already knew about it and was going to slip a fix in?
don’t waste your time, cory has probably never read a single article about security :)
Again, I don't think it should apply when the exploit is so easy a three-year-old could discover it. Ultimately, I do think most issues should be initially brought up privately, but for something this blatant I don't think there's a point.
Don't worry... they can afford the compensations despite the huge taxes they are paying....🤔🤔
Yes, Apple ideally wouldn't have shipped it and it's up to them to fix. Announcing it publicly, though, is going to screw a bunch of Apple _customers_ for no good reason. Fault and blame are one thing, responsible choices are another.
The only reason- the SINGLE reason that I don't think it's so bad that this is being spread so quickly is that the fix only involves enabling and setting a password for the root user. I don't think that's more inconvenient than having this vulnerability and not know about it.
Blast them, but at least let them fix the issue before you blast them for the ridiculous oversight. Seems pretty simple.
Disagree. These issues should be made public so that everyone is aware of the vulnerability.
Have you reported any bugs Fabian? Please enlighten us on your experience with the process and the timelines involved?
Oh whatever. they do something that dumb, flay them out in the open, I say
since the fix is so easy, its better to be public about it
Congratulations, you don't understand computer and network security. If they didn't tell people, then it would stay a hidden exploit until Apple quietly patched it for those that bother updating. Now it's a big thing, people see it and apply the fix when ready.
Or selling it in the black market. There is a huge money making opportunity lost here.
You just ruined thousands of illicit gaming sessions.
As much as I love yearly os upgrades to add more spy software, maps, and emojis this is ridiculous!
setting a password for root seems to prevent it from working
You did privately disclose this to them first, right?
You didn’t just tell a guy who found something what to do with his finding, right?
Responsible disclosure is the most important part of disclosure.
That is an opinion. I happen to share that opinion but full disclosure still exists and ultimately it is the discover’s choice.
^^^ avoid the corporate push to shift the moral burden on to the researcher instead of the software producer (to the detriment of the users)
they talk about it as a moral burden so no one notices they cut costs/corners on security. apple is the most profitable entity to ever exist and their bottom line is not my moral responsibility.
This cuts right to it. Bad people with vulns doesn't hurt public perception, disclosure does. Hence this rhetorical trickery.
Indeed. The flood of morons blaming OP instead of Apple is grating. This sort of culture only allows companies to hide from their responsibilities for longer.
That's maybe true, but with that (inappropriate) disclosure he just might lose around $30k from the bug bounty program. Maybe think twice before going around the way-to-go?
There is no macOS bug bounty
An inappropriate disclosure? It might be a “tough disclosure” because it affects many people but in the end it is just a disclosure
Yes, inappropriate.
To all you developers liking Phil’s comment I want to see your bug bounties by tomorrow morning goddamnit
Responsible disclosure is a choice, not a requirement. Heck, half the time it doesn't even work at all and makes everyone less safe by delaying action. In this case? The vuln is trivial enough and embarrassing enough (but limited; needs local access) that I'd say it's a wash.
Exactly and not to mention that many researchers have faced legal threats and prosecution.
This does not require local access. It's exploitable remotely if "Screen Sharing" is enabled. Other sharing services may also be affected (authentication bypass).
By that do you mean the authentication bypass on the *initial* connection to the screen or just escalation once already connected?
For Screen Sharing it's both: You can auth as root in the initial request, which gets you to the regular login screen (also affected by the bug, so you can log into a desktop session as root)
for other services, I haven't tested it but I assume you could auth as root to e.g. AFP/Samba shares, bypassing normal user permissions checks.
That's pretty fucked up; implies the problem is deep in the bowels of the authentication system. Has anyone tried SSH? Still, this is so ridiculous (and trivial to find) I wouldn't have given them more than 14 days to fix and roll out the fix before full disclosure.
afaik nobody has gotten this to work over SSH. That is a huge relief for many, I'm sure.
Apple's SSH ships with "PermitRootLogin without-password" as its default, so it shouldn't be affected. (PermitRootLogin should just be "NO" IMHO but apparently nobody does that except me…)
(PermitEmptyPasswords is also "no" by default, so it would fail on that check too.)
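The two sshd settings named in the replies above are worth checking rather than assuming. The following script is an added example (not code from the thread or from Apple) that reports the effective `PermitRootLogin` and `PermitEmptyPasswords` values from an `sshd_config` file, honouring the sshd rule that the first occurrence of a keyword wins and that values inside `Match` blocks are conditional. The sample config files it builds are constructed for illustration; on a live host, `sudo sshd -T` is the authoritative view of the running daemon's effective settings.

```shell
#!/bin/sh
# Added example, not from the thread: audit root login exposure in an sshd_config.
# sshd takes the FIRST value set for a keyword and ignores later duplicates,
# and settings inside "Match" blocks only apply conditionally, so a naive
# `grep` can report the wrong value. `sudo sshd -T` is the definitive check.

# sshd_effective FILE KEYWORD -> prints the effective global value of KEYWORD
# (case-insensitive match, "key value" or "key=value" forms), or "<default>"
# if the file never sets it.
sshd_effective() {
    awk -v key="$2" '
        { sub(/#.*/, ""); gsub(/=/, " ") }          # drop comments, normalise key=value
        tolower($1) == "match" { in_match = 1 }       # everything after Match is conditional
        in_match { next }
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print "<default>" }
    ' "$1"
}

# root_ssh_risk FILE -> "ok: ...", "risky: ..." or "check: ..." with a reason.
root_ssh_risk() {
    prl=$(sshd_effective "$1" PermitRootLogin)
    pep=$(sshd_effective "$1" PermitEmptyPasswords)
    case "$prl" in
        no|prohibit-password|without-password|forced-commands-only)
            echo "ok: PermitRootLogin=$prl refuses password logins for root" ;;
        yes)
            if [ "$pep" = yes ]; then
                echo "risky: PermitRootLogin=yes and PermitEmptyPasswords=yes"
            else
                echo "risky: PermitRootLogin=yes allows password logins for root"
            fi ;;
        *)
            echo "check: PermitRootLogin not set; the default depends on the OpenSSH version (prohibit-password since 7.0), confirm with sshd -T" ;;
    esac
}

# Demo on constructed config files (not real system files).
demo() {
    d=$(mktemp -d)
    printf 'PermitRootLogin without-password\nPermitEmptyPasswords no\n' > "$d/apple_like"
    printf '# hardened? no: the first value wins\nPermitRootLogin=yes\nPermitRootLogin no\nMatch User bob\n  PermitRootLogin no\n' > "$d/misleading"
    for f in apple_like misleading; do
        echo "$f: $(root_ssh_risk "$d/$f")"
    done
    rm -rf "$d"
}

demo
```

The `misleading` sample shows why the check matters: a later `PermitRootLogin no` and a `Match`-scoped `no` do not override the earlier global `yes`.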
thank goodness.
According to you. To others, disclosure is the most important part of disclosure.
Maybe apple should open up their bug bounty to the public so there could have been responsible disclosure 🙄🙄🙄🙄
Preliminary tests indicate that if you change the root password, this no longer works. Thanks @curi0usJack for testing!
Changed root password here and it's still working...
Change the root password, and leave the root account enabled. That seems to fix it for now.
Wow….this actually worked. Scary.
Set a password for the root user: sudo passwd root I've had this as standard practice on all of my Macs for a while now, guess it saved me.
Why ... You have something to hide then?
It's called good security. Do you lock your doors because you have something to hide? Or maybe just that you want to ensure people have permission to enter? It's just common sense/best practice to be secure.
I did too. I didn't like the idea that it was on there "disabled" with some default password... I changed it immediately when setting it up. Turns out that was a good idea!
This is not the way to report security issues.
Shit like this is why I wait for a point release to upgrade after a major OS release. Apple’s MacOS QA is *abysmal*.
I would really suggest deleting this and contacting Apple's bug bounty program ASAP.
The Internets never forget ...
Thanks for pointing it out to the entire world.
Can't reproduce on 10.13.1
Rootless is so secure
You guys have really messed up. I'm hoping you're going to reimburse us for this MEGA issue #Apple
Reimburse what? macOS is free software that comes bundled with overpriced PC hardware.
Reimburse customers for their overpriced flawed laptops. It's a mega vulnerability for Mac users!
Oh you sweet summer child. Come back after you've read your EULA, dear.
It's neither free in terms of money nor free in terms of the definition of free software
Nothing new ;) Elevated privileges included!
We tried this and successfully reproduced the defect, but I think it's mitigated by explicitly setting a password for root by `sudo su -` and `passwd` from the shell.
wow really putting a lot of computers out there in the wild at risk with this tweet, huh
yes, @lemiorhan put them at risk. Not Apple for actually creating the issue. Now people are aware and can actually do something about it. Read the thread. If you set a password for root, the system is safe.
so are you saying that researchers should just publicly disclose all vulnerabilities now without trying to go through private channels so that the company can patch this issue?
That's not what I'm saying. For cases like this where the vulnerability is so easy it can be found out by complete accident, it should be publicly known. Especially when all it takes is setting a root password to mitigate the issue.
Yes! geezuz
Not a Mac person, forgive the noobness. How does root not have a password? Assuming all remote access, root is disabled. Is root only accessed via sudo like stuff when you need elevated privileges.
Apparently the bug makes it so when someone attempts to login as root, the root account is enabled. Therefore, the second attempt works.
On most Unix systems (including Linux, Mac OS, BSD, etc), you can have the root account "login-disabled" such that you cannot log in as root. (I have all my Linux boxes set that way.) You HAVE to use sudo or equivalent. That's the normal state on a Mac, but this breaks it.
Because Apple took everything good about FreeBSD and threw it in the bin. (that didn't take long)
Actually my fiance works for Apple in Ireland. Making it public is the worst thing you can do. Reporting it via the proper channels is how to do it. Now that this is publicly known, it helps the hackers more than the users. Very irresponsible post.
You're assuming nobody already knew about this. It's crazy how many times I've had to point this out but this could be discovered by ANYBODY (including the "hackers" you speak of) by complete accident.
I’m saying it’s the finder’s choice for responsible disclosure or full disclosure. Ethical quandaries be damned it is his finding not yours
For every tweet that mentions this, you can be sure there's thousands of attackers that never will.
I think that's on Apple for shipping a fucking Linux OS without a password for root. If this guy knows it, who else has, and has been actively exploiting it? Perhaps now it'll be patched faster.
I suspect this is because the root password is empty by default. A workaround would be to set it by opening Terminal and doing `sudo passwd`. And yes, this is an absolutely terrible bug regardless of this workaround.
yes-ish: The root account has no password by default, but it is disabled in directory services by default so you shouldn't be able to log in to it anyway.
Nice. I like how you just... tweeted it out.
Whoa! Houston, we have a problem.
This is actually a bit scary. I guess the cat is out of the bag now, but I still recommend deleting tweet. Biggest Mac vulnerability I have ever seen
Unable to recreate this on 2 macs and 2 different virtual machines for testing software.
Why the hell would you publish this on Twitter, instead of notifying Apple privately?
for internet points, obvs
The bug hunter gets to choose how he releases his findings. Responsible disclosure exists, so does full disclosure. It is his decision.
Are you sure he didn't?
Doesn't matter. He shouldn't put this out publicly until a fix is deployed. That's common developer courtesy. He just did this for cheap internet points.
Just in - #Apple #MacOS High Sierra and #iOS11 first and second place in competition to be "As Buggy As Windows ME"
Definitely not working for me, maybe it only works if you haven't changed the root password?
You can even use root with empty password on the main login screen by selecting "Other..."
“we’ve decided to outsource our QA team...to twitter”
Mitigation seems to be to disable "Name and password" logins and fast user switching. This way at least the screensaver is protected. Filevault seems secure too this way.
Trouble is when an option to log in as a guest is allowed. Then you’re not protected anymore.
This also gives you unfettered access to the System keychain, which contains Wi-Fi passwords and BTMM encryption keys
It'll unlock the keychain on the first try, too
Maybe report to the company first before disclosing on Twitter and exposing many people to a 0 day exploit.
Ugh. @apollozac - have you seen this?
yep, unfortunate, setting a root user password is a workaround, we’re posting a guide shortly
Now #apple needs to come up with excuses & tales which -media agrees to parrot -Nontechnical folks believe -Fanbois paste for Apple webwide
On the upside, setting a root password with the Directory Utility is fairly easy, because you can exploit the bug to unlock the utility in the first place.
When in Rome, I suppose.
Yo dawg I heard you like business in your business.
I just disabled root login.
I think you "just made yourself vulnerable". The root user password is not being compromised. A flaw is CREATING a root user with a blank password. You need to create a root user yourself to prevent this.
looks like my root user’s not activated - does that mean I don't need to do anything?
Your condition is thought to be what enables the exploit. A flaw in the Security (or UI) stack creates a root user with no password. Creating a root user and setting a password prevents this.
okedoke - thanks
The solution is to not use a mac to begin with.
I'm wondering about the payback of money spent on hard drive replacement!! Such as mine??
This happens when profit mongers start messing with the code in the perfection of Linux !!
Darwin is based off BSD, not GNU Linux, please!
All stable OSes are Unix based! ~ is my point, until some monger starts playing with it, then we end up with shit like Windows!
Trying the “Change Root Password” in Directory Utility isn’t working here. We had to run `sudo passwd root` in the terminal. That was the only way to get it to work.
Great quick response, but incomplete. You need to explain why a root user with a password should be created (& confirm that having no root user is a vulnerability). & explain why Guest User should be disabled.
I see you updated the "Guest User" and "Name and password" login window info. Also, replace steps 1-5 of Changing root password to "Use spotlight to search for 'Directory Utility'". Good work!
Or use "sudo passwd root"?
Sorry, I see it in the video.
What if the Root user is NOT enabled?
does the user have to be unlocked?
Oh come on. I tried on 10.13.1 without setting any root password. It doesn't work. Maybe you forgot to update from 10.13.0?
My first reaction: how can you have a mac and not change the root pwd the first minute? I tend to forget that most “normal” people haven’t the faintest idea that OSX is Unix, or what that means. Hiding the complexity has a cost.
This is what bug bounty programs are for - why are you posting this publicly so other computers are now at risk?
may not be, but now the entire Twitterverse is. Great job, A+. 🙄
Nice, I have to test this
Confirmed. Worked as well.
That's bad. Lol.
..."It just borks..."
Trying this out while logged in enabled my root account. Yikes - that makes this issue a billion times worse. Make sure you disable your root account. Follow these steps: support.apple.com/en-us/HT204012 (but disable instead of enable)
you might want to see this
This is, according to some people on HN, exploitable remotely through the "Screen Sharing.app"
To my understanding this enables root user, which is disabled by default and has no password. If you try to replicate it be sure to set password to your root user by doing "sudo passwd root". You can disable root user when @Apple fixes this issue.
It actually works!
Doesn't work on my laptop
What version of High Sierra are you on? I'm on a beta build and this doesn't work for me
It works for me! HS 10.13.1 on Rmbp mid 2014
🤣🍎👾💀☠️
How about that lock screen though? ¯\_(ツ)_/¯
Doesn't work for me. OS X 10.12.6. Just put root in the user name and click a couple of times?
OSX 10.12 === Sierra, this is for High Sierra (10.13.x) only
/usr/bin/osascript -e 'do shell script "whoami" with administrator privileges'
Pretty sure @Apple announced the OneClick BlankRoot feature during their macOS High Sierra reveal. Here is the clip from the WWDC 2017 Keynote: 🤣
Anyone using Apple products deserves to be hacked!
Oh fuck. Log in as "guest" > system prefs > users > root...
In-Thread Reminder: Turn off Apple Remote Desktop / Screen Sharing on affected systems. This is exploitable remotely if that is enabled. SSH ("Remote Login") does not appear to be affected as best I can tell.
Changing root Password would be the better advice in case someone needs Remote Desktop?
I suppose it really depends on the situation.
This also works, yes. On a Real Unix my advice would be to set the password hash to "*LK*" or similar to lock the account. Disabling the account DOESN'T work (the bug seems to be that it ships disabled but gets enabled by the system without asking, and has no password by default).
Shamelessly stealing!
How do you mean?
There are a couple of similar ones that have cropped up already. Here's one
Nothing new ;) Elevated privileges included!
That so many have appeared is evidence for the obviousness of the joke. That particular tweet appeared 8 minutes before mine and is from someone I don't follow.
But more to the point: when I heard about this, I raced to my app store to see what version I was on. Speaking as someone who made the joke, this joke writes itself.
Hey, I agree with you. Just the messenger!
No. Not at all ashamed. Didn't steal this.
I'm on High Sierra 10.13.2 beta and can't reproduce this.
Did you change your root password to something other than the default already? I did and it didn't work for me either.
Nope, turns out I had to try it twice and mash the return key, then it worked for me. So I just reset my root password now as a precaution.
Serious question: why not disclose responsibly through hackerone.com/apple or other channels rather than on twitter?
that's both ethically better AND worth some cash
Tbh I am pretty sure the bug is going to be fixed wayyyyyy faster this way ;)
But this type of "disclosure" greatly increases the chances that this bug is used in the wild.
especially when it’s so easy. Spike in laptop thefts today I bet 😜
If you saw someone left their keys in their front door, would you let them know by calling the news? Or would you maybe knock on their door so the whole city doesn't find out first?
I will call the news... They know how to scare the populace.
Confirmed on a 2017 MBP running HS 10.13
I’m so glad you advertised this for the entire world to see. 😱😱😱
Ah someone else confirmed my suspicion. Lol @ all the people not changing their root password
Mac: Identify yourself. Guy-in-Ski-Mask: I am root. M: No you aren't. Identify yourself! G: I am root. M: "Well, OK. You have an honest face."
This is the 2nd time I tried it in the same session, but even the 1st time, it only told me off *once* before allowing the 2nd try...!
Oh wow, that's bad..
I confirm that it is true and that's why I was threatened by Apple constantly to remove #QuitApple tweets
What a douche move! Report it to Apple first. Give them a chance.
Thank god it wasn't in Android or @AnttiKurittu would never stop talking about it!
Well, Topias - Your Android seems to have this feature. And it's a feature, ok?
Too late, and it worked :(..
Why didn't you report this to Apple's security team? Why go public first? #Irresponsible
I fully support @Apple suing you for this. Learn how to disclose security bugs before you call yourself a "Software Craftsman".
Apple is going to sue someone for their own software flaws? That's rich. Exposing it publicly lights a fire under Apple, forcing them to prioritize a fix. Private disclosure lets them drag their feet.
No, there are ethical disclosure systems. This puts millions of computers at risk. You don't expose zero days like this. Apple will probably not sue them, but I would be fully supportive of it if they do so.
Apple has a track record of ignoring serious security flaws such as this, for months after private disclosure. I fully support this public disclosure, which informs end users about this serious security flaw. Apple has no basis for filing a suit.
You can publicly report a bug if at least one week of no response from Apple has passed. You’re not helping anyone with this, you’re just allowing script kiddies to hurt millions of people.
Not everyone is an "ethical hacker." Software devs don't owe Apple such courtesies. Perhaps the blame instead belongs on Apple for not performing critical QA and testing?
Bugs happen, it is the nature of programming. The blame is on Apple, but that doesn't excuse this type of disclosure.
This public disclosure is fully excused by the sheer volume of bugs in Apple's software as of late. Perhaps they should do some beta testing before releasing their shit software into the wild.
Apple suing for what? For asking a question? 😂
So law defines ethics?
Nope, but it depends if something bad happens as a result of this.
If so, then Apple would need to hire some turkish lawyers...
Apple can’t sue him for tweeting them about *their* mistake. He hasn’t put anyone at risk, Apple did. They need to fix it, but they also need to test better.
He should have told apple, privately and then give them at least a week to fix it. This is unethical, and in some jurisdictions, based on previous rulings (precedents), illegal.
No, THEY should’ve got it right. He had the right to tell them or not, and via a channel of his choosing. If setting a root password fixes it, this is arguably better - it doesn’t need to wait for a patch, because people can see it and set a password.
I see you're a CTO of a company. If someone found a bug that put the data of your customers at risk, should they tweet about it? How do you think your future customers would feel about you essentially telling people to post security vulnerabilities of your service online?
I’d prefer they reach out to me, obviously. We’d deal with it immediately too. But I’m not a big enough ass to blame THEM for data loss caused by OUR bug in that instance. I would certainly not consider suing someone for damages caused by my own team’s incompetence.
And, if they told my customers so they could take defensive action themselves, that would not seem unreasonable.
You do not control how a bug hunter discloses his findings. What type of power do you think you have Twitter user 194738294739?
Better that someone tweet about it than sell the exploit to nefarious actors on the darkweb. The error comes when you write software that has such a serious bug, not when someone discovers it.
apple should be paying the man
Yes they should! Only if he gave them enough time to patch the issue.
they deserve it for their weak bounty program
He doesn't have to do that. He has no responsibility for Apple's security. They have billions they can spend on their own engineers. He's free to announce it on Twitter or put it on a billboard. Don't try to police other people's behaviour.
"Hey, the government made a mistake and this is how you easily print paper currency that looks exactly like original. "
This isn’t currency printing, this is “Mac users, set a root password because Apple QA dropped the ball and anyone can log on to your machine as root”
The logic stays. Exploiting other people's errors is sometimes punishable.
There was no logic to refute. He hasn’t exploited anything - he’s publicly warned people how NOT to be exploited.
No he didn't say how not to be exploited. Read his tweet again.
Irrelevant. Nobody needs to follow the norms of “ethical hacking,” especially people who never claimed to be such and who may not work in infosec.
100%. This wasn’t a complex, deeply hidden, hard to exploit thing needing a dedicated exploit kit found by an infosec researcher. It’s a login button on the lock screen, which you have to press after forgetting to put in a password.
yeah, nobody needs to do anything man
To fix MacOS High Sierra Passwordless Root Account issue, create a password for the "root" account. isc.sans.edu/forums/diary/A…
That is a pathetic take. Everybody in the business knows how this goes. All attackers know it and only a fraction of the possible victims know it. Also, where did he explain how to not be exploited?
2 hours after disclosure :)
And your issue is... what? That he failed to follow a set of rules you and others he didn’t sign up to made up, which he may or may not be aware of, and didn’t tweet as fast as you think he should? Wow.
My issue is that he (together with Apple) made a whole bunch of machines exploitable.
With disclosure, end users have the ability to secure their machines, instead of believing in a false sense of security. Don’t blame the messenger.
Also the defense that he, as a software developer, does not know a thing about software security, is very limited.
I think people don't understand that we're not saying Apple wasn't responsible in this. We're saying you took an issue and made it 1000x worse.
You’re saying the guy who found the bug and told people about it, deserves to be sued. I think you don’t understand what a douchey position that is. In this country we have freedom of speech.
Freedom of speech != Freedom from consequences... Seriously is it coming down to this? I thought at least we would understand that.
Actually, it does mean that he cannot he sued for his speech, which in this case, was informing Apple’s users that we had a false sense of security due to Apple’s poor software development.
No, it means the US govt can't sue him for his speech. It does not mean a private company can't do the same.
They can sue, but cannot win.
If Apple sued, the case would be dismissed immediately due to having no basis. Where and when did he agree, in a contract wherein value was exchanged, that he would not disclose their software vulnerabilities?
I am not a lawyer, and will not comment on this.
I’m an accountant, but I feel perfectly free and adequately informed to comment.
That's up to you. I live in the United States and I'm not allowed to give law advice.
Made it worse and also lost $200k :)
Apple's Ivan Krstić at #BlackHat2016 announces the new bug bounty program, with impressive payouts.
No, *apple* made them exploitable - by clicking “login”. This was not a zero day, highly technical vulnerability which only nation states would’ve found otherwise and from which most people were safe via obscurity. It’s *a login button*.
And the whole concept that Apple would even have standing to sue him is asinine. In what world is that a crime? In what world would any judge find the user who disclosed this at fault, for a bug/vulnerability Apple left untested and open?
Regarding your forgery example, forgery is a crime. Making Apple uncomfortable is not. Yet...
I think the argument is more so that it was an unethical way of disclosing the bug. He should have contacted Apple, and if the bug doesn't get fixed in a reasonable amount of time, then you disclose it to twist their arm, but this just increases the risk of attacks.
And I’d agree with that if people couldn’t fix it themselves - if you’re waiting for a vendor patch, disclosure is bad. In this case, you can self-fix. But even then, those aren’t *laws*, just infosec community guidelines - he’s not obliged in any way to follow them.
The problem with the self fix is only 5-10% of users are going to be technically inclined enough to apply it unfortunately.
Not everyone signed up for the rules of ethical hacking. Why should a software dev who is unaffiliated with Apple care about protecting Apple’s reputation?
...BY USING CRAYONS. If we’re going with the currency analogy.
That's also not illegal as far as I know. Guides on how to build illegal machineguns aren't.
I am not defending the legality take. My apologies if it looked like that.
I also tweeted later that I wish I had stuck with unethical. Sorry about that.
Lol ethics and law are very distinct. You can’t be going suing people for saying “hey look it’s broken” This may have been wrong, but definitely not illegal.
Law depends on precedents and different jurisdictions, I can't tell for sure where this person lives. It definitely was wrong, and in some cases, illegal.
Apple put millions of computers at risk by getting it wrong, this warning has a relatively easy workaround that people can do, so it might be just as good to tell everyone and have them make a root password than wait for a patch
Software bugs happen. Are you saying you can write bug free software?
no, I'm saying don't put the blame on someone because he announced it. I'm saying that discovering a bug that has an easy workaround and making it public is as good if not better as sending a private message to apple about it.
By making it public you're allowing script kiddies to potentially attack millions of devices.
by making it public you're allowing people to protect themselves by finding a fix, you think this is a bug that's hard enough to find so that someone with ill intentions didn't know already?
By keeping it private, you disempower end users, turning them into sheep who have a false sense of security. Again, I don’t think the guy is claiming to be an infosec professional, thus, your rules re:disclosure don’t apply.
Ethical disclosure is great for those who get early notice. It also allows Apple to prepare a press release saying "only occurs in outdated software" - which will be technically true by that point. It's crap for literally everyone else.
You're an idiot Amir. Apple shipped an OS without a password for root. Don't be so stupid. Your fan boy is showing. If you were a responsible engineer you'd understand what a colossal fuck up this is.
I understand this is a huge error, can you explain why (irrelevant of company) making it public helps those that aren’t tech savvy as opposed to script kiddies? Genuine question
Because if he knows, others likely know who are actively exploiting. You can mitigate immediately via Terminal: > sudo passwd root Set a password you remember, and this epic Apple failure is FIXED. Meanwhile Apple has an update lifecycle where you may be exploited in meantime.
Exposing it allows a non-tech-savvy person to be aware their information is not secure, while incentivizing Apple to act quickly. In this case, the end user is also informed as to how to maintain security until Apple releases an official fix.
Thank you. Anyone can immediately: > sudo passwd root And your OS X install is secure. Otherwise await Apple PR to polish up the biggest turd of a mess I've heard and an update. This is a Linux derivative that was shipped w/o a password for ROOT! This is NOT okay.
That's not a solution for the millions of end users out there.
He didn't design the OS, or forgot to set a root password. That's on Apple for the masses. If an Infosec guy knows this, this crucial immediate fix is for high security environment macs who can't wait a week for a fix buried within an update.
I agree it’s great for a minority of confident users but the majority are going to be sitting ducks.
I see the logic and understand the point. I’m not sure in practice it’ll work this way as people need terminal confidence to fix, the majority of users won’t be in this space. I hope you’re right on the incentive side
Put it this way, you can decrypt HDDs, and do pretty much anything with the root password. If a casual security researcher knows, time is of the freaking essence. Not everyone uses Macs as a casual user, these are in high security environments. They shipped a Linux OS w/o root PW
Sure! Glad you asked. I'm not sure at the extent of this, this can potentially be used by programs running as root to remotely execute code. I completely agree making these public is good! But this should happen at least after a week has passed over reporting the issue to Apple
Sorry for the angry reply, but that takes an update cycle, followed by Apple's PR to polish up how a Linux OS derivative was shipped w/o a root password. A page is already up informing users to set a password with one Terminal command. End-users are entitled to an immediate fix.
I never said this isn't a fuck up. I'm not a fanboy of any company either, I use devices from essentially every major company out there. This disaster was made much worse by providing the details about it without Apple providing a fix for it yet.
Couldn’t agree more, seriously irresponsible putting this out like this.
Apple thanks you from the bottom of their money pit. Sigh.
please leave the internet
hah get bent, then try to understand a tiny modicum of law.
Seriously, this is dangerously irresponsible. Somebody tell me this isn't the very first disclosure of the bug to Apple.
I was kind to others but you sir, get fucked where you stand.
you're autistic. literally, you're one software dev that needs to kys.
Which just shows how stupid you are. Apple's bug bounty program is not open to the public, it's invite only.
Then isn't contributing to this discussion also partially responsible for publicizing the issue? It makes it trend on twitter, so since we're casting blame here...
It's like suing a man who was shouting fire instead of notifying the cinema owner and patiently waiting for the outcome.
there's a big difference between yelling "FIRE!" (being a good samaritan unto others) and irresponsibly disclosing a security bug.
Oh get off your high horse Amir.
A sheep riding a high horse is quite impressive tbh.
Amir is a sheep
I would like to clarify my point here. I should've just stuck to the fact that this is "unethical". Apologies about that point.
👍 security through obscurity.
Under what legal theory would they be suing him?
Try understanding 'full disclosure', then read any papers by @0xcharlie then try commenting on a subject of which you have more than a vague notion.
Oh please. Do you know how long bugs sit in Bug reporter without seeing any attention? I still have a bug from 2013 sitting there. Apple doesn't care.
You are one savage S.O.B
I must be "doing it wrong". Can't reproduce it as described.
So this requires physical access to the machine... so not exactly a big deal unless you're hiding stuff from someone.
Not true. I just browsed other Macs on my local network and established screen sharing with root/no password.
Holy sh*t it works..... wtf
You mean it doesn't work. ... Apple securitat...
Something does not work for sure but logging in with root works :-(
Just logged in into my MacBook by using root on the login screen! Unbelievable
For now logging in as root (or doing sudo su) and changing the root password locks me out of just logging in as root though. (Temporary) solution
it appears that if root isn't enabled, whatever you enter in the password field will enable root with that as the password. Tried multiple times, works like a charm.
It works with Keychain as well to show passwords. I wonder how long it will take for Apple to release an update.
my guess is 24hr. Maybe 48.
Special feature to please Richard Stallman?
haha it works tested on a couple machines here
Because fuck responsible disclosure....
omfg, wtf @AppleSupport i just tried this and it unlocked my preference.
And you disclosed on twitter vs privately to Apple because....?
I'm a GNU/Linux user, so I obviously find Apple's vulns hilarious and everything, but, uhhh... Responsible disclosure?
The man @lemiorhan gets his two minutes of fame at the expense of others. Nice one.
We have nothing to hide how about you?
Stumbles upon dangerous radioactive basketball....starts pickup game with entire prison yard
Why would you disclose it like this? Software developer should know better.
People saying "at least it's not remote"... yeah it is. I was able to just connect to a co-workers machine as root and it did not prompt them for permission or anything.
oh god...🤦‍♂️
No, OSX screenshare. SSH did not work for me.
It sucks big time. Thanks bro.
it’s just like the guest account.. but only for friends you *really* trust 🔒
Why in heaven’s name are you disclosing this on Twitter????????????????????????
... even better than „goto fail“ - sigh 😔
Great find but why tweet it? 🤨 Contact Apple
Works from any system keychain authentication too, not just in users and groups.
look at this grotesque security flaw in High Sierra
Post coming out shortly.
Uuuuh what fancy name are we going to give this? Rootcanal? BiPASS? RottenApple? The Rootening? So many bad puns!
This doesn't seem to affect macOS Sierra 10.12.6 (16G29) nor High Sierra 10.13 (17A291m). They just stay at the login box.
that's the proof of concept build according to DOJ specifications
Can confirm on 10.13.1 - can authenticate in System prefs, can log in as root from lock screen if fast user switching is on. Changing root password via terminal prevents it.
Worked for me after using enter key instead of mouse clicks to get the root user to stick
Mac OS X High Sierra is
This is bad... you can prevent this by changing the root password: open Terminal -> type passwd, press enter, enter a new password, then confirm it. If you can't find Terminal, search for it using Spotlight.
A temporary fix found/suggested by @DanFrakes - do the following and add a password to the root account
It works, I did it on my Mac
Yeah and please fix the calculator as well !
I'm on 10.13.1 and was not experiencing this result by clicking several times. I did, however, notice that by changing the focus from the User Name to the Password field (while still remaining blank) and just clicking the Unlock button *once*... I was able to get in. 😬
I disabled root login.
This is reckless, before even trying to contact Apple directly! PRIVATE
this is.... not good....
Holy fuck this is legit 🔥🔥🔥🔥
So maybe this was part of a new @Apple law enforcement back-door arrangement with @FBI?
Just tried it. Worked on second try! Not good
We are root.
Fix for the #apple root bug: 1) open Directory Utility app (via Spotlight or other) 2) Click lock to make changes, log in with admin account 3) Click Edit -> Enable Root User 4) Click Edit -> Change Root Password… 5) Set a password 6) Do NOT disable root user!
2) Type in „root“ as username, click „Modify Configuration“ a few times
Yeah that's the more "radical" approach :) Don't know if this has other unwanted side effects though, which is why I left it out.
I just couldn’t resist, sry 😂
You can also do it over the command line and it works. sudo passwd root
Yes. This was meant for the average noob :P But I'm also not sure in what "enabled" or "disabled" state this leaves the root user and if it works in either previous case.
You're right to publicly expose this back 🚪
holy shit. it works!
It just works
This is pretty bad! Especially because even if you “Disable Root User” through Directory Utility the process explained by @lemiorhan re-enables root access. @AppleSupport @Apple @savtwo These guys are going to love this: @siracusa @caseyliss @gruber
Do not disable, just change (set) password
Yup! Thanks!
curious if this works if you have macOS configured with a username/pw field (like, say, a computer lab with network accounts)
Works for me! Hah.
its just the master password for the @NSAGov :)
glad i’m still on sierra where i can’t reproduce this
Were likes and retweets that important to not contact Apple privately and wait for the vulnerability to be patched before publishing the exact steps?
I'm wondering how did you find it
I only had to hit enter once, click out of the password field, click back into the password field, click enter a second time and I was in!
To the people who this is working for, are you on a fresh install of High Sierra or did you upgrade from previous versions?
As a software developer you should know better than to do this publicly. I think you just opened yourself up for irresponsible disclosures at your company.
Hi Lemi - reporter for BuzzFeed News here. Could we chat about this issue? davey.alba@buzzfeed.com
Oh nonononono nonono nooooooooo
Is nobody reviewing their code?
really fucked up vuln and really fucked up way to disclose it
Holy shit, this is bad!
Confirmed... Sigh. Poor QA practices affect all software companies, no matter how large they are or how large their market cap.
Similar bug on Apple iPhone devices (#iCloud removing) - entering wrong passcode several times it can bypass iCloud screen and allow customer to activate device. Easy iCloud unlock.
If you disable the option to type in your username and password at login this will prevent unauthorized access after screen lock or restart.
Was able to reproduce on 10.13.1 on a '15 MBP, able to then login, and also BYPASS FULL DISK ENCRYPTION AT BOOT (:
Kinda tmp fix: Login screen click `Other...`, login with root (empty pwd) and change password in system preferences.. I just hope it didn't break something else..
Seems to be fixed in 10.13.1
There is a reason we have product-security@apple.com
it also works from non admin accounts from the same machine
Oh my. This was confirmed on two machines here too. Thankfully, we don't use High Sierra in production anywhere yet.
CIA is but didn't tell anybody.
Talking about safety, this may not have been the smartest way to disclose this. A private message to Apple would have sufficed.. But all the credits to you..
Check Directory Utility. Root user is enabled (and by default has empty password). I didn't enable root previously but it was on. Disabled root user and now the repro doesn't work.
Confirmed on fresh new MacBook Pro 💩💩💩
Wow, I was also able to replicate this. This is not good...
To Apple: WTF?! To y'all: Responsible disclosure much? To everyone at an Apple store: yay! To hackers: pay. I haven't tried this yet... brb ;) #infosec #opsec #cyber #apple
(No comment)
works in 10.13.2 Beta as well.
way to do responsible disclosure?
I'm the one who retweeted it! But clearly a flimsy OS 🙄
I had seen it RTed earlier by someone else, that's why I didn't see yours! We'll see how they handle the PR ^^ Are you able to reproduce the bug?
This is how huge security issues should be handled. WITH PIZZAZZ.
Deactivating doesn’t work. It will be activated again :)
Does it also work for unlocking FileVault at boot time?
so funny, nice one @lemiorhan
This actually works from the login screen too. "Setting up your mac" and voilà, you're logged in as root.
Sorry Apple but this is so dumb that it deserves to be on Twitter 😂
Worked for me, too. This is unbelievable.
Or ‘sudo passwd root’ in terminal.
It has been years for such a security issue... Si Apple..
Works for me on the first time on the 'switch user' / login screen too. Absolutely horrifying, how does something like this get missed.
For those outraged he disclosed this on Twitter, if someone found a vulnerability on a Toyota that caused it to burst into flames by pushing the brake a certain way, wouldn't you want to make sure as many people as possible knew about it so they STOP using the vehicle?
(No comment)
hooo leeee shit
Apple is losing its fastball. This is sloppy as hell.
Don't reproduce this on your Computer unless you know what you are doing!!!
Chill, there is nothing that can go wrong here
Well ... if you do you'll have generated a root w no pw that is shell accessible.
And that user hasn't been there before. So trying the trick does change your OS in a way.
I assure you that root always exists on any *nix
Probably a good idea to disable root from the Directory Utility or Change Root Password... Looks like the Root account was left enabled with no password on High Sierra by default.
Root account comes disabled by default. The problem is this procedure enables without user consent. The only true workaround is to leave root account enabled and change its password.
If you disable root, it will be enabled again if you type root in login.
Wow. Just. Wow.
I reckon it will play out something like this
Support is almost useless for BRs —Apple evidently has a real security team somewhere. *GROAN*
It's too bad this wasn't reported via the offical security channel, unless it was and ignored
How did you figure this out?
Accidentally pressed enter key I guess?
This is hugely irresponsible, @lemiorhan.
Hahahahahahahahahahahahaha... *gasp* Aaaahahahahahaahah!
tested this at our studio on several networked and outnetworked machines. security flaw is real. 😮😵
this is a huge fuck up are you going to admit it or what?
won't be happy their backdoor has been found! "I told you to make it 6 clicks you idiots not 3!"
C’mon @Apple, you know you can do better!!
it worked at first attempt... oh dear good @Apple =(
Haah! better focus on Security first instead of Emojis!
It's @Apple ; you're just not using root permissions correctly. :-)
Holy cow, worked on first try.
Can confirm vulnerability is present in 10.13.2 Developer Beta v4 !!
Same here! Verified with my MBP 15” mid-2017
Tested with @bluelogon and @F52C877B This is... beautiful :D
In fact it's required to use the hack of System Preferences before using the login screen!
I am on a subway platform w/no Mac in sight. Does this legacy shit work? developer.apple.com/legacy/library… % dsenableroot -d username = [your username] user password: dsenableroot:: ***Successfully disabled root user.
Nope; root is disabled by default, this enables it and sets a blank password. Verified on my machine. Best mitigation RN is enable root and set a password.
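An added example, not a reply from the thread and not Apple's own tooling: a small script that checks whether the root account is currently enabled on a Mac and applies the mitigation the replies above converge on (leave root enabled and give it a real password, via `dsenableroot` and `passwd root`). It assumes macOS's `dscl`, `dsenableroot` and `passwd`; the `dscl` output it classifies is read from the live system, and the sample strings used to exercise the classifier are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): check the macOS root account state and,
# if needed, set a root password so the blank-password login path no longer
# works. Assumes macOS's dscl(1), dsenableroot(8) and passwd(1); on other
# systems only the pure-text classifier below is exercised.

# Classify the output of `dscl . -read /Users/root AuthenticationAuthority`.
# A disabled root has no AuthenticationAuthority key (dscl prints an error);
# an enabled root carries a ;ShadowHash; entry, which is present even when the
# stored password is empty, so "enabled" alone does not prove a password is set.
# Prints "enabled" or "disabled"; returns 0 for enabled, 1 otherwise.
root_state_from_dscl() {
  case "$1" in
    *';ShadowHash;'*) echo enabled; return 0 ;;
    *)                echo disabled; return 1 ;;
  esac
}

# Live query on macOS (2>&1 so dscl's error text is classified as "disabled").
root_state() {
  root_state_from_dscl "$(dscl . -read /Users/root AuthenticationAuthority 2>&1)"
}

# The mitigation from the thread as one step: enable root (harmless if the bug
# already enabled it) and set a real password. Both tools prompt interactively,
# so no password ends up in argv, ps output or shell history.
mitigate_root() {
  dsenableroot        # prompts for an admin name/password and the new root password
  sudo passwd root    # prompts again; keeps root enabled with that password
}

if command -v dscl >/dev/null 2>&1; then
  printf 'root before: %s\n' "$(root_state)"
  mitigate_root
  printf 'root after:  %s\n' "$(root_state)"
else
  echo "dscl not found: not macOS, skipping the live check" >&2
fi
```

Re-run the check after any later "disable root" action: as several replies note, disabling root resets the state that the blank-password trick exploits, so the safe posture is an enabled root with a password you chose.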
Never met a matt I didn't like. Thanks. - matt
you’re welcome! loved your talk at strange loop btw, been eyeing some of those grants/opportunities.
Security testing tools, 2017 edition.
Literally thought this was some sort of joke until I tried it myself. This is not so much a "security hole" as "a complete absence of any sort of security".
that's some windows NT type security, sadly to be expected with proprietary hardware
Set a root password (I think you can do it from Directory Utility). Any password. That will fix the problem.
Might sending an email be slightly more responsible than tweeting?
Was able to replicate in terminal with three tries.
Oh, don't even ask, this Apple is a dunce :)
Just tried this! Good lord! It works :O
[TempFIX] - change the root account's password. Please share it with world asap
It even works from the login screen. Just change Display login window as: Name and password, logout of your current user and type in root, hit enter and you're in the system!
osascript -e "do shell script\"mkdir /THISIZSERIOUS\" with administrator privileges" Fill in root and hit ENTER. #nosecurity #notesting?
Here’s a solution: don’t update to high sierra
Is it authenticating the password for an [unprotected] SSH key? Had that happen in Linux.
Congrats with your 5 minutes of fame. Next time please try the responsible disclosure procedure. Thank you.
You might want to check this... it's erm... embarrassing!
Glad I haven't updated yet!
You - at least by now - know that there is a more responsible and constructive way to deal with such findings properly, don't you?
just checked, damn, it works, logged in with root username
works for me too. macbook 12 2016. macos high sierra 10.13.1.
Confirmed on High Sierra 10.13.1 and 10.13.2. Can't believe this is actually happening.
Yep, it works for us.