Convopage
See the entire conversation
Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple?
1,128 replies and sub-replies as of Nov 28 2017
You can access it via System Preferences>Users & Groups>Click the lock to make changes. Then use "root" with no password. And try it for several times. Result is unbelievable!
It gets even worse! You can login with “other account”, type root with no password and you’re in!! Crazy!
+1 same issue.
It works!
I does not work for Yosemite!
HOLY SMOKES, I just got my Mac mini to do it. My jaw is on the floor. I can't believe this.
+1 (beta)
It seems like it's related to the amount of time the dialog has been open? I'm having better luck when I switch away and then come back after a while.
haberin vardi ve @MertSARICA soylemedin degil mi :)
Jesus Christ this should not be a thing
Can’t get it to happen on the latest beta
omfg it worked.
Oh dear Luna. I’m so glad I haven’t updated to High Sierra.
Not functional on Sierra 10.12.6
Confirmed High Sierra 10.13
confirmed here too. two tries.
It enables the root user (as evidenced in Directory Utility) without a password.
I bet if you enable root & assign a password, it’ll be a suitable workaround.
dsenableroot - just what I was looking for.
Weird that root can authenticate when it's "disabled" anyway ...;) But thanks for good tip!
Confirmed on 10.13.1 after 2 tries… even stranger because I had previously set a root password on this system.
Setting a new root password seems to prevent this
Buuuut if you disable the root user it seems to reset and it works again with no password after 2 tries.
So the option for now is to leave root enabled with a strong password.
Confirmed High Sierra 10.13.1
Confirmed it on 17C83a (10.13.2) latest pushed dev beta
Can this be done via the logon screen or only in an authenticated session?
Tried a dozen times at the login screen: didn't activate the root user. Also didn't work with an active session and lock screen. 10.13.1
Can confirm.
Holy crap - what the hell. It works basically everywhere. Even with Firewall and FileVault 🙄
can't get this to work... 10.13.1 (17B48)
On the same version, 10.13.1 (17B48) and it works after a couple of attempts (6 or so).
Oh my various gods and goddesses this is bad. BAD @Apple!
Unlocked on the second click for me. What the fuck @AppleSupport ?
This is why I wait like 2 months before moving to the latest MacOS
Cannot reproduce on High Sierra when logged into a non-root admin account, fwiw (dialog says "enter your password" not "enter an administrator's name and password")
Huh. Could not reproduce either way, nor from main login screen. BUT just realized this mac is on original High Sierra not the .1 update, perhaps that is the key
have read it's confirmed for 10.13+
no, that's right - "your" b/c you are already an admin, "an administrator's" if you were on a regular user account
Damn..!!! MacOS Sierra 10.13.1 confirmed... #CyberSecurity #wtf
huh. Can't reproduce on 10.12.6
Buddy above just said if he changes the password, and leaves the account enabled, it stops the bug
What do you think people will do? Change your wallpaper without your permission?
It works. Holy Moses! @Apple !!!!
Wow, how does this "slip" past QA or general common sense testing?
Wow, this is so bad. Looks like it doesn't work if you set a password for the root account.
10.13.1, it works with keychain access too!
Um, not on High Sierra machines at my work - are you sure that isn’t someone’s management setup (as bad as that is)?
It works for us. This is not gr8.
HAHAHAHA oh this is gold.
its more than gold,no need to hack iOS full access is there
Literally just tried it here too. Got straight in, first try.
Works on a completely standard High Sierra machine here. Ooer
Just checked, works, on first try.
This is not good.
Let's take a closer look at what's happening together. Send us a DM that includes your Mac model along with your macOS version. We'll meet up with you there. twitter.com/messages/compo…
I mean, the whole internet kinda wants to know now, so maybe meet us here?
Hah, that's a pretty good response.
I guess that the FBI got what they wanted after all.
*slow clap* Yeah no what's with this let's take this in the back nonsense @AppleSupport...
Imagine working @AppleSupport and getting this ticket assigned to you. You might want to send this one to escalation :D
Well played, Ma'am. 👏
Hahaha nice
I mean, the whole internet kinda wants to know now, so maybe meet us here?
Company policy, I’m gonna guess
It happens for everyone...
Resetting the password for root to something else “fixes” the vulnerability. I just tried and it worked.
Yeah, I did this, but not everyone knows how to
*4 hours later* we have no idea what's happening
Are you serious? Every macOS High Sierra version up-to-date on any device...
In case anyone who sees this doesn't know how to fix this (at least temporarily) or haven't seen the fix posted elsewhere, here's how to -
Everyone with a Mac needs to set a root password NOW.
As a user with admin access, type the following command from the Terminal.
sudo passwd -u root
Enter your password then a new password for the root user.
Anyone got a better fix?
@SwiftOnSecurity @rotophonic @pwnallthethings
Can confirm. Don't disable root user because OSX reenables it after a few login attempts.
Swiftly pretending nothing major is happening 😂 Get it? #devpun
It’s reproducible on every damn Mac. This is a disaster.
Maybe you should talk about this here, you know... since the whole interwebz knows about the flaw.
What version are you using?
High Sierra, 10.13.1.
If you have “let administrators unlock screen” enabled, this works at screen unlock too. Only took 2 tries.
🤦♂️
You can log in as root w/no password from the main login window. Highly suggest everyone do so and change the password (which you can totally do)
Confirmed on version 10.13.1 on 15 inch MacBook Pro Retina. "It just works!" takes on a whole new meaning @AppleSupport
oman. it's hard to even watch this.
Oh snap! Works on my computer!
A “root force” attack, if you will.
Workded also for me
Open Terminal
sudo su -
passwd
done
Couldn't get this to work on my mother-in-laws mac running 10.12 Mac OS Sierra. Just on work my computer running High Sierra.
Just affects HS 10.13 pre-latest-beta.
Thanks for confirming. Much appreciated
Seeing reports that it “works” up through 10.13.2 b4 (no word on 5 yet)
In addition, if you disable root/change password on root via Directory Utility it appears to prevent this
Just worked for me on 10.13.1 on an 11” MacBook Air. Unlocked to make changes to users with root and [blank], successfully changed the password of another admin account as a test.
sadly just reproduced it on a mostly clean install
We are installing a new vanilla 10.13 VM right now to test unmanaged setup. (Stay tuned if you want)
If you go into directory utility and change the root password, does this still work? Just curious for those testing compromise.
Everyone with a Mac needs to set a root password NOW.
As a user with admin access, type the following command from the Terminal.
sudo passwd -u root
Enter your password then a new password for the root user.
Anyone got a better fix?
@SwiftOnSecurity @rotophonic @pwnallthethings
No it will not work if you have set a root password.
This doesn't work for me either. Disallowing root login ( best practice ) stops this. IMHO: If you aren't changing the root passwd / disallowing it's login, you're at fault, not Apple.
lol you're insane
The OS should be configured to be as secure as possible with default configuration. It should not be default for root to have no password and still be able to authenticate by password.
For business this is obvious. For Uncle Joe with a new Mac from the Apple Store? Not so much obviousness…
I'll buy that. And John I agree. However, I feel that while this is bad, it also sheds light on a bad user habit.
It appears that hitting enter in the username field after "root" produces the reported result. Clicking the login button does not.
in termnal wont let you login via enter and I dont agree with you, other than terminal you can login by either way
you can enter any iphone using root with no password _fu-k how to stop iphone login
100000% true and tested and it give us full control over Apple device #quitApple
We'd like some details to assist. Send us a DM with the macOS this occurred on and your country and we'll continue there. twitter.com/messages/compo…
tested 4 high sierra machines, all seem to unlock with root un
It works
Fuck.
If you have the guest account enabled you don't even need a user account.
Permanently unlocks the root account to log in from the log in screen.
i could only get this to work if i had the text cursor in the password box (without typing anything). if i had the cursor in the username box and left the password field empty, it doesn't work
Fortunately it doesn’t work via SSH.
legit
Same, 2nd try.
Worked after 5 attempts. Jesus Christ.
Confirmed in High Sierra 10.13.1.
Must click really fast, but it can be reproduced rather easily
Better: type “root” in the user name, then tab to get the focus on the password field. At this point, click like crazy on “unlock” button.
We'd like to look further into this with you. Please DM us details on the issue, and we'll see why this is happening there. twitter.com/messages/compo…
Confirmed v10.13.1
Workaround - go to Terminal, run `sudo passwd root` and set a root password. That prevents a blank password from working.
When root passwd is not set, "sudo passwd root" accepts as the current password any password.
not reproducible here (High Sierra 10.13.1)
Workaround => Go on Terminal, login as root (sudo su) and change (create) password with passwd command
Everyone with a Mac needs to set a root password NOW.
As a user with admin access, type the following command from the Terminal.
sudo passwd -u root
Enter your password then a new password for the root user.
Anyone got a better fix?
@SwiftOnSecurity @rotophonic @pwnallthethings
We'd love to gather more information about this would you mind DMing us which version of macOS High Sierra you're using and what country you're currently located in and we'll go from there. twitter.com/messages/compo…
This seems like something you should be across already. The concept of changing a default password.
This has got to be one the most ridiculous loopholes- Shame on @Apple
My fix is to install Linux. Always.
#HopeThisHelps
#Linux
Yep, that's my usual choice for Macs.
Another solution will be to follow Apple instructions to enable root user with password. It's basically the same with GUI.
How to enable the root user on your Mac
Mac administrators can use the root user account to perform tasks that require access to more areas of the system.
support.apple.com
Of course in this case root user will be enabled already, so instead of setting the password you should change the password from nothing to something strong.
Confirmed this in-fact works.
It's important to NOT disable the root user afterwards, making you vulnerable again. Also, GUI method for enabling & setting password:
Fix for the #apple root bug:
1) open Directory Utility app (via Spotlight or other)
2) Click lock to make changes, log in with admin account
2) Click Edit -> Enable Root User
3) Click Edit -> Change Root Password…
4) Set a password
5) Do NOT disable root user!
Da fuq it works
Sudo - Make me a sandwich. #xkcd
C'mon. There is no such thing as security once you have physical access to any machine on any OS. At best you got root, at worst you can always wipe the whole drive.
On High Sierra when I authenticate to screen sharing as root it asks if I want to log in or request permission to view the screen. Select log in & you get the regular login screen.
Click "other", log in as root w/o password - works as advertised.
You mean there are people who expose their screen sharing ports open to the public Internet? Sorry, but they deserve it.
Not trying to minimize the seriousness of the issue, actually. But there's just no way anybody could perform this on any machine in my LAN from outside. And inside the LAN, with classic management tools the problem is already fixed and forgotten about, even on tens of devices.
Intuitive UI actually. Physical doors + locks also give up when you try hard and often enough. :P
Can confirm this worked for me, and only on second try.
Can confirm on 10.13.2 Beta (17C79a) that's pretty bad
We're here to help! Send us a DM, and we'll take a closer look at this issue together. twitter.com/messages/compo…
does NOT work on 10.11.6
Can't get it to work on 17C79a here, how did you check it?
System preferences, users and groups, lock in the bottom right. In username type root leave password empty. A 2nd box should pop up asking for admin details once again type root and leave password empty.
*bottom left
I just tried it on a Mac.
Logged in as "guest" then did uid/pwd "root/[blank]" you suggested. Worked after hitting return twice. Allowed me to change network settings.
To DISABLE root, or to change the root password, please follow this article.
support.apple.com/en-us/HT204012
However, Apple, it would help if "root" was disabled by default.
How to enable the root user on your Mac
Mac administrators can use the root user account to perform tasks that require access to more areas of the system.
support.apple.com
Doesn’t seem to do the trick. You can still continue without a pw and it seems to re-enable root.
Setting a pw for root seems to work. Disabling root does not.
***
root *IS* disabled by default. This bug works even if root is disabled!!
***
The only way to mitigate right now is actually to enable root and set a password.
Technically, it works if root is enabled with a blank password too (obviously), but my point was that disabling root is ABSOLUTELY not a workaround.
We're here to help! Send us a DM, and we'll take a closer look at this issue together there. twitter.com/messages/compo…
AFAIK you can prevent root login by only allowing a list of users to login on the main screen? Is that correct? E.g. not configuring for the "Name and Passwor" prompt
Just tried with no success. It's macOS 10.13.1 without APFS. Root user is enabled, but password has been changed.Has the root user been enabled on the Directory Utility and password set for this?
I only had to enter twice.
I was unable to reproduc on any of my macs
does not work here
I can not reproduce.
Oh god, please fix this asap @Apple
I had to try 5 times, on the 4th time it showed me another popup and it worked.
Hackerman
works even when Guest User is off! 😮
We'd like to gather some more details via DM to figure out the best path forward. Tell us what type of Mac you're using, along with your current macOS version. We'll keep an eye out for your message. twitter.com/messages/compo…
10.13.1 MBP mid 2014 15” Retina worked
Running "sudo passwd root" and setting a root password mitigates that until official fix.
e'yup, confirmed.
Bonus: go back and do it again, you only need to hit enter once. Oh, you’re root? I trust you. Here you go.
This is not the password-less future we all had in mind.
Resetting the root password disables the bypass.
Speak for yourself! My inner evil hacker had this password-less future in mind all along!
Two of my Apple devices (both on 10.13.1) are responding differently. One unlocked after 2 tries. The other I've tried roughly 20 times with no success.
Unbelievable, yes! And how the F could this have been added to the OS? What possible bug could have allowed this? Seems intentional.
I don't want people to see what porn I watch.
WTH indeed works here hope apple gives you a big reward
Not yet upgraded...
Why was this not shared with Apple privately via the reporting tool ? What good does blasting on twitter do?
Not working here on 10.12.6
Yeah just reproduced here too, wtf.
Way easier if you just hold enter, fucking what
Denke darüber solltet ihr berichten...
Tab into password field then press Enter.
GG Apple. QC is all but gone. Latest iOS is buggy AF.
Looks like this is only a local issue that requires physical access to a macOS system? or is there any remote (RCE) risk?
well actually...
Confirmed on High Sierra 10.13.1
If you set a password for the root account it fixes the issue
Worked on first attempt for me.
The solution to this would probably be setting a password for the root user.
Confirmed on 10.13.1
My 6 year old kid brought me iPhone 6s on saturday morning, unlocked. Shocked to see that, I went under settings and found out that TouchID AND pin have been disabled/deleted.
Have reported to Apple, waiting for a reply.
(No comment)
rip your bug bounty chances
Microsoft had a pretty similar issue with Windows XP, too ^^ (unpatched version)
It appears you have to tab off the User Name onto the Password field for this to work.
Just set a root password? Open terminal, sudo bash, passwd root. While you’re at it, audit accounts in /etc/passwd and check for blanks in /var/db/dslocal/nodes/Default/users/*.
(No comment)
Whaaaa! 😲
Still on Sierra, safe for now
****** @Apple almost a trillion dollar company - seriously!!
*sigh*... and this is why we responsibly disclose vulnerabilities in things. Our whole estate of systems at my workplace now vulnerable for days or weeks while we wait for a patch because this bloody moron decided public disclosure is funny. Fuckin' cheers mate.
“Think” different
It's fake positive. Every if you "unlock" changes, you can't do anything, Have a look:
Empty root password bug on macOS HS
Empty root password bug on macOS HS
youtube.com
We have like 250 billion dollars in bank.
Reproduced by @fatedfox on 10.13.2 Beta (17C79a) same users and groups menu, but not on parental controls.
Noticed something about the behaviour, the first time you hit login, it changed back to the current user, entering root again and hitting enter led to a few seconds pause, then rejected the login but didn't reset the user, hit login once more and it unlocked
... Security advice: Do not leave your MacBook unattended :):)
Easily reproducible @AppleSupport
Macbook pro 15” 2016 version osx 10.13.1
Responsible disclosure is important. You could have emailed this privately and got credit, using info from here - hackerone.com/apple
It works!!! :/
It only works when you press Enter/Return. Do kot click on Unblock.
wtf.. login in as root without password works as well...
doesn't work on 10.12.6. guess I'll wait a few more months before upgrading... .
It takes a lot of #courage to ship root without a password...
Terrible bug, maybe the worst ever on macOS. This was a highly irresponsible way to report such a security issue however & now puts more people at risk. In the mean time ensure FileVault is enabled & shutdown after work.
Also, setting a password on the root account prevents it
This works for me too. Holy fucking security hole.
Hey dumb ass, maybe don't blast that all over the internet and instead privately report it to apple. Then once they fix the bug write up an article about how you found it to throw shade on apple. Don't tell the internet so everyone can try to mess with other peoples machines
Worked on first try! OMG moving to ChromeOS rn!!!!
have a look, mate
Do you see this for login, or just for post-login unlocking pref panes and such?
I don't know if anyone already posted this, but just set a password, logged in as the root user in the terminal via "passwd" and you are fine^^
This is some 80s computer flick BS right here...this is "oh no, what do we do?"/"Type 'OVERRIDE'" nonsense.
Unbelievable.
Tried 5 or 6 times on High Sierra. No go here. There has to be a logical explanation for the behavior experienced by others.
It works on 10.13.1 (17B48), really bad :/
Sierra 10.12 still strong
works on mine, eeek
exactly 👍
like windows uac, it's there for utility not security
seriously??!?! O_o
and apple is not even replying or saying anything to this!!
Thanks for reaching out. Send us a DM, and we'll look further into this with you. twitter.com/messages/compo…
While you are fixing OS X, could you also make "Automatically adjust brightness" checkbox "off" state work again?
Reset your SMC.
sure, resetting SMC is exactly the user friendly fix we all expect from Apple.
Reset your expectations.
Man is salty
After downloading Sierra on macbook pro 2012 with samsung solid state, logging in became more glitchy. Reset SMC, used recovery, drive was rendered useless. Sierra was designed to outmode anything where you could install your own drive on 2012's keeping it current
Let's see... That's the one where you hold down the x key with your middle finger while rebooting, right?
This response gives me life.
It Just Works (tm)
Technology.
Just do it
Will resetting the SMC actually work? PRAM sounds more like the logical solution
Settings > general > accessibility > display accommodations > auto brightness.... yes it’s stupid...
I prefer the in ability to control the input volume, I'm riding that Fader like I'm at the all night rave on the 1's and 2's on my meetings.
Yeah this priv escalation works just fine for me, please escalate this to your security team asap
While fixing this could you also sort out that perennial problem of PDFs trashing the eBook reader on the iPad? KtxBye
Guys don't hire lib art majors as your software engineers. :)
It also crashed my 2012 macbook pro within 1 month of installation. Login would reset and eventually could not be accessed at all had to use Recovery, still didn't work Firmly believe you guys did this to get people off computer that allowed new hard drive installation #THECLOUD
Could you also look into repatriating the billions of dollars in untaxed revenue to the USA? Thanks, you assholes.
This is bad you guys. Real bad.
Can you bring back diagnostic at system preferences to check WiFi? I really miss that!!
🤷🏻♂️
Confirmed I can reproduce
And can just login at main login screen with root and empty password
yep, I just did that as well.. oh boy… Click ‘Other’ User: root “blank password”… click login
presumably, you’ll still need the password to unlock if you have filevault enabled
but just ‘sleeping’? holy shite
How many users do you have on your mac? I have 1 with guest turned off and am not given the option to login as another user. (Still works in admin panel though)
also confirmed on 10.13.1 (17B48)
I was not able to reproduce this using 10.13.1. Afterward, I followed support.apple.com/en-us/HT204012 to inspect (without changing) whether there was a root user or not. There was not. Also, there is no "Other User" at login.
How to enable the root user on your Mac
Mac administrators can use the root user account to perform tasks that require access to more areas of the system.
support.apple.com
Reminds me of this gif
*flashback warning*
Loves it
Which version of Windows was this?
IIRC it was there in Windows CE
I wanted to say it was Windows 9x, but then I mainly used that at work back in the day and we didn't have a domain at work until much later (Windows 2000 era).
So. Youre saying that Win2k is harder to get into than High Sierra....
To be fair, you could have hit cancel to log in and the "Login" was for network resources and not the desktop itself.
It's right on the tin "password for Microsoft networking"
I hope they send you hundreds of thousands of dollars and an apology.
I hope they send nothing.. For not going through responsible disclosure, and instead exposing millions of systems.
The only way is up!
Takiliyorduk ne guzel, neden ortaligi ververeye verdin ki sen simdi?.
Works on login screen as well!
I doubt it. They're too busy adding emojis and shoehorning Siri into MacOS to notice actual problems.
They’re not the ones who “add” emojis. So many people don’t understand this…
No but doesn’t it always happen to be the first bulletpoint of every .x or .0x update or keynote presentation of the past couple years. Priorities.
I guess that’s true. But leaving out support for new existing characters would be pretty bad, even if admittedly not as bad as a security issue.
also it gets non-technical folks to install updates. Emojis makes everyone more secure.
Never would’ve thought of that one.
seriously, tho, it's a real thing. security professionals need to (and sometimes do) think about what gets others to install updates (which causes them to break their workflow etc) and giving them features they want and that you can cheaply enhance regularly is gold for that
Agreed. It is user centered design/development.
Yup. This is exactly Apple's strategy, and it's brilliant in that regard.
I hope they saved some for a rainy day, because this fix probably merits a few.
That’s one way to look at it. Though I’m more inclined to believe they do it because the non-technical users are their mainstay customer base right now.
double benefit
Those are the consumer's priorities, yes. If you think development priorities within Apple are holistically "emoji" because that's what they demo onstage then I don't know what to tell you.
They absolutely do add Emoji. Sure, the Unicode standard specifies the available Emoji, but Apple still need to illustrate them and add OS support. They don't magically appear.
Well, yeah, that’s what I was trying to say. Guess I worded it poorly. I mean it would be kinda bad for Apple to just say, “Nah, we’re not illustrating them.”
Yup. And they don’t just “add” them. They over-design the heck out of them like it’s 2007 PowerPoint clipart
They are the ones that animate them, in real-time, with facial motion capture though. Priorities? Animated poop emoji versus asking for a root password?
this will get hotfixed with a dongle
right. way too busy doing that
That's a pretty big security hole.
Confirmed after 2 tries. Holy shit, that's bad.
😠 also I have to reboot my mabook daily, sometimes twice a day. Thinking of going back to windows if my productivity and security is compromised.
Lol windows wont make you more safe 🙂
Yes, which is why I use OSX and have been doing so for more than a decade. I do not wish to return to Windows but I might be forced to.
You will have quite the conundrum...but I feel you Apple is clearly dropping the ball iOS 11 is another example of stuff going wrong or at the very least being rushed out the door
It doesn't just login, it enables the root account (which you can normally do via the Directory Utility) for everything.
Someone give this man a basket of muffins or oven baked cookies.
Lol. High Sierra impresses more every day
Can anyone see if this happens on a “low” Sierra? Just curious because I haven’t updated yet....
And yes, this is very bad ....
Doesn't seem to work on Better Sierra.
Glad but still sad - hey #Apple ???
I could not replicate this on MacOS Sierra 10.12.6 (16G1036). I'm definitely going to wait until Apple fixes this security hole. 🤦♂️
And we have lift off.... :facepalm:
Sometimes works the first time, sometimes takes a few tries.
Something's rotten in the authentication layer!
Is FEATURE: Forget your password? Just log in as root!
I mean I guess in Apple's defense it DOESN'T work with any of the regular user accounts on my machine, so their tests of the auth layer probably worked in that regard. But c'mon, you ALWAYS try root with no password!
My laptop at home is still (regular) Sierra, gonna have to see if this exists on the previous release too.
I mean it's not "better" if this bug just slipped into High Sierra somehow, but it's WAY WORSE if it's been there for a while.
Doesn't seem to work for me on Sierra
I'm honestly not sure if this makes me feel better.
I mean "YAY my laptop doesn't have a gaping local authentication hole!" but also "WOW this got through apple's QA process."
I was unable to replicate with Sierra.
(Yes @Apple, this level of what-the-fuck-did-you-do stupid is Panda Facepalm worthy.)
We'd like to look further into this with you. Please DM us any other details on this issue and we'll look closer into why this is happening with you there. twitter.com/messages/compo…
I just replicated THAT behavior over remote desktop/screen sharing.
Does this work if you click Cancel instead? Jk. Omg.
It's a feature. So they won't have to be involved when authorities need to unlock a mac.
NOT able to reproduce it on 10.13.2 Beta 5.
Migrate to #linux instead
Just tried and I was like...
Remember “it just works” 😅
A: responsible disclosure. B: mailto:product-security@apple.com
Probably more effective if you had used their bug bounty program for reporting. Apple Support = tech support, not security vulnerability reporting: developer.apple.com/bug-reporting/
always go directly to the company via private channels before publicly disclosing massive vulnerabilities like this.
There's a tried and tested procedure for handling situations like these: en.wikipedia.org/wiki/Responsib…
It is a pity it has not been followed. Most probably due to not knowing it, overall excitement and eagerness.
shame too- OP probably could've gotten a nice bounty from it.
imagine how much that wouldve been worth if you sold it on the black market.
plus we are to believe apple's testing is so piss poor that they didn't try this? easy backdoor, bet there are more and bet they are littered thru the un-secure junk tech they smash into our lives
Pretty sure this is excusable considering what it is. I'd even go as far calling this possibly intentional. If it wasn't intentional they should figure out a way to prove that..
I guess I'm not _entirely_ sure what precisely you're talking about here.
"intentional": the unfortunate disclosure?
Or the *cough* "feature implementation in OSX"?
meh, Apple has neglected the quality of their systems code for years. Worse than Linux, and I expect Linux to have local root holes, so this doesn't surprise/scare me, as long as it's not accessible via screenlock/login screens.
Maybe lighting a fire under their butts will help?
And can just login at main login screen with root and empty password
His profile definitely supports the idea that it was accidental but still, the uncoordinated disclosure of such an impactful vulnerability is a heckuva way to introduce oneself to the security community!
Infosec Lesson #1: Slow down and think twice!! 😆
LOL My thoughts exactly! Sheeesh.
Agreed, but still remarkable this company...this company...with more resources than any other...could let that happen.
oh sure. but it's not the first time a major security vulnerability has been found in a powerful/wealthy company's code and it won't be the last. After all, this isn't much worse than what happened with equifax :P
Equifax has never professed to be magical, or to have products that "just work" or to be on the side of the consumer in any way.
WRONG !!!! Do NOT listen to this COMPLETE moron!
Why. Chaos speeds up the process you know?
Yeah wtf, this is a fail on the part of the OP. Advertising security flaws enables exploitation, more than the flaw itself.
Nah fam. Public accountability is the best
Here's the email address - now that you've done full disclosure without trying to privately reach the company: product-security@apple.com
Isn't security part of Tech ? I mean.. plus, someone once said that "security through obscurity isn't security" 🤗 cc @Nodraak
wow this is so bad...
I can confirm the behavior on my machine running 10.13.1. Absolutely unbelievable!
We'd like to take a closer look at what's happening. DM us with more details, including what type of Mac you're using. We'll look forward to chatting with you further. twitter.com/messages/compo…
Ok, you got a DM which includes a video that clearly shows the problem.
It looks like what's happening is that when you do this you're creating a root user with no password. Anyone who's tested this out should go disable the root user again in the Directory Utility ASAP.
Do you have any more info on how to do that? I’m poking at Directory Utility right now and it’s…intimidating.
Thank you!
terminal command `dsenableroot` also works
once you have Directory Utility open, go to 'edit' in the menu bar and then click 'disable root user'
Root user will just reenable itself. That seems to me to be what the bug is.
Yup, just saw that too.
Ah - looks like the trick is to change root’s password and disable the account.
Correction: change password and leave it enabled. Disabling root after changing the pwd reenables the bug.
Oh hi Jack! Came here for the LOLs - nice to see a friendly face. :D
\o
How’s things? :)
Works on Screen Sharing as well.
seems that Enabling root user after that and setting a password (strong plz) shuts down this attack vector.
Good call, that's a better idea than disabling root (thus leaving yourself open to the original vulnerability).
So just using the root username enables the Root user with no password.
Sleep Well SysAdmins.
For me, “sudo passwd -u root” and providing a non-blank pw auto-enabled root. According to @danielpunkass root must remain enabled w/non-blank pw or the vulnerability remains.
Well, guess I will forever be plagued by update notifications.
Just kidding, I'm installing debian tonight. gg @Apple
🤦♂️🤦🏻♂️🤦🏼♂️🤦🏽♂️🤦🏾♂️🤦🏿♂️🤦♂️🤦🏻♂️🤦🏼♂️🤦🏽♂️🤦🏾♂️🤦🏿♂️🤦♂️🤦🏻♂️🤦🏼♂️🤦🏽♂️🤦🏾♂️🤦🏿♂️🤦♂️🤦🏻♂️🤦🏼♂️🤦🏽♂️🤦🏾♂️🤦🏿♂️🤦♂️🤦🏻♂️🤦🏼♂️🤦🏽♂️🤦🏾♂️🤦🏿♂️🤦♂️🤦🏻♂️
Works brilliantly
And you can even login with root user and a void password from the lockscreen...
This only works if you've already used the exploit I believe. By default root is completely disabled. Doesn't stop anybody from going on a guest account and performing it there though.
Did you report this to security@apple.com ?
Confirmed on multiple machines. You can set a password for the root account to mitigate in the short term, but this is pretty serious :/
This is something we'd like to know more about to see how we can help. What type of Macs are you using and which specific version of macOS are you running? Tell us the details via DM. twitter.com/messages/compo…
Apple, the Microsoft of the 2010's
Tim Ballmer Cook
I already knew that – I was making another joke (Donald Trump? Rings a bell?) 🙃
I wish so bad that you were wrong...
😱😱 two clicks is all it took!
You should probably delete this tweet and report this vulnerability through proper channels. But thanks. Thanks for putting so many systems at risk. 👍
Confirmed on multiple machines. You can set a password for the root account to mitigate in the short term, but this is pretty serious :/
Your sentence is incomplete.
Deleting the tweet would/might prevent @cweagans from finding a solution. It's true that the tweet should have never been sent. But, once the information is out there, it's out there.
That I understood. Thanks. And agreed, but damn. Think before you tweet.
lol - I think the word's out at this point.
Yeah. I get that. Stupid.
I've already retweeted it So much for that idea
Yup it works, we just did this on our Mac in our forensic lab
Thanks. We've confirmed this on 2 Macs & are writing it up. Procedure creates new Root account, no password, runs root commands w/o sudo.
I haven’t managed to get passed FileVault with it yet…
I don't see any reason it wouldn't be exploitable if you have screen sharing enabled.
This is remotely exploitable through screen sharing (tested in our office).
SSH does not appear to be affected as best I can tell.
MAY also be exploitable through file sharing (didn't test) or anything else that uses the same authentication mechanism as the login screen / preferences unlock.
(Re: SSH, Apple appears to default to "permitrootlogin without-password" so sshd just nopes out of any attempt at sending a standard password)
Does it work if you just type root as username from the login screen, when you have Display login window as “Name and password” set (should be the default with network login)?
support.apple.com/kb/PH25800?loc…
On High Sierra when I authenticate to screen sharing as root it asks if I want to log in or request permission to view the screen. Select log in & you get the regular login screen.
Click "other", log in as root w/o password - works as advertised.
Yeah, at the initial screen sharing prompt "root" is apparently valid as authentication credentials. (At which point you can go to the login screen and log in to a root desktop session as with the local exploit.)
I don't believe you can grab the currently logged-in user's screen (at least without their knowledge/consent), but you can get on the machine as root, which means you can go rooting around any unencrypted files they have. Just as terribad!
Argh.
So it doesn't matter which users have been granted remote access as long as screen sharing is enabled?
I hope I am wrong, but sounds like you could literally do a port scan over a network and compromise any Mac that has screen sharing enabled?
OHAI TO PORT 5900? I CAN HAS LOGIN?
So like go to a Starbucks / university / public WiFi, port scan for 5900 and go wild???
Can't be. Right? 😬
@SwiftOnSecurity
How terrible you think it is?
It is in fact very slightly worse than that.
(Both in that you'll pick up OTHER THINGS running VNC that may have no security at all, and in that Apple's remote control stuff has "other features" for code execution)
so ...
this is part of apples rdp tool.
not only can you see/control the desktop, but you can RCE and run reports and whatnot.
MAY also affect file sharing (pretty sure that uses the same auth layer as the initial screen sharing prompt).
When you return to login screen or reboot, there's a new user called "Other," no face. Select that, type in "root" as username, " " as password, bingo.
That's bad.
Without the remote exploit this would just be a shortcut for booting in single-user mode and setting the root password (I don't think that's blocked by default?).
Without the remote exploit it's merely bad (local root at the console - fine, just don't leave your machine unattended unless in a physically secure location).
With the remote exploit it's terrible (remote root anywhere if a vulnerable service is running).
And yes by default you can go into recovery mode and zap passwords - physical console access trumps pretty much anything except FileVault or other encryption schemes.
THIS lets you bypass encryption: if the user is logged in and their homedir is mounted root can poke around in it
If it bypassed FileVault where would the decryption key come from?
Yes, exactly. File Vault cannot be affected
The computer literally does not have the information required to unlock file vault of you don't provide it
One of the reasons my FileVault doesn’t unlock with user credentials, but rather a completely different password.
Wait, so everyone that’s been trying this out on their computers now has a spare, passwordless, root account on their machine?
🤦♂️🍏
or, you know, they created a root account with a freakin password - which is just as easy. sudo -u passwd root … …
What login button? The only way I login is by hitting enter. Can you explain the steps taken to reproduce what you're seeing?
In English button reads "Unlock" in System Preferences login window.
Okay. I have unlocked, but am unable to create users or do anything as root. Can you do anything damning with this ‘exploit’?
1. Are you sure that there was no root user before? 2. How do you confirm? 3. Does removing the root user (without first securing with a password) recreate the vulnerability? 4. Same question with a password. (somehow none of my High Sierra machines are vulnerable)
1) yes 2) ran "periodic daily" in Terminal w/o sudo 3) dunno but would prolly leave you vulnerable 4) dunno. but 5) if you create root user WITH password using standard method, that should mitigate issue
Right, we've got mitigation done at this point. Now it's about science. There really should be a site for coordinating the crowd sourcing of information about zero-day exploits. Like @StackOverflow for decision tree development.
Did you password-protect your account? Because I'm pretty sure that the default behaviour is the creation of root user with the same password. If you didn't set up password at all it makes sense that you can sudo without password
We didn't intend to create a root account at all. That's kind of the point. Nor would we have need admin privileges to do so
I Tried do it and works. But when I'm trying to make new account (with admin access or not), it doesn't work.
easter eggs yay!
crap, works on mine!
ryan do something!
We'd like to work with you to figure out what's happening. DM us with what type of Mac you're using, along with your current macOS version. twitter.com/messages/compo…
It seems pretty self-explanatory, @AppleSupport. Have you tried it yourself on THE COMPUTER YOU ARE USING RIGHT NOW?
This also works with keychain access..... Confirmed on 10.13.1
You can bypass. It works on 10.13.1. Also note you can screen share bypass or remote manage bypass.
Now THAT is frightening.
Doesn’t apply to remote login. I just sshed on my machine (which unlocks like yours) as root and you can’t leave the pwd blank.
I don’t never ever allow remote root login.
A good practice that I keep too. But I take nothing for granted when Apple leaves root wide open for local exploit in a shipping OS.
HOLY SH!T!@!#! Totally works.
is this good??
depends on who you are and what you're doing
Hacking Apple products
If you’re looking to pwn some macs, then it’s good.
1. "oh let's just try login in as root without a password."
2. "oh let's try again"
3. "oh lets try a third time"
4. "wow it works"
5. Profit
Only happens if the root user is not enabled through DirectoryService, which is the default... OMFG
I’m sure many did.
This. Exactly this. WTF happened to responsible disclosure?!
Right. He doesnt work for Apple. Discovered for free. And this method of public exposure you can bet your ass a patch well be high prioritized
I'm not on High Sierra, myself, but could somebody try setting a password for root and see if that mitigates it?
Yes but after the disk is already decrypted obviously
Why wouldn't you use responsible disclosure here? :| :|
Can you log in from the login screen, or (per your screenshot) is it just authenticating admin actions? I'm assuming if you have FileVault enabled, this works only *after* unlocking the drive?
You can login as a root user, with full permissions so you can view and modify any user account directories and files etc
If you use Directory Utility to then *disable* the account, can you use the same trick again, or is it blocked?
Enable the root user in macOS Sierra | Coolest Guides on the Planet
Here is how you enable the root user in macOS Sierra which is disabled by default. As an admin user launch System Preferences from the Apple Menu and go to
coolestguidesontheplanet.com
Checking now. It even unlocks keychain... this is not good.
Great find! Adding a root password fixes it!
yeah, about to tweet
Haven’t tested FileVault though
I assuming you can’t get past FileVault with this, since the root account hasn’t been specifically enabled for FV access. (Still terrible, though.)
Noice back door 👌🙈
Not reproducible on my MBP.
Correction: it freakin' does!
Confirmed on my machine after the third attempt, logging in as “root” on macOS High Sierra v10.13.1
NSA would like to thank you for erasing yet another of their back doors.
Doesn't seem to work for me? Although unlike default I *do* have a root password set, so auth is actually just failing instead of succeeding against a disabled account.
Please look up "Responsible Disclosure". You just made the problem worse.
One possible hotfix to secure your machine is to set a password for the root account. Either via the command line or the system preferences.
you can even login to the root account with no password to desktop level
is twitter the future of QA?
oddly, I can’t replicate this on my High Sierra setup
Have you put your cursor in the password field? I needed to do that to reproduce.
Get back on Windows #problemsolved
Ever heard about single user mode???
Classy way of reporting security issues. The way to go...
Lol, it seems like @Apple just have lost few thousands corporate clients. I’ll tell our security team about this vulnerability.
To DISABLE root, or to change the root password, please follow this article.
support.apple.com/en-us/HT204012
However, Apple, it would help if "root" was disabled by default.
How to enable the root user on your Mac
Mac administrators can use the root user account to perform tasks that require access to more areas of the system.
support.apple.com
Why do you tweet about this, like you called it, huge security issue instead of contacting apple via mail in first place ? With this tweet you made this issue even bigger. Not very responsible.
Exactly. This is not a security issue, this is a joke.
Responsibility comes with finding this kind of flaws … Sure it’s apple job to prevent and fix those issues, but there are many people out there who depend on a „safe“ OS or work in security related jobs … And this is not helpful.
Maybe Apple is now acting faster than if they would have contacted them directly, but I still stay with my arguments.
Responsible disclosure is about protecting people. With it, you might have a handful that know of a vuln, and a patch before it becomes public. Without it, you rely on everyone getting the news fast enough to implement defenses before the script kiddies get you.
Great explanation, thanks :)
So be it.
I'm with Cory. Fabian comes off as a self-righteous prick. In actuality it could be corruption that needs to be pointed out. So as a civil duty, I believe it should have been posted on twitter. That's my ethical view.
I need to help everyone come to terms with this OSX root issue on the responsible disclosure Vs. pulling the disclosure fire alarm. so in the interest of preventing a full on pro and against debate let's focus on the the shit that really matters in #infosec 2 Words ROYAL WEDDING
pls point out the responsible disclosure hyperlink/contact info: apple.com/macos/security/
if the table isn't set well, not unreasonable to expect unintended consequences... not earthshattering QbD, risk management concepts
macOS - Security
macOS is designed with powerful, advanced technologies that work together to keep your Mac and built-in apps more private and more secure.
apple.com
Attempting to login as root when root has no password. This isn't a common case.
if you depend on having a "safe OS," then you should blame Apple for releasing a broken product, not the person who pointed out it's broken. public disclosure is how you distinguish a safe OS from one that merely has good PR
And despite that, isn’t there this unwritten rule of letting the company know before making it public ?
Wanna bet apple already knew about it and was going to slip a fix in?
don’t waste your time, cory has probably never read a single article about security :)
Dont worry... they can afford the compensations despite the huge taxes they are paying....🤔🤔
Yes, Apple ideally wouldn't have shipped it and it's up to them to fix. Announcing it publicly, though, is going to screw a bunch of Apple _customers_ for no good reason. Fault and blame are one thing, responsible choices are another.
Blast them, but at least let them fix the issue before you blast them for the ridiculous oversight. Seems pretty simple.
Disagree. These issues should be made public so that everyone is aware of the vulnerability.
Oh whatever. they do something that dumb, flay them out in the open, I say
since the fix is so easy, its better to be public about it
Congratulations, you don't understand computer and network security.
If they didn't tell people, then it would stay a hidden exploit until Apple quietly patched it for those that bother updating.
Now it's a big thing, people see it and apply the fix when ready.
Or selling it in the black market. There is a huge money making opportunity lost here.
O boy...
You just ruined thousands of illicit gaming sessions.
As much as I love yearly os upgrades to add more spy software, maps, and emojis this is ridiculous!
setting a password for root seems to prevent it from working
You did privately disclose this to them first, right?
Responsible disclosure is the most important part of disclosure.
^^^ avoid the corporate push to shift the moral burden on to the researcher instead of the software producer (to the detriment of the users)
they talk about it as a moral burden so no one notices they cut costs/corners on security. apple is the most profitable entity to ever exist and their bottom line is not my moral responsibility.
This cuts right to it. Bad people with vulns doesn't hurt public perception, disclosure does. Hence this rhetorical trickery.
Indeed. The flood of morons blaming OP instead of Apple is grating. This sort of culture only allows companies to hide from their responsibilities for longer.
Thats maybe true, but with that (inaproppriate) disclosure he just might loose around 30k $ from the bug bounty program. Maybe think twice before going around the way-to-go?
Yes, inappropriate.
Responsible disclosure is a choice, not a requirement. Heck, half the time it doesn't even work at all and makes everyone less safe by delaying action.
In this case? The vuln is trivial enough and embarrassing enough (but limited; needs local access) that I'd say it's a wash.
This does not require local access. It's exploitable remotely if "Screen Sharing" is enabled. Other sharing services may also be affected (authentication bypass).
By that do you mean the authentication bypass on the *initial* connection to the screen or just escalation once already connected?
For Screen Sharing it's both: You can auth as root in the initial request, which gets you to the regular login screen (also affected by the bug, so you can log into a desktop session as root)
for other services, I haven't tested it but I assume you could auth as root to e.g. AFP/Samba shares, bypassing normal user permissions checks.
That's pretty fucked up; implies the problem is deep in the bowels of the authentication system. Has anyone tried SSH?
Still, this is so ridiculous (and trivial to find) I wouldn't have given them more than 14 days to fix and roll out the fix before full disclosure.
Apple's SSH ships with "PermitRootLogin without-password" as its default, so it shouldn't be affected.
(PermitRootLogin should just be "NO" IMHO but apparently nobody does that except me…)
(PermitEmptyPasswords is also "no" by default, so it would fail on that check too.)
According to you
To others disclosure is the most important part of disclosure
Maybe apple should open up their bug bounty to the public so there could have been responsible disclosure 🙄🙄🙄🙄
Preliminary tests indicate that if you change the root password, this no longer works. Thanks @curi0usJack for testing!
worked for me
Set a password for the root user: sudo passwd root
I've had this as standard practice on all of my Mac's for a while now, guess it saved me.
It's called good security. Do you lock your doors because you have something to hide? Or maybe just that you want to ensure people have permission to enter? It's just common sense/best practice to be secure.
I did too. I didn't like the idea that it was on there "disabled" with some default password... I changed it immediately when setting it up. Turns out that was a good idea!
This is not the way to report security issues.
Shit like this is why I wait for a point release to upgrade after a major OS release. Apple’s MacOS QA is *abysmal*.
I would really suggest deleting this and contacting Apple's bug bounty program ASAP.
The Internets never forget ...
too late
Be sure to disable the root account you’ve just enabled to prevent your computer from being compromised while Apple fixes this
How to enable the root user on your Mac
Mac administrators can use the root user account to perform tasks that require access to more areas of the system.
support.apple.com
Thanks for pointing it out to the entire world.
Rootless is so secure
Reimburse what? macOS is free software that comes bundled with overpriced PC hardware.
Oh you sweet summer child. Come back after you've read your EULA, dear.
Thanks! Not. #howtoactwrong
We tried this and successfully reproduced the defect, but I think it's mitigated by explicitly setting a password for root by `sudo su -` and `passwd` from the shell.
(No comment)
yes, @lemiorhan put them at risk. Not Apple for actually creating the issue. Now people are aware and can actually do something about it. Read the thread. If you set a password for root, the system is safe.
Yes! geezuz
Because Apple took everything good about FreeBSD and threw it in the bin. (that didn't take long)
Actually my fiance works for Apple in Ireland. Making it public is the worse thing you can do. Reporting it via the proper channels is how to do it. Now that this is publicly known, helps the hackers more than the users. Very irresponsible post.
For every tweet that mentions this, you can be sure there's thousands of attackers that never will.
I think that's on Apple for shipping a fucking Linux OS without a password for root. If this guy knows it, who else has, and has been actively exploiting it? Perhaps now it'll be patched faster.
I suspect this is because the root password is empty by default. A workaround would be to set it by opening Terminal and doing `sudo passwd`. And yes, this is an absolutely terrible bug regardless of this workaround.
yes-ish: The root account has no password by default, but it is disabled in directory services by default so you shouldn't be able to log in to it anyway.
Nice. I like how you just... tweeted it out.
Whoa! Houston, we have a problem.
This is actually a bit scary. I guess the cat is out of the bag now, but I still recommend deleting tweet. Biggest Mac vulnerability I have ever seen
Unable to recreate this on 2 macs and 2 different virtual machines for testing software.
Why the hell would you publish this on Twitter, instead of notifying Apple privately?
for internet points, obvs
Are you sure he didn't?
Doesn't matter. He shouldn't put this out publicly until a fix is deployed. That's common developer courtesy. He just did this for cheap internet points.
“we’ve decided to outsource our QA team...to twitter”
Mitigation seems to be to disable "Name and password" logins and fast user switching. This way at least the screensaver is protected. Filevault seems secure too this way.
How was this discovered?
This also gives you unfettered access to the System keychain, which contains Wi-Fi passwords and BTMM encryption keys
It'll unlock the keychain on the first try, too
Maybe report to the company first before disclosing on Twitter and exposing many people to a 0 day exploit.
Ugh. @apollozac - have you seen this?
yep, unfortunate, setting a root user password is a workaround, we’re posting a guide shortly
Now #apple needs to come up with excuses & tales which
-media agrees to parrot
-Nontechnical folks believe
-Fanbois paste for Apple webwide
On the upside, setting a root password with the Directory Utility is fairly easy, because you can exploit the bug to unlock the utility in the first place.
When in Rome, I suppose.
Yo dawg I heard you like business in your business.
I just disabled root login.
I think you "just made yourself vulnerable". The root user password is not being compromised. A flaw is CREATING a root user with a blank password. You need to create a root user yourself to prevent this.
You condition is thought to be what enables the exploit. A flaw in the Security (or UI) stack creates a root user with no password. Creating a root user and setting a password prevents this.
The solution is to not use a mac to begin with.
I ‘m wondering about the pay back of money spent on hard drives replacement !! Such as mine ??
This happens when profit mongers start messing with the code in the perfection of Linux !!
Darwin is based off BSD, not GNU Linux, please!
All stable OS's are Unix based ! ~ is my point, until some monger starts playing with it, then we end up with shit like windows !
Trying the “Change Root Password” in Directory Utility isn’t working here. We had to
sudo passwd root
On the terminal. That was the only way to get it to work
Great quick response, but incomplete. You need to explain why a root user with a password should be created (& confirm that having no root user is a vulnerability). & explain why Guest User should be disabled.
I see you updated the "Guest User" and "Name and password" login window info. Also, replace steps 1-5 of Changing root password to "Use spotlight to search for 'Directory Utility'". Good work!
What if the Root user is NOT enabled?
does the user have to be unlocked?
Oh come on. I tried on 10.13.1 without setting any root password. It doesn't work. Maybe your forgot to update from 10.13.0?
Jobs is rolling in his grave.
My first reaction: how can you have a mac and not change the root pwd the first minute? I tend to forget that most “normal” people haven’t the faintest idea that OSX is Unix, or what that means. Hiding the complexity has a cost.
This is what bug bounty programs are for - why are you posting this publically so other computers are now at risk?
may not be, but now the entire Twitterverse is. Great job, A+. 🙄
(No comment)
Confirmed. Worked as well.
..."It just borks..."
Trying this out while logged in enabled my root account. Yikes - that makes this issue a billion times worse. Make sure you disable your root account. Follow these steps: support.apple.com/en-us/HT204012 (but disable instead of enable)
How to enable the root user on your Mac
Mac administrators can use the root user account to perform tasks that require access to more areas of the system.
support.apple.com
you might want to see this
This is according to some people on HN exploitable remotely through the "screen sharing. app"
It actually works!
Doesn't work in my laptop
What version of High Sierra are you on? I'm on a beta build and this doesn't work for me
Change root password with this guide to mitigate
How to Change the Root User Account Password in Mac OS X
Some advanced Mac users require having the root user enabled in Mac OS X for administrative or troubleshooting purposes. While many will keep the root user account password the same as their genera…
osxdaily.com
It works for me! HS 10.13.1 on Rmbp mid 2014
(No comment)
How about that lock screen though? ¯\_(ツ)_/¯
OSX 10.12 === Sierra, this is for High Sierra (10.13.x) only
/usr/bin/osascript -e 'do shell script "whoami" with administrator privileges'
Pretty sure @Apple announced the OneClick BlankRoot feature during their macOS High Sierra reveal.
Here is the clip from the WWDC 2017 Keynote: 🤣
Anyone using Apple products deserves to be hacked!
Oh fuck. Log in as "guest" > system prefs > users > root...
In-Thread Reminder: Turn off Apple Remote Desktop / Screen Sharing on affected systems. This is exploitable remotely if that is enabled.
SSH ("Remote Login") does not appear to be affected as best I can tell.
Changing root Password would be the better advice in case someone needs Remote Desktop?
I suppose it really depends on the situation.
This also works, yes. On a Real Unix my advice would be to set the password hash to "*LK*" or similar to lock the acount.
Disabling the account DOESN'T work (the bug seems to be that it ships disabled but gets enabled by the system without asking, and has no password by default).
Shamelessly stealing!
Hey, I agree with you. Just the messenger!
I'm on High Sierra 10.13.2 beta and can't reproduce this.
Did you change your root password to something other than the default already? I did and it didn't work for me either.
Nope, turns out I had to try it twice and mash the return key, then it worked for me. So I just reset my root password now as a precaution.
Serious question: why not disclose responsibly through hackerone.com/apple or other channels rather than on twitter?
that both ethically better AND worth some cash
Tbh I am pretty sure the bug is going to be fixed wayyyyyy faster this way ;)
But this type of "discloser" greatly increases the chances that this bug is used in the wild.
especially when it’s so easy. Spike in laptop thefts today I bet 😜
If you saw someone left their keys in their front door, would you let them know by calling the news? Or would you maybe knock on their door so the whole city doesn't find out first?
If you follow the instructions posted here support.apple.com/en-us/HT204012 to change the root password on your system, you can protect yourself from this issue until Apple has a fix.
How to enable the root user on your Mac
Mac administrators can use the root user account to perform tasks that require access to more areas of the system.
support.apple.com
Confirmed on a 2017 MBP running HS 10.13
I’m so glad you advertised this for the entire world to see. 😱😱😱
#FaceID on steroids! 💥
Mac: Identify yourself.
Guy-in-Ski-Mask: I am root.
M: No you aren't. Identify yourself!
G: I am root.
M: "Well, OK. You haven an honest face."
This is the 2nd time I tried it in the same session, but even the 1st time, it only told me off *once* before allowing the 2nd try...!
Ovvv fenaymış..
I confirm that it is true and thats why I was threaten by Apple constantly to remove #QuitApple tweets
Confirm
What a douche move! Report it to Apple first. Give them a chance.
Thank god it wasn't in Android or @AnttiKurittu would never stop talking about it!
Too late, and it worked :(..
Why didnt you report this to Apple's security team? Why go public first? #Irresponsible
I fully support @Apple suing you for this. Learn how to disclose security bugs before you call yourself a "Software Craftsman".
Apple is going to sue someone for their own software flaws? That's rich. Exposing it publicly lights a fire under Apple, forcing them to prioritize a fix. Private disclosure lets them drag their feet.
No, there are ethical disclosure systems. This puts millions of computers at risk. You don't expose zero days like this.
Apple will probably not sue them, but I would be fully supportive of it if they do so.
Apple has a track record of ignoring serious security flaws such as this, for months after private disclosure. I fully support this public disclosure, which informs end users about this serious security flaw. Apple has no basis for filing a suit.
You can publically report a bug if at least one week of no response from apple has passed. You’re not helping anyone with this you’re just allowing script kiddies to hurt millions of people.
Not everyone is an "ethical hacker." Software devs don't owe Apple such courtesies. Perhaps the blame instead belongs on Apple for not performing critical QA and testing?
Bugs happen, it is the nature of programming. The blame is on Apple, but that doesn't excuse this type of disclosure.
This public disclosure is fully excused by the sheer volume of bugs in Apple's software as of late. Perhaps they should do some beta testing before releasing their shit software into the wild.
Apple suing for what? For asking a question? 😂
So law defines ethics?
Nope, but it depends if something bad happens as a result of this.
If so, then Apple would need to hire some turkish lawyers...
Apple can’t sue him for tweeting them about *their* mistake. He hasn’t put anyone at risk, Apple did. They need to fix it, but they also need to test better.
He should have told apple, privately and then give them at least a week to fix it. This is unethical, and in some jurisdictions, based on previous rulings (precedents), illegal.
No, THEY should’ve got it right. He had the right to tell them or not, and via a channel of his choosing. If setting a root password fixes it, this is arguably better - it doesn’t need to wait for a patch, because people can see it and set a password.
I see you're a CTO of a company. If someone found a bug that put the data of your customers at risk, should they tweet about it? How do you think your future customers would feel about you essentially telling people to post security vulnerabilities of your service online?
I’d prefer they reach out to me, obviously. We’d deal with it immediately too. But I’m not a big enough ass to blame THEM for data loss caused by OUR bug in that instance. I would certainly not consider suing someone for damages caused by my own team’s incompetence.
And, if they told my customers so they could take defensive action themselves, that would not seem unreasonable.
Better that someone tweet about it than sell the exploit to nefarious actors on the darkweb
The error comes when you write software that has such a serious bug, not when someone discovers it
apple should be paying the man
Yes they should! Only if he gave them enough time to patch the issue.
they deserve it for their weak bounty program
He doesn't have to do that
He has no responsibility for Apple's security
They have billions they can spend on their own engineers
He's free to announce it on Twitter or put it on a billboard
Don't try to police other people's behaviour
"Hey, the government made a mistake and this is how you easily print paper currency that looks exactly like original. "
This isn’t currency printing, this is “Mac users, set a root password because Apple QA dropped the ball and anyone can log on to your machine as root”
The logic stays. Exploiting other people's errors is sometimes punishable.
There was no logic to refute. He hasn’t exploited anything - he’s publicly warned people how NOT to be exploited.
No he didn't say how not to be exploited. Read his tweet again.
Irrelevant. Nobody needs to follow the norms of “ethical hacking,” especially people who never claimed to be such and who may not work in infosec.
100%. This wasn’t a complex, deeply hidden, hard to exploit thing needing a dedicated exploit kit found by an infosec researcher.
It’s a login button on the lock screen, which you have to press after forgetting to put in a password.
yeah, nobody needs to do anything man
To fix MacOS High Sierra Passwordless Root Account issue, create a password for the "root" account. isc.sans.edu/forums/diary/A…
That is a pathetic take. Everybody in the business knows how this goes. All attackers know it and only a fraction of the possible victims know it.
Also, where did he explain how to not be exploited?
To fix MacOS High Sierra Passwordless Root Account issue, create a password for the "root" account. isc.sans.edu/forums/diary/A…
2 hours after disclosure :)
And your issue is... what? That he failed to follow a set of rules you and others he didn’t sign up to made up, which he may or may not be aware of, and didn’t tweet as fast as you think he should? Wow.
My issues is that he (together with Apple) made whole bunch of machines exploitable.
With disclosure, end users have the ability to secure their machines, instead of believing in a false sense of security. Don’t blame the messenger.
Also the defense that he, as a software developer, does not know a thing about software security, is very limited.
I think people don't understand that we're not saying Apple wasn't responsible in this. We're saying you took an issue and made it 1000x worse.
You’re saying the guy who found the bug and told people about it, deserves to be sued. I think you don’t understand what a douchey position that is. In this country we have freedom of speech.
Freedom of speech != Freedom from consequences...
Seriously is it coming down to this? I thought at least we would understand that.
Actually, it does mean that he cannot he sued for his speech, which in this case, was informing Apple’s users that we had a false sense of security due to Apple’s poor software development.
No, it means the US govt can't sue him for his speech. It does not mean a private company can't do the same.
They can sue, but cannot win.
If Apple sued, the case would be dismissed immediately due to having no basis. Where and when did he agree, in a contract wherein value was exchanged, that he would not disclose their software vulnerabilities?
I am not a lawyer, and will not comment on this.
I’m an accountant, but I feel perfectly free and adequately informed to comment.
That's up to you. I live in the United States and I'm not allowed to give law advice.
Apple's Ivan Krstić at #BlackHat2016 announces the new bug bounty program, with impressive payouts.
No, *apple* made them exploitable - by clicking “login”. This was not a zero day, highly technical vulnerability which only nation states would’ve found otherwise and from which most people were safe via obscurity. It’s *a login button*.
Regarding your forgery example, forgery is a crime. Making Apple uncomfortable is not. Yet...
I think the argument is more so that it was an unethical way of disclosing the bug. He should have contacted Apple, and if the bug doesn't get fixed in a reasonable amount of time, then you disclose it to twist their arm, but this just increases the risk of attacks.
And I’d agree with that if people couldn’t fix it themselves - if you’re waiting for a vendor patch, disclosure is bad. In this case, you can self-fix. But even then, those aren’t *laws*, just infosec community guidelines - he’s not obliged in any way to follow them.
The problem with the self fix is only 5-10% of users are going to be technically inclined enough to apply it unfortunately.
Not everyone signed up for the rules of ethical hacking. Why should a software dev who is unaffiliated with Apple care about protecting Apple’s reputation?
...BY USING CRAYONS. If we’re going with the currency analogy.
That's also not illegal as far as I know. Guides on how to build illegal machineguns aren't.
I am not defending the legality take. My apologies if it looked like that.
I also tweeted later that I wish I sticked with unethical. Sorry about that.
Lol ethics and law are very distinct. You can’t be going suing people for saying “hey look it’s broken”
This may have been wrong, but definitely not illegal.
Law depends on precedents and different jurisdictions, I can't tell for sure where this person lives. It definitely was wrong, and in some cases, illegal.
Software bugs happen. Are you saying you can write bug free software?
By making it public you're allowing script kiddies to potentially attack millions of devices.
By keeping it private, you disempower end users, turning them into sheep who have a false sense of security. Again, I don’t think the guy is claiming to be an infosec professional, thus, your rules re:disclosure don’t apply.
Ethical disclosure is great for those who get early notice. It also allows Apple to prepare a press release saying "only occurs in outdated software" - which will be technically true by that point. It's crap for literally everyone else.
You're an idiot Amir. Apple shipped an OS without a password for root. Don't be so stupid. Your fan boy is showing. If you were a responsible engineer you'd understand what a colossal fuck up this is.
I understand this is a huge error, can you explain why (irrelevant of company) making it public helps those that aren’t tech savvy as opposed to script kiddies? Genuine question
Because if he knows, others likely know who are actively exploiting. You can mitigate immediately via Terminal:
> sudo passwd root
Set a password you remember, and this epic Apple failure is FIXED. Meanwhile Apple has an update lifecycle where you may be exploited in meantime.
Exposing it allows a non-tech-savvy person to be aware their information is not secure, while incentivizing Apple to act quickly. In this case, the end user is also informed as to how to maintain security until Apple releases an official fix.
Thank you. Anyone can immediately:
> sudo passwd root
And your OS X install is secure. Otherwise await Apple PR to polish up the biggest turd of a mess I've heard and an update. This is a Linux derivative that was shipped w/o a password for ROOT! This is NOT okay.
That's not a solution for the millions of end users out there.
He didn't design the OS, or forgot to set a root password. That's on Apple for the masses. If an Infosec guy knows this, this crucial immediate fix is for high security environment macs who can't wait a week for a fix buried within an update.
I agree it’s great for a minority of confident users but the majority are going to be sitting ducks.
I see the logic and understand the point. I’m not sure in practice it’ll work this way as people need terminal confidence to fix, the majority of users won’t be in this space. I hope you’re right on the incentive side
Put it this way, you can decrypt HDDs, and do pretty much anything with the root password. If a casual security researcher knows, time is of the freaking essence. Not everyone uses Macs as a casual user, these are in high security environments. They shipped a Linux OS w/o root PW
Sure! Glad you asked.
I'm not sure at the extent of this, this can potentially be used by programs running as root to remotely execute code.
I completely agree making these public is good! But this should happen at least after a week has passed over reporting the issue to Apple
Sorry for the angry reply, but that takes an update cycle, followed by Apple's PR to polish up how a Linux OS derivative was shipped w/o a root password. A page is already up informing users to set a password with one Terminal command. End-users are entitled to an immediate fix.
I never said this isn't a fuck up.
I'm not a fanboy of any company either, I use devices from essentially every major company out there.
This disaster was made much worse by providing the details about it without Apple providing a fix for it yet.
Couldn’t agree more, seriously irresponsible putting this out like this.
Apple thanks you from the bottom of their money pit. Sigh.
please leave the internet
Exactly.
hah get bent, then try to understand a tiny modicum of law.
Seriously, this is dangerously irresponsible. Somebody tell me this isn't the very first disclosure of the bug to Apple.
you're autistic. literally, you're one software dev that needs to kys.
Which just shows how stupid you are. Apples bug bounty program is not open to the public, its invite only.
Then isn't contributing to this discussion also partially responsible for publicizing the issue? It makes it trend on twitter, so since we're casting blame here...
It's like suing man who was shouting fire instead of notifying cinema owner and patiently waiting for outcome.
there's a big difference between yelling "FIRE!" (being a good samaritan unto others) and irresponsibly disclosing a security bug.
Oh get off your high horse Amir.
A sheep riding a high horse is quite impressive tbh.
That's fair
Amir is a sheep
I would like to clarify my point here. I should've just stuck to the fact that this is "unethical". Apologies about that point.
👍 security through obscurity.
Under what legal theory would they be suing him?
Try understanding 'full disclosure', then read any papers by @0xcharlie then try commenting on a subject of which you have more than a vague notion.
Oh please. Do you know how long bugs sit in Bug reporter without seeing any attention? I still have a bug from 2013 sitting there. Apple doesn't care.
You are one savage S.O.B
I must be "doing it wrong".
Can't reproduce it as described.
So this requires physical access to the machine... so not exactly a big deal unless you're hiding stuff from someone.
Not true. I just browsed other Macs on my local network and established screen sharing with root/no password.
Holy sh*t it works..... wtf
Something does not work for sure but logging in with root works:-(
El Capitan good
For now logging in as root (or doing sudo su) and changing the root password locks me out of just logging in as root though.
(Temporary) solution
it appears that if root isnt enabled, whatever you enter in the password field will enable root with that as the password. Tried multiple times, works like a charm.
It works with Keychain as well to show passwords. I wonder how long it will take for Apple to release an update.
my guess is 24hr. Maybe 48.
Special feature to please Richard Stallman?
haha it works
tested on a couple machines here
Enabling and then changing the root accounts password appears to be a good short-term fix.
How to enable the root user on your Mac
Mac administrators can use the root user account to perform tasks that require access to more areas of the system.
support.apple.com
omfg, wtf @AppleSupport i just tried this and it unlocked my preference.
And you disclosed on twitter vs privately to Apple because....?
I'm a GNU/Linux user, so I obviously find Apples vulns hilarious and everything, but, uhhh... Responsible disclosure?
The man @lemiorhan gets his two minutes of fame at the expense of others. Nice one.
Stumbles upon dangerous radioactive basketball....starts pickup game with entire prison yard
Why would you disclose it like this? Software developer should know better.
People saying "at least it's not remote"... yeah it is. I was able to just connect to a co-workers machine as root and it did not prompt them for permission or anything.
oh god...🤦♂️
Via ssh?
No, OSX screenshare. SSH did not work for me.
It sucks big time. Thanks bro.
Why in heaven’s name are you disclosing this on Twitter????????????????????????
... even better than „goto fail“ - sigh 😔
Great find but why tweet it? 🤨
Contact Apple
Works from any system keychain authentication too, not just in users and groups.
veja essa falha grotesca de segurança do High Sierra
Post saindo em instantes.
Uuuuh what fancy name are we going to give this? Rootcanal? BiPASS? RottenApple? The Rootening? So many bad puns!
It just works.
This doesn't seem to affect macOS Sierra 10.12.6 (16G29) nor High Sierra 10.13 (17A291m). They just stay at the login box.
thats the proof of concept build according to DOJ specifications
Can confirm on 10.13.1 - can authenticate in System prefs, can log in as root from lock screen if fast user switching is on. Changing root password via terminal prevents it.
Worked for me after using enter key instead of mouse clicks to get the root user to stick
Fix is to disable root. It’s supposed to be disabled by default in macOS. Looks like they screwed that up in High Sierra. See
How to enable the root user on your Mac
Mac administrators can use the root user account to perform tasks that require access to more areas of the system.
support.apple.com
Mac OS X High Sierra is
hahahahahhahahah
This is bad...you can prevent this by changing the root password open terminal -> type passwd press enter and enter a new password then conform it. If you can't find terminal, search for it using spotlight.
PGP-encrypt (support.apple.com/en-us/HT201214) bugs like these to product-security@apple.com
Protecting Security Information
.
support.apple.com
A temporary fix found/suggested by @DanFrakes - do the following and add a password to the root account
If you use Directory Utility to then *disable* the account, can you use the same trick again, or is it blocked?
Enable the root user in macOS Sierra | Coolest Guides on the Planet
Here is how you enable the root user in macOS Sierra which is disabled by default. As an admin user launch System Preferences from the Apple Menu and go to
coolestguidesontheplanet.com
It works, I did it on my Mac
Yeah and please fix the calculator as well !
I'm on 10.13.1 and was not experiencing this result by clicking several times. I did, however, notice that by changing the focus from the User Name to the Password field (while still remaining blank) and just clicking the Unlock button *once*... I was able to get in. 😬
I disabled root login.
This it’s reckless before even try to contact Apple directly ! PRÍVATE
(No comment)
this is.... not good....
oh my god
Holy fuck this is legit 🔥🔥🔥🔥
Just tried it. Worked on second try! Not good
Fix for the #apple root bug:
1) open Directory Utility app (via Spotlight or other)
2) Click lock to make changes, log in with admin account
2) Click Edit -> Enable Root User
3) Click Edit -> Change Root Password…
4) Set a password
5) Do NOT disable root user!
2) Type in „root“ as username, click „Modify Configuration“ a few times
Yeah that's the more "radical" approach :)
Don't know if this has other unwanted side effects though, which is why I left it out.
I just couldn’t resist, sry 😂
You can also do it over the command line and it works.
sudo passwd root
Yes. This was meant for the average noob :P
But I'm also not sure in what "enabled" or "disabled" state this leaves the root user and if it works in either previous case.
holy shit. it works!
This is pretty bad! Especially because even if you “Disable Root User” through Directory Utility the process explained by @lemiorhan re-enables root access. @AppleSupport @Apple @savtwo These guys are going to love this: @siracusa @caseyliss @gruber
Do not disable, just change (set) password
glad i’m still on sierra where i can’t reproduce this
(No comment)
Were likes and retweets that important to not contact Apple privately and wait for the vulnerability to be patched before publishing the exact steps?
As a software developer you should know better than to do this publicly. I think you just opened yourself up for irresponsible disclosures at your company.
ummmm holy shit
Hi Lemi - reporter for BuzzFeed News here. Could we chat about this issue? davey.alba@buzzfeed.com
Oh nonononono nonono nooooooooo
Is nobody reviewing their code?
really fucked up vuln and really fucked up way to disclose it
For everyone: ubuntu.com/download/deskt…
Holy shit, this is bad!
Confirmed... Sigh. Poor QA practices affect all software companies, no matter how large they are or how much large their market cap.
Similar bug on Apple iPhone devices (#iCloud removing) - entering wrong passcode several times it can bypass iCloud screen and allow customer to activate device. Easy iCloud unlock.
APPLE BTFO
Kinda tmp fix:
Login screen click `Other...`, login with root (empty pwd) and change password in system preferences..
I just hope it didn't break something else..
Seems to be fixed in 10.13.1
There is a reason we have product-security@apple.com
it also works from non admin accounts from the same machine
Oh my. This was confirmed on two machines here too. Thankfully, we don't use High Sierra in production anywhere yet.
CIA is but didn't tell anybody.
Talking about safety, this may not have been the smartest way to disclose this. A private message to Apple would have sufficed.. But all the credits to you..
Check Directory Utility. Root user is enabled (and by default has empty password). I didn't enable root previously but it was on. Disabled root user and now the repro doesn't work.
Wow, I was also able to replicate this. This is not good...
(No comment)
works in 10.13.2 Beta as well.
way to do responsible disclosure?
Coucou @lypiut & @sebastienmichoy
C’est moi qui ai retweet ! Mais clairement un OS en mousse 🙄
Je l’avais vu RT avant par quelqu’un d’autre c’est pour ça que j’ai pas vu le tient! On va voir comment ils gèrent la com ^^ Vous arrivez à reproduire le bug?
This is how huge security issues should be handled. WITH PIZZAZZ.
Setting a password for the root user or deactivating the root user is a possible solution.
How to Change the Root User Account Password in Mac OS X
Some advanced Mac users require having the root user enabled in Mac OS X for administrative or troubleshooting purposes. While many will keep the root user account password the same as their genera…
osxdaily.com
Deactivating doesn’t work. It will be activated again :)
Does it also work for unlocking FileVault at boot time?
so funny, nice one @lemiorhan
This actually works from the login screen too. "Setting up your mac" and voilà, you're logged in as root.
You're holding it wrong!
Worked for me, too. This is unbelievable.
Here’s a quick fix: xs-labs.com/en/blog/2017/1…
Or ‘sudo passwd root’ in terminal.
It has been years for such a security issue... Si Apple..
Works for me on the first time on the 'switch user' / login screen too. Absolutely horrifying, how does something like this get missed.
Not good!
For those outraged he disclosed this on Twitter, if someone found a vulnerability on a Toyota that caused it to burst into flames by pushing the brake a certain way, wouldn't you want to make sure as many people as possible knew about it so they STOP using the vehicle?
hooo leeee shit
Don't reproduce this on your Computer unless you know what you are doing!!!
Well ... if you do you'll have generated a root w no pw that is shell accessible.
And that user hasn't been there before. So trying the trick does change your OS in a way.
Probably a good idea to disable root from the Directory Utility or Change Root Password... Looks like the Root account was left enabled with no password on High Sierra by default.
Root account comes disabled by default. The problem is this procedure enables without user consent. The only true workaround is to leave root account enabled and change its password.
If you disable root, it will be enabled again if you type root in login.
Wow. Just. Wow.
Support is almost useless for BRs —Apple evidently has a real security team somewhere. *GROAN*
It's too bad this wasn't reported via the offical security channel, unless it was and ignored
How did you figure this out?
This is hugely irresponsible, @lemiorhan.
Is this part of @TwitterMoments yet?
this is a huge fuck up are you going to admit it or what?
Ahahahahaha
C’mon @Apple, you know you can do better!!
it worked at first attempt... oh dear good @Apple =(
Haah! better focus on Security first instead of Emojis!
It's @Apple ; you're just not using root permissions correctly. :-)
Holy cow, worked on first try.
Same here! Verified with my MBP 15” mid-2017
Tested with @bluelogon and @F52C877B This is... beautiful :D
In fact it's required to use the hack of System Preferences before use the login screen !
I am on a subway platform w/no Mac in site. Does this legacy shit work? developer.apple.com/legacy/library…
% dsenableroot -d
username = [your username]
user password:
dsenableroot:: ***Successfully disabled root user.
Nope; root is disabled by default, this enables it and sets a blank password. Verified on my machine. Best mitigation RN is enable root and set a password.
Never met a matt I didn't like. Thanks. - matt
you’re welcome! loved your talk at strange loop btw, been eyeing some of those grants/opportunities.
hi Reddit
Literally thought this was some sort of joke until I tried it myself. This is not so much a "security hole" as "a complete absence of any sort of security".
literally
Set a root password (I think you can do it from Directory Utility). Any password. That will fix the problem.
Might sending an email be slightly more responsible than tweeting?
Was able to replicate in terminal with three tries.
Ahahaaaa @TEAkolik 😄😄😄
Ya hiç sorma dangalak bu Apple ya :)
Just tried this! Good lord! It works :O
Mira esto @Pb__lo que tul
[TempFIX] - change the root account's password. Please share it with world asap
It even works from the login screen. Just change Display login window as: Name and password, logout of your current user and type in root, hit enter and you're in the system!
osascript -e "do shell script\"mkdir /THISIZSERIOUS\" with administrator privileges"
Fill in root and hit ENTER. #nosecurity #notesting?
Here’s a solution: don’t update to high sierra
(No comment)
Is it authenticating the password for an [unprotected] SSH key? Had that happen in Linux.
Congrats with your 5 minutes of fame. Next time please try the responsible disclosure procedure. Thank you.
You might want to check this... it's erm... embarrassing!
Glad I havent updated yet!
You - at least by now - know that there is a more responsible and constructive way to deal with such findings properly, don't you?
just checked, damn, it works, logged in with root username
for all the smugness of apple over security, this is schoolboy af.
works for me too. macbook 12 2016. macos high sierra 10.13.1.
NO WAY.
OMG! Shit!
Confirmed on High Sierra 10.13.1 and 10.13.2. Can't believe this is actually happening.
Yep, it works for us.