A serious security bug in High Sierra allows anyone to log into macOS as the root user.
Apple seems to be focussing on Face ID on the iPhone X so much that it almost forgot about passwords. Almost.
Back in October, when High Sierra was released, there were two password-related security bugs. One bug allowed a local attacker to gain access to an encrypted APFS drive; the second allowed theft of passwords via a malicious app.
Apple responded quickly and fixed those bugs.
Now a new security flaw has been discovered that gives root access to local and remote users. It’s a simple bug. If you have not enabled the root user on your system, anyone with access to the machine can log in as “root” with an empty password after clicking the login button several times.
The bug was discovered by Lemi Orhan Ergin who Tweeted:
You can access it via System Preferences>Users & Groups>Click the lock to make changes. Then use "root" with no password. And try it for several times. Result is unbelievable! pic.twitter.com/m11qrEvECs
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
Initially it was thought to be a local exploit. Later, Will Dormann found that if screen sharing is enabled, anyone with access to the machine via sharing can gain root access to the system:
The Apple High Sierra root issue is bad. If you have exposed "Screen Sharing", you can allow people into your machine with full GUI access, using no password. Setting the root password appears to prevent this from happening. https://t.co/21FXeu13oA pic.twitter.com/ms2kkbFLZi
— Will Dormann (@wdormann) November 28, 2017
Is it really as bad and stupid as some people claim it to be? It depends. If you share your Mac with others via screen sharing, you do run the risk of them gaining root access to your system. Sometimes tech support people request screen sharing to troubleshoot problems. Beware if you use Geek Squad services. So, yes, that’s bad.
I don’t see any serious problem with local access to the machine because mostly the systems are behind a lock screen and you can’t access System Preferences without logging into the system with the user password.
Apple has confirmed the bug affects only High Sierra. Is it a stupid issue? Well, not as stupid as the Linux bug that was discovered in 2015. A bug in Linux allowed anyone to bypass authentication and log into a system from the lock screen by hitting the backspace key 28 times.
That. was. stupid.
These are bugs. Bugs are part of the software development process. No matter how meticulous you are, there will be bugs. There is nothing you can do to stop them. All you can do is fix them as soon as you find them.
Apple is usually good with security stuff. The root user is disabled by default. The first user on macOS has administrative rights that allow that user to make system-wide changes and install applications. That user doesn’t have root access to make changes at the operating system level. However, an administrator can enable root access and then perform tasks as the root user. Apple doesn’t recommend logging in as the root user and instead recommends performing such tasks with sudo from the terminal. That’s the same advice you would hear from a seasoned Linux user.
If you are a macOS user and you want to protect your machine, the safest solution right now is to actually enable root access and set a password for it.
Can we trust computers?
This bug, however, raises a serious question: despite Apple’s claims, the root user is not disabled by default.
My fellow journalist Mike Elgan recently wrote a thought-provoking article, ‘Why can’t we trust smartphones anymore’. In that article, Elgan talked about holes that major tech companies like Google and Apple left in their smartphones that may compromise those devices:
“Google, Apple and OnePlus have recently been caught sneaking intentional vulnerabilities into phones in ways no user would ever suspect. Phones running software installed by those three companies do potentially insecure things even when users take actions to prevent those very things from happening.”
Does this bug fall into the same category? Was Apple caught sneaking intentional vulnerabilities in High Sierra?
That’s a tinfoil hat argument and I doubt Apple will intentionally do that. But then you would also expect Apple to actually turn off the wireless and Bluetooth chips when you do so from system settings.
Sadly, in the age of lying presidents and fake news, it’s becoming hard to know what to trust and what not to trust.
Who do you trust?