
macOS lock screen: “I just sent my session pass to my whole team” - fofolo
https://twitter.com/BenoitLetondor/status/939127296266588160
======
tachion
Oh, wow - I've reported this problem along with an example exploit to Apple
about 6-7 years ago. Never got any recognition for it, but it was fixed some
time after that. It's quite sad to see old bugs getting new lives like that.

For those interested, the sample exploitation that I discovered was this:
connecting any iPod/iPhone device to an OS X laptop while the screen was locked
took the focus away from the login prompt 'into' the system, where iTunes
gained it, and from there it was just a few OS-level keyboard shortcuts from
gaining network access to the system while still locked: launch Finder, go to
the tools folder, launch Terminal, launch `nc` in the terminal to get access
via the network. Lots of blind typing, but it worked more times than not.

~~~
yeukhon
> Oh, wow - I've reported this problem along with an example exploit to Apple
> about 6-7 years ago

Any proof? Perhaps you can demand a bounty payout or sue them for ignoring it!

~~~
eridius
You can't demand a bug bounty payout, especially because Apple didn't have a
bug bounty back then (and their bug bounty today is invite-only).

Also, if you read the rest of the comment, Apple _didn't_ ignore it. They
fixed it.

~~~
yeukhon
I did read the rest of the comment. So I am asking if someone is either making
this up or if not it's important to shame Apple for its secrecy. That's my
view on responsible disclosure; either ack someone's hard work or let every
bug free in the wild. What's the point when your work isn't being acked?

~~~
eridius
> _What's the point when your work isn't being acked?_

To get the bugs fixed?

Also, we don't know why they didn't get recognition. The simplest answer is
someone else may have reported it first. But it doesn't really matter. And I
really don't see how "secrecy" comes into play here.

------
gonational
With no disrespect to the developers at Apple, et al, each one of these
problems that goes viral before reaching “proper” channels is a well-deserved
slap in the face of these behemoth organizations.

Perhaps, if the entire tech community regards Apple as a joke, they will start
paying attention.

“Responsible disclosure” is great stuff for creating a culture of free
outsourcing of tech companies’ most important feature (security) to the same
people that paid those companies thousands of dollars for that privilege.

~~~
daveFNbuck
Responsible disclosure is about preventing the bug from being exploited before
it can be fixed. Knowing about this bug doesn't help me compromise someone
else, but it does help me avoid getting compromised.

~~~
CodeWriter23
So, security through obscurity. No thanks. I'd rather know about the exploit
ASAP so I can implement a workaround, rather than wait months for the vendor
to get off their ass while my systems are getting hacked by the hundreds if
not thousands of hackers that have 0-day knowledge.

Calling what you describe as "Responsible" is intellectually dishonest.

~~~
will_hughes
Perhaps you can write a patch or mitigate effects of (say) an OpenSSL bug. I
can't. Certainly not for the myriad of devices that embed well known libraries
in firmware images that I don't get to modify myself.

I'd much rather that those things which are remotely exploitable across
millions of devices be kept quiet for a small period of time (30-90 days
depending on the complexity of the fix required) so that I can get patches
from our vendors and schedule an update at the first available opportunity.

You might call it security through obscurity, I call it keeping shit from
burning down.

~~~
CodeWriter23
There are numerous potential workarounds besides authoring a patch. And they
can be distributed in a user-accessible fashion, like the workaround for the
macOS blank root password was.

Not telling the world about it does not keep shit from burning down.
Eliminating vulnerable targets is the only thing that does that. And that is
more expediently served by full and prompt disclosure.

------
malchow
Not to pile on, but my MBP (with "TouchBar" which will assuredly not exist in
another year) is always in clamshell mode and connected to two external LG 4K
displays. Whether, on which screen(s), or in what state the Mac wakes each
morning is completely random. Sometimes it doesn't wake at all. Sometimes I
have artifacts on one screen and a desktop on another screen. The sleep/wake
sequence is a complete mess, and it doesn't surprise me that the focus might
sometimes be on apps running in the user session behind the lock screen.

~~~
dawnerd
Same problems as you, but I disagree on the touchbar. It’s one of the better
things Apple has added recently.

But holy hell do they need to work on their external monitor support.
Yesterday I had one of my monitors randomly go black for a second. I’ve had
audio over USB-C just not show up anymore and it refusing to see my gigabit
ethernet when waking up unless I unplug the actual ethernet cable. Simply
amazing this passed their QA - and I'd find it hard to believe no one at Apple
uses clamshell mode with two monitors.

~~~
DoodleBuggy
> but I disagree on the touchbar. It’s one of the better things Apple has
> added recently.

Strongly disagree, and I can not conceive of how it could be viewed as
"better" than hardware keys. Maybe if they moved it above the FN row and we
regained the hardware escape key, while making it a build to order option.
Even then, I personally would have no interest in it, and neither would anyone
else I know. I do not want to look at my hands while I type, ever.

~~~
eridius
> _Strongly disagree, and I can not conceive of how it could be viewed as
> "better" than hardware keys._

I hope this is hyperbole, because it shouldn't be hard to understand. The
TouchBar is absolutely an improvement. I can't remember the last time I
actually used a laptop keyboard's F-keys for anything, but the TouchBar makes
that space useful.

~~~
vthriller
> I can't remember the last time I actually used a laptop keyboard's F-keys
> for anything

Not even F5 in a web browser?

~~~
eridius
That's Windows. F5 doesn't do anything in Mac browsers.

~~~
Grimm665
What? Fn+F5 works fine in chrome.

~~~
eridius
Funny, I actually tested Chrome before commenting just to make sure it wasn't
doing something weird, and F5 definitely doesn't reload Chrome on my computer.

------
y3sh
FWIW this is a known security bug at Apple. I filed a bug about similar
behavior where you can see the desktop briefly without logging in. Apple
marked it as a duplicate.
[https://imgur.com/YxXtU2y](https://imgur.com/YxXtU2y)

Here are the steps to reproduce:

- Start Mac

- Login

- Turn on Screen Lock: System Preferences > Security > General > Check
"Require Password" and Select 5 Seconds.

- Turn on Hot Corner Sleep Display: System Preferences > Mission Control >
Hot Corners > Select upper left > Put Display to Sleep > Ok

- Attach external monitor

- Activate hot corner by dragging mouse to upper left corner of screen

- Wait 6 seconds

- Click the mouse to trigger waking the screen

- See brief flash of the desktop without logging in!

~~~
Lxr
The desktop flash happens regularly to me when simply attaching an external
monitor to my closed locked machine.

------
abakker
So, Apple has the most available cash resource of any company out there (or at
least close to). Yet, bugs galore, and strange product decisions. The obvious
conclusion is that their management is failing to staff accordingly to the
work that needs to be done. This could be because they are not aware that work
needs to be done, which means engineers are not telling them, or that the
management is not succeeding in hiring enough people to do the jobs.

My gut instinct says that some former people at Apple used to do a lot of
undocumented QA work and sanity checks, and that as the company has grown and
changed, nobody picked up the slack when they left. Now, they'll have to go
through a formal process of re-identifying QA steps that need to exist, and
hiring against them. It's been a hell of a month for them, though.

~~~
joeblau
I'm guessing that it's going to be pretty difficult to hire an engineer who
is:

- Very good

- Wants to live near Palo Alto

- Is able to live in the US

- Wants to be subjected to Apple's privacy rules

- Wants to work on fixing bugs instead of making new features

In the software engineering game, money only goes so far.

~~~
gurkendoktor
If I could work from a European Apple office, this would be 100% my dream job.
When you implement new features, you are a slave to your marketing department -
I'd hate to waste my time on pointless gimmicks like the macOS Siri UI, for
example. Maintenance work is much more satisfying because you're directly
serving your users (usually skewing towards power users too!).

Also, I don't think the privacy restrictions would be so bad. Apple's UIKit
engineers occasionally chit-chat with indie devs on Twitter.

The problem is that this job would be absolutely futile. If Apple hired 100
great engineers to fix bugs, management would simply double the amount of
features that go into each yearly release.

~~~
abakker
For a company that loves minimalism so much, you've hit it right on the money
WRT management.

The TouchBar, while interesting, is the perfect example of this. I'd love to
have had it along with the physical buttons - there's plenty of room. Alone,
though, it is pretty weird.

I assume that the real problem is that Apple's managers do email and web
browsing, and that's it. They probably don't spend enough time in pro apps or
trying to be productive to understand that a window manager built in, or
physical keys or an improvement to their native text editor would be helpful.

------
pilif
I did something similar too - I was typing in the password while the Mac was
being unlocked by the watch using that unlock-with-the-watch feature.

I was used to hammering return a few times to wake the machine up, then typing
in the password, then hitting return again.

The few times I hammered return woke the machine, the watch unlocked the mac
and the password plus the return key went into the app that had focus which
for me also was Slack.

Is it possible that this user had the same thing happen to them? When I
disable the watch unlocking, I can't make the password go anywhere but into
the login screen (10.13.1 here with last week's security update applied)

~~~
geerlingguy
Because of the short delay between waking the Mac and the display lighting up,
I always either use spacebar or command key, or click the trackpad/mouse a
couple times to wake.

Return is a dangerous key!

~~~
jmull
I hit the shift key

~~~
j_s
I used to hit the Shift key to manually triple-verify keeping my laptop
'alive' during long videos/presentations but have since switched to the Ctrl
key. Thanks Sticky keys!

------
djsumdog
I worked at an open source shop where almost everyone ran Linux and used IRC
for chat. For a while I made the mistake of having the screen black time lower
than the screensaver timeout, so I'd unlock my screen and see my password go
out in IRC. I ended up changing my password to something that looked like a
shell command.

~~~
dwyerm
I worked in a mixed shop, and when my Linux box showed the BSOD screensaver,
my Windows-aligned co-worker helpfully rebooted my machine for me.

------
nerpderp83
These lock screen issues go back further than 10.13, I believe it was 10.10 or
10.11 my child was able to bypass the lock screen by mashing on the keyboard
while the screensaver was fading out the login dialog.

I witnessed it. I was not able to reproduce it in 10-15 minutes of testing.
She did NOT type in the password. Just banging on the keyboard, playing with
the screensaver.

~~~
drunken-serval
I have a computer on 10.10. Has this issue.

------
jerf
Lock screens are harder than they first appear:
www.jwz.org/xscreensaver/toolkits.html (Which, you'll note, mentions this
exact failure case in the "Transfer Grabs?" section.) There's some X-specific
stuff in there, but there's a lot of general issues in there, and with just a
bit of imagination most or all of the X-specific issues can be seen as general
issues as well.

~~~
dwyerm
Fair warning: Jamie doesn't appreciate the discourse this crowd brings to his
site. Visit this URL without a referrer for the best results.

~~~
BoorishBears
No idea why you wouldn't just make it clear the site will open an
inappropriate image when linked from HN

DON'T OPEN THAT LINK

~~~
j_s
Yes, hopefully the commenter will edit in time to remove the `http://`
prefix so that it is not clickable.

[https://news.ycombinator.com/item?id=11135200](https://news.ycombinator.com/item?id=11135200)

> sirsar: _JWZ used to detect the hacker news referrer and redirect all links
> that originated on hacker news to goatse. Now it's only slightly less
> graphic_

~~~
jerf
Sorry. Pity. It's actually crammed full of good stuff, which is why I linked
it. It's a classic easy-looking problem that gets really hard when you get
down in the weeds.

~~~
j_s
Not that it's somehow my place to say it, but I appreciate the spirit of your
apology; you too are among the victims who deserve no blame.

------
Dotnaught
Left Slack open with focus, allowed MBP to sleep, woke with space bar, login
field had focus, tried with closing lid and opening while Slack was open and
focused, again password field functioned as it should, unable to reproduce,
macOS 10.13.2

~~~
fofolo
Difficult to reproduce, can be when we lock the session, close the macbook,
plug a second screen and re-open. Or in another order. Personally I remember
not having the focus on the password input by opening my MacBook onetime, I
often plug and unplug screens

~~~
lostlogin
I was in a huge lecture hall and the head of school was going to give the
presentation. He plugged in, turned to look at the display from the projector,
and it hadn’t come up yet. He typed in his username and password and stood
there waiting. When the projector came to life he had typed it all into the
username field. He fixed it up, then displayed his desktop to us with all the
pending final exam papers sitting there. No one in the hall showed any obvious
sign of realising what had just occurred.

------
cjensen
I have slow Macs that I share with family.

I've seen similar behavior when switching users. The full-screen password
entry login comes up, but focus is still on regular apps.

------
j_s
I often wonder how many authentication log files contain passwords because
people in a hurry append it to the username by accident (not visually
confirming the Tab/Enter/switch to the password entry).

This is also vaguely similar to the 'test SSL submit' security technique of
first entering enough data into login forms to process a submission, and then
entering real login info into the 'login failed' retry page after verifying
SSL. This has lost some of its luster as non-SSL form submission has fallen
out of wide usage.
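
As an added example (not code from the thread or from OpenSSH), here is a small defender-side check for the auth-log problem described above: it scans sshd log lines for the username recorded after "invalid user" and flags any that are unusually long or contain characters outside the portable username set, which is what a password pasted after the account name usually looks like. The log lines, the 32-character threshold and the function names are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: scan sshd log lines for usernames
# that look like a password was pasted after the account name, so the affected
# lines can be scrubbed and the credential rotated.

# Constructed sample log lines (not real logs).  sshd records the username of
# unknown accounts verbatim, which is how a pasted password ends up on disk.
SAMPLE_LOG='Dec  8 09:14:02 host sshd[2201]: Invalid user alice from 10.0.0.5 port 51234
Dec  8 09:14:05 host sshd[2201]: Failed password for invalid user aliceCorrectHorse9! from 10.0.0.5 port 51234 ssh2
Dec  8 09:15:11 host sshd[2207]: Accepted publickey for bob from 10.0.0.6 port 51240 ssh2
Dec  8 09:16:30 host sshd[2210]: Invalid user carol:hunter2 from 10.0.0.7 port 51250
Dec  8 09:17:42 host sshd[2214]: Invalid user davetypedhiswholepassphraseintotheuserfield from 10.0.0.8 port 51260'

# Reads log lines on stdin.  Flags the username following "invalid user" when
# it is longer than $1 characters (default 32) or contains characters outside
# the portable username set [A-Za-z0-9._-].  Prints "<line>\t<username>" per hit.
flag_suspicious_usernames() {
    max_len="${1:-32}"
    awk -v max="$max_len" '
        tolower($0) ~ /invalid user / {
            for (i = 2; i <= NF; i++) {
                if (tolower($(i-1)) == "invalid" && tolower($i) == "user") {
                    u = $(i + 1)
                    # an empty username makes "from" the next token; nothing to flag
                    if (u == "from") break
                    if (length(u) > max || u !~ /^[A-Za-z0-9._-]+$/)
                        printf "%d\t%s\n", NR, u
                    break
                }
            }
        }'
}

# Convenience wrapper returning only the number of flagged lines.
count_suspicious_usernames() {
    flag_suspicious_usernames "$@" | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LOG" | flag_suspicious_usernames
```

Run against a real log with `flag_suspicious_usernames < /var/log/auth.log`; the hit on line 1 of a real file is the "Invalid user" entry, but the matching "Failed password for invalid user ..." line a few lines later carries the same string, so both need scrubbing. The threshold is a heuristic: short passwords appended to a short username will slip past the length test and only be caught by the character-set test.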

~~~
teekert
Yeah, pretty sure mine is in clear text in some ssh auth.logs. Yeah yeah, I
should use encrypted key-based login (I try to mostly do it.)

~~~
j_s
I typically require both when others are involved since proper key security
can't be enforced (hardware 2FA is the dream).

AuthenticationMethods requiring both wasn't available in OpenSSH prior to v6.2
(May 2013)[1] and I'm on Windows anyway so I went with
[https://www.bitvise.com/ssh-server](https://www.bitvise.com/ssh-server).

[https://serverfault.com/a/562899](https://serverfault.com/a/562899)
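
The `AuthenticationMethods` directive mentioned above has a subtle syntax: methods joined by a comma form a chain that must all succeed, while space-separated entries are alternative chains, so `publickey password` allows either factor on its own and `publickey,password` requires both. As an added example (not code from the thread or from OpenSSH), this checker reads an sshd_config on stdin and reports which of the two a config actually enforces in its global section. The three sample configs and the function name are constructed; it assumes the documented sshd behaviour that the first value read for a keyword wins and that directives after a `Match` line are conditional.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH: check whether an
# sshd_config requires a key AND a secret (password or keyboard-interactive)
# for every permitted method chain.  In AuthenticationMethods, methods joined
# by a comma must all succeed; space-separated lists are alternatives.

# Three constructed configs (not real files).
CFG_UNSET='PubkeyAuthentication yes
PasswordAuthentication yes
# no AuthenticationMethods: any one enabled method logs you in'

CFG_EITHER='PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey password'

CFG_BOTH='PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,password
Match User deploy
    AuthenticationMethods publickey'

# Reads an sshd_config on stdin and prints one of:
#   unset                  no AuthenticationMethods in the global section
#   requires-both          every alternative chain needs publickey plus a secret
#   single-factor-allowed  at least one chain can succeed with a single factor
# Only the global section is judged: sshd uses the first value it reads for a
# keyword, and everything after the first Match line is conditional.
check_auth_methods() {
    awk '
        $1 ~ /^#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == "authenticationmethods" && !seen {
            seen = 1
            ok = (NF > 1)
            for (i = 2; i <= NF; i++) {
                n = split($i, m, ",")
                has_key = 0; has_secret = 0
                for (j = 1; j <= n; j++) {
                    if (m[j] == "publickey") has_key = 1
                    if (m[j] == "password" || m[j] ~ /^keyboard-interactive/) has_secret = 1
                }
                if (!(has_key && has_secret)) ok = 0
            }
        }
        END {
            if (!seen) print "unset"
            else if (ok) print "requires-both"
            else print "single-factor-allowed"
        }'
}

for cfg in "$CFG_UNSET" "$CFG_EITHER" "$CFG_BOTH"; do
    printf '%s\n' "$cfg" | check_auth_methods
done
```

Use it as `check_auth_methods < /etc/ssh/sshd_config`. A `requires-both` result still depends on the listed methods being enabled (`PubkeyAuthentication`, `PasswordAuthentication` or the keyboard-interactive/PAM setup), and `Match` blocks can relax the rule for specific users, so review those separately.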

------
05
Say what you want about Windows, but no amount of sneakery can steal input
focus from Winlogon window station (yes, there's a separate kernel object for
that in NT/Win32K).

~~~
JdeBP
It is the (secure) desktop, not the window station.

------
suresk
This has been a very sporadic issue that I've seen once or twice per year at
most, for quite a while with OS X - somehow, another window is able to steal
focus from the login screen. I've never been able to reproduce it reliably or
find a common element in all of the times it has happened, but it definitely
has happened to me and I've also seen co-workers dropping their login password
in a chat window due to this. But it is pretty rare, so hard to pin down.

I've also noticed another thing happening more lately - locking the screen,
only to have it automatically unlock itself a second or two later. I always
have to make sure it actually stays on the screensaver for a few seconds
before I trust it will actually lock.

------
csomar
I'm really bothered. While I had relatively no issues with the fresh OS X
update, I'm having a hard time with the iPhone 7 and the new iOS that is
supposed to run their flagship device: iPhone 10.

While most of the bugs have disappeared with the recent update, there are
still some minor ones that really piss me off: the screen freezing
unresponsively for 30-60 seconds before things get back under control; and music
playing randomly (happened a few times. Everything calm. Boom, music starts to
play).

I'm pretty sure this mess wasn't here before the update to iOS 11.

Edit: Just found there is a new update. Let's see if they are getting their
shit together this time.

~~~
hashbig
Wouldn't be surprised if it was intentional. Apple is known for planned
obsolescence for their products, especially iPhones.

~~~
AlexandrB
I hear this line a lot and yet iPhones get the latest iOS updates for many
years after release while many Android phones are lucky to get 1 year of
updates.

~~~
hashbig
I would be much happier if Apple didn't "force" me to update my iPad with a
pop up message every day. It was running smooth like butter, even with an
older version of iOS.

------
runjake
I have had this happen with 10.12 and 10.11 on rare occasions. To my
knowledge, I'm not doing anything different on the occasions that it does
happen.

It wasn't Slack-specific as I've only started using Slack recently.

~~~
happyrock
It happened to me as well, but with HipChat.

------
lloydde
Although this bug still sucks, the class of problems of pasting passwords into
chat may have a simple, worthwhile, and general solution. A colleague at a
former company always changed the key bindings in his IRC/Jabber client to
include a control key with Return for sending a message. Does Slack have this
option?

------
rst
Even more fun if the focus happens to be on a terminal window...

~~~
breakingcups
I knew I shouldn't have picked 'rm -rf /' as a password

~~~
teekert
Haha, tried that a couple of months back before wanting to do a reinstall. The
system stopped me with some warning :) I think it was Arch but could have been
Ubuntu or Solus.

~~~
Gloire_a_Satan
There's a way to still do the rm -rf / bypassing the warning but you shouldn't
do that.

Ever since systemd was a thing, that command has stopped being 'safe'. It no
longer solely affects the filesystem. It can wipe your EFI variables and make
your computer unable to boot at all, even unable to boot installers to
reinstall Linux.

[https://github.com/systemd/systemd/issues/2402](https://github.com/systemd/systemd/issues/2402)

Don't think of the file system as just the file system. If you keep thinking
of / as only meaning 'whatever's in that hard drive' you will not like what
you may encounter.

------
wruza
I also typed my apple id password to my peer, not into chat, but into another
mac in the same room. Mac keyboards can disconnect and connect to wrong
devices if used with them once.

That specific setting was: my keyboard was used to setup his mini, mini was
turned off and on later. My keyboard, already properly reconnected to my mac
at that time, disconnects on timeout (or for whatever reason it does that few
times a day). Mini “grabs” my keyboard when it goes back on air. I wake my
sleeping mac via trackpad and try to type my password into focused password
field. Non-obviously, no characters appear on _my_ screen.

------
rickyc091
Definitely done that before. Sent my password through Messages to a friend.
After that, I learned to keep the finder or a web browser as the thing in
focus before I lock my computer.

------
noahdesu
Last week I was resizing a window in High Sierra, and I noticed that the
Chrome app in the background was also scrolling. That was completely
unexpected. It's long been the case that the window doesn't need to be on top
for this behavior, but in this case it wasn't just a focus issue, it was that
I was in resize mode. Completely jarring when it happened, but seems related.

------
joefreeman
Sounds like the assumption is that the lack of focus means that the first
password got sent to Slack? But it seems more likely that it was the second
entry of the password that was sent to Slack, and it was just that the
keyboard input was being buffered? (So the first password-enter eventually got
processed, and then the second one got processed but after unlock.)

------
symlinkk
A similar thing happens to me sometimes with 1Password on the web. I'll click
the extension's icon and type in my password and realize I'm typing it into a
text box on the webpage. I've tried to reproduce it and I can't, so I have no
idea what the issue is. It freaks me out though.

------
polock
Microsoft employee said: "Same issue as with using Windows 10 with multiple
monitors/screens."

[https://us.teamblind.com/article/wtf-apple-uBXwbJMc](https://us.teamblind.com/article/wtf-apple-uBXwbJMc)

------
donmb
Could not reproduce that. For me it's impossible to not have the password field
focused. Hm?

~~~
ankushnarula
Same here. Running 10.12.6

~~~
CameronBanga
I think this is a 10.13-only bug, likely tied with some of the other password
entry bugs that have popped up due to a bunch of rework with how user
login/authentication work.

------
kuon
I had this bug once a long, long, LONG time ago; since then my password is a
sentence that doesn't look like a password. Of course I'd still change it if
it went out to Slack :)

------
DoodleBuggy
I have run into this before, figured it was a generic login bug. Now I wonder
what/where my login credentials went. Lovely.

------
zeep
I'm always worried about this too... sometimes my session doesn't lock because
I was watching a video and I go ahead and type my password before looking when
I come back (some websites log all keystrokes).

------
martinp
Not surprised by these bugs any more.

The sheer amount of bugs in High Sierra is ridiculous, with the exception of
the root password bug, I've personally experienced the following bugs with my
Thunderbolt display:

* In 10.13 or 10.13.1 the built-in web camera was broken. The video would freeze after a few seconds when attempting to use the camera in FaceTime. This was fixed in 10.13.2.

* In 10.13.2 USB audio devices connected to the TB display no longer work properly. After playing audio through the device (USB DAC in my case) for 30-60 seconds, some sort of interference/electrical noise appears for 5-10 seconds every minute or so. I assume this has something to with "Improves compatibility with certain third-party USB audio devices." from the 10.13.2 release notes.

~~~
sccxy
For me it is impossible to update macOS too.

App Store is not working.

Downloading fix from website tells that my fusion drive is not compatible with
this kind of install. Use App Store.

I don't even have a fusion drive.

~~~
k3a
Why are you still using it then? Operating systems are very complicated
beasts, none is perfect, but I like Linux the most. There are issues too but I
feel like I have more control over it.. Sometimes work reasons force people
into Mac/Windows though... :(

------
hhbbhhg
This sort of shit wouldn’t fucking happen if they put the login/lock screen
into its own separate and independent desktop like Windows does.

When _Windows_ is more secure than you, you have big problems.

In case someone thinks desktop Linux is better, it’s not. It’s much worse:
[https://www.jwz.org/blog/2015/04/i-told-you-so-again/](https://www.jwz.org/blog/2015/04/i-told-you-so-again/)

~~~
veridies
FYI, that link now redirects to a somewhat NSFW imgur page mocking HN.

~~~
JdeBP
That has been already discussed on this very page at
[https://news.ycombinator.com/item?id=15879470](https://news.ycombinator.com/item?id=15879470).

------
yAnonymous
This is really Slack's fault for not automatically turning the password into
stars. IRC has done that for years!

~~~
andr
Citation: [http://bash.org/?244321](http://bash.org/?244321)

~~~
godzillabrennus
Amazing.

Reminds me of people being told in chat to hit F10 to enable cheats in
Counterstrike Source. Half the gamers would exit immediately.

~~~
lathiat
Have you seen the feature they added to the latest release of BitchX and
irssi?

Try it out: /disco party

------
gaius
This is why Windows NT ensures no user process can intercept Ctrl-Alt-Del.

~~~
JdeBP
No. It is nothing to do with secure attention.

This is why Windows NT runs the log-on user interface, the screen saver, and
the elevation consent UI on separate desktops that have restrictive ACLs
disallowing interactive user processes from creating windows there.

~~~
gaius
The SAS is _specifically_ so no one can hijack/spoof the password dialog. When
you enter it you can be 100% certain you are talking to NT.

~~~
kyberias
You're kinda both right. But the focus-protection part has nothing to do with
SAS.

~~~
gaius
Consider [https://superuser.com/a/61772](https://superuser.com/a/61772)

~~~
Someone1234
Not really sure what you think that adds.

Nobody is denying that the "anti-hijacking" forcing of CTRL-ALT-Delete adds to
security, what they're saying is that it has nothing to do with this topic.

This topic is about keyboard input focus. In Windows, due to the process
hierarchy the login UI isn't running in the same context as desktop
applications, so stealing focus or focus drift couldn't occur.

~~~
gaius
_This topic is about keyboard input focus._

Yes, and the SAS guarantees that after you enter it, nothing else can have
keyboard focus. I don't see why this is such a controversial point. You will
never come to unlock your NT workstation and find that the keyboard focus is
somewhere you don't expect, because you need to enter the SAS first.

~~~
zamalek
> I don't see why this is such a controversial point.

Because it's untrue. The SAS is a sanity check.

If something is spoofing a login screen on your desktop and you press
CTRL+ALT+DEL, you will get a system menu instead of a password prompt.

If you are in the login screen, which is able to hook CTRL+ALT+DEL, it will
switch to the password prompt.

Here's the clincher: even if you have the SAS disabled (which it is by default
on Windows 10) there is still no way for an app to steal focus from the login
screen. The keyboard focus assurances are handled by something completely
different - protected desktops (these also handle the UAC prompt for the most
secure setting).

Full circle: even though nothing can ever steal focus from the login screen
(unless it is running within that protected desktop), if you don't use the SAS
there is no way for you to know that you are looking at the real Windows login
screen.

~~~
nly
Normal apps can't, but it is possible to access other desktops, such as the
login screen, from a system service. I work on software that does it

------
ebbv
The quality of the software and the sacrifice of key functionality in the
hardware (dropping of MagSafe, which was a huge differentiator, going to just
USB-C ports which almost nothing supports, not even Apple's own in box phone
chargers) demonstrates that Apple is purely a design house lately. It has
completely faltered on the engineering side. Tim Cook is not an engineer and
Jony Ive is not an engineer. There are engineers at the company but they don't
seem to be getting a seat at the big table.

~~~
bartvk
You talk as though you're stating facts. However I very much like USB-C for
the usual reasons. Of course it's in the early stages, but personally I hook
up all my peripherals to my laptop with a single cable. Much convenience.

------
gcb0
on .2 already. Never had an unwatch to unlock. The ghost typing happened to me
yesterday. I never found out what got my password. hopefully it wasn't slack.
I assumed it just went to the "root window" (does quartz have the same
concepts as X?) of the lock screen

I usually press the control key to wake up every computer (shift doesn't work on
some). That one time I woke it up by tapping on the touchpad.

------
VirtualAirwaves
Windows handles this nicely with User Account Control (UAC) and Secure Desktop
mode.

Many of OSX's problems come from trying to shoehorn security on top of
operating system concepts that were developed in 1969.

------
caiob
I may be wrong, but Slack might be hijacking the window order, there's def
some monkey business going on there.

~~~
oatmealsnap
Nothing should be able to hack outside of the lock screen. That should
require some crazy special permissions.

~~~
DannyBee
The system allows things like key-triggered screen grabs during the login
password window (found this out when my 1 year old hit a bunch of keys), which
already seems like nonsense.

------
eamann
Apple has a bug bounty program where they'll legitimately pay you to report
bugs directly to them. What's with everyone reporting them to Twitter instead
and forgoing the extra cash?

~~~
Fishkins
People post on Twitter because it actually gets a quick response. According to
Lemi Orhan Ergin, the root password bug had been reported directly to Apple
five days before his tweet, but there was no response/fix. Then he tweeted
about it, and it was fixed the next day.

[https://medium.com/@lemiorhan/the-story-behind-anyone-can-lo...](https://medium.com/@lemiorhan/the-story-behind-anyone-can-login-as-root-tweet-33731b5ded71)

