
Updated to High Sierra, all Admin accounts now Standard - JoshTriplett
https://forums.developer.apple.com/thread/79235#
======
akulbe
I know stuff happens. Let me get that out of the way.

As someone who had been a Mac user for ~15 years, this is yet another example
of news coming from Apple's general direction that makes me feel like Apple
has stopped giving much attention to macOS.

Yes. They still work on it. But it feels like it gets table scraps, compared
to the attention given iOS, and iOS devices.

It's the thought that runs through my head on learning that this issue had
been on a public forum and nothing public from Apple in response.

I ended up switching to Windows 10 for a daily driver. It's been a painful
move, the workflow (so far) isn't nearly as smooth.

I'm sad. I used to dismiss others who would opine and say Apple feels like
it's on a quality decline. Unfortunately, I'm starting to agree with them.

Success may not be the best teacher, it seems.

~~~
LoSboccacc
Been saying this since the trash icon stopped becoming eject on dragging
volumes. Edit to clarify: the text stays ‘trash’

The lack of care begins with the little things then entropy takes over.

~~~
stanmancan
Strange, the trashcan has always turned into the eject icon when dragging
volumes for me.

~~~
e_proxus
OP refers to the text beside the icon, not the icon itself, which still says
"Trash".

------
runesoerensen
I guess this is worth taking into account when discussing "responsible"
disclosure. It's such a glaring vulnerability that other people already knew
about and shared publicly (although seemingly no-one in that forum thread
considered it a security issue).

A lot seem to think there's only one way to responsibly disclose
vulnerabilities (e.g.
[https://news.ycombinator.com/item?id=15800676](https://news.ycombinator.com/item?id=15800676)),
but that's really not the case at all if end-user security is the priority.
It's very likely that quite a few already used this maliciously as well, and
the more responsible thing to do in that case probably was to announce it
(along with a temporary mitigation) to as many people as possible.

Btw credit to
[https://twitter.com/fristle/status/935670476214378496](https://twitter.com/fristle/status/935670476214378496)
for finding this!

~~~
beedogs
Uhh.... are you sure you're commenting on the right story?

~~~
AnkhMorporkian
Pretty sure they are. What other post could they be commenting on?

~~~
strictnein
The other one where somebody posted this on Twitter. This one:

[https://news.ycombinator.com/item?id=15800676](https://news.ycombinator.com/item?id=15800676)

~~~
runesoerensen
No I linked to that story in my comment :) I suspect grandparent missed the
context because the title of this story was changed from _"Apple security
vulnerability posted on developer forums as troubleshooting tip"_ to
_"Updated to High Sierra, all Admin accounts now Standard"_.

I've updated my comment to include a link to the source for context.

~~~
AnkhMorporkian
You're 100% correct, that's why I didn't get the context. The title had
already changed.

------
needcaffeine
Wellll, it sure is a good thing that users can just login as root now in order
to fix this!

~~~
dentemple
The user should've properly disclosed his troubleshooting tips with Apple
first.

EDIT: /s

~~~
BoorishBears
The post doesn't read like the user thought the tips constituted any type of
security issue. They might have thought it was expected, but not well known,
behavior.

~~~
dentemple
Yeah, as another person pointed out in this thread, this post really puts a
kink in the whole "proper security channels" argument.

The macOS vulnerability was apparently a known thing, POSTED VISIBLY on
Apple's own forums, and it reads as if the user got this "helpful tip" from
somewhere else.

This is pretty nuts.

------
rdtsc
"Note: This solution might be specific to High Sierra"

"Solution 2 worked for me. No idea how or why. Hope this helps."

User seems to have known about it at least 2 weeks ago. Wonder if they
realized that it's a glaring security issue. It's hard to tell from the
comment if this is something they found themselves or heard about from
someone else.

It would be interesting to search other forums, maybe in different languages,
to see how long this has been known.

~~~
AnkhMorporkian
One would imagine that 'root' would be a ubiquitous search term, regardless of
the language in question.

------
Cookingboy
I swear to god Apple’s software quality has been going to hell in a
handbasket in recent years. I think they really need someone like Forstall back.

~~~
CodeWriter23
Indeed. Someone needs to cry their way to the unemployment line for this.

------
masterleep
[https://twitter.com/unsynchronized/status/935656609140711426](https://twitter.com/unsynchronized/status/935656609140711426)

~~~
SyneRyder
This needs to be more visible. The linked Tweet:

"macos 10.13 bug isn't limited to root in all circumstances; via ARD, you can
log in as any existing user (e.g. _applepay) and share the screen of the
logged-in user. also _uucp is allowed to log in"

So even the current workaround of changing/creating the root password is not
enough.

------
BoorishBears
Hint for those looking: It's towards the bottom 3/4ths of the page

Ctrl+F: "Note: This solution might be specific to High Sierra"

~~~
tesseract
Interestingly that post, with its two solutions and the note that "Solution 2
worked for me", gives an impression of being pasted from some other
documentation or a conversation with a support technician. That just raises
more questions!

------
hellofunk
I've been an Apple fan for a long time, but the recent issues with their
software are a great concern for me. I can't imagine why the problems exist
given Apple's resources. I can only assume that they are using all their
massive resources to make something so new and revolutionary that they don't
have much left over to devote to things like the Mac.

But that's probably not what's going on, so I'm at a loss. And really
disappointed.

Apple, get your act together. We miss you.

------
floatingatoll
Tip: If it says "we're having trouble processing your login", that's due to a
bug in Apple's SSO; refresh your expired developer.apple.com login cookie at
that site directly and then try again.

(If you're reading this and you work for Apple, it's been a problem for
several years, and it'd be truly swell if it showed a login page instead of an
error page.)

------
l2dy
[https://forums.developer.apple.com/thread/79235#277225](https://forums.developer.apple.com/thread/79235#277225)
points to the disclosure posting.

------
maaaats
Good thing most minor Mac OS updates break critical stuff, as most people I
know have held off updating so far..

Known issues at work include a lot of programs no longer working, can no
longer change password on the domain so when it expires you are screwed, etc.
And things like this happen all the time.

~~~
pentae
Holding off on updating is a great strategy but for how long will we have the
choice? Forced updates are slowly creeping into MacOS after MS has led the way
with Windows.

------
chuckie512
I have no idea how a blank password wouldn't be a standard test case for
apple...

~~~
bigiain
The trick here is you seem to need to run that test twice to catch the error.
As I read things - the first time you try to log in as root with an empty
password, it creates the root account (but doesn't log you in) - the _second_
time you win.

~~~
raverbashing
The question (and the bug) seems to be why is it creating this account in the
first place

~~~
bigiain
Oh sure. But there's a very plausible explanation why "the obvious test" might
not have caught this bug...

~~~
_Codemonkeyism
If your testers only test the obvious things you're screwed.

~~~
virgilp
You can't ensure correctness by testing. You can only hope to find some of the
bugs.

This one in particular doesn't strike me as something that the testers
should've caught. It's something that the development process shouldn't have
allowed to happen, in the first place.

~~~
_Codemonkeyism
In my time as CTO in different companies, this would be something testers
would have tested, perhaps not at the first release but over time.

Especially if QA does exploratory testing[1] instead of defined test cases
(which should be automated away anyway).

[1]
[https://en.wikipedia.org/wiki/Exploratory_testing](https://en.wikipedia.org/wiki/Exploratory_testing)

------
jheriko
glad to see the suggested fix before the exploit is to use the standard google
result from "how to hack a mac" and is by design.

OS X has never been secure in my experience other than through obscurity and
lack of physical presence. it is the only OS that i have always been able to
steal root from by googling how...

hopefully this will encourage people to take this a bit more seriously, and
maybe apple to raise the bar to where linux or windows have it, where i can't
'just' google something dumb and break in with physical access and have to
make a more serious effort.

------
reacharavindh
This is insane. Certainly not the quality of software we expect from Apple
after paying big dollars. I'd love to spend a week/month or however long it
takes to build a Linux equivalent of MacOS that just works and guard it like a
golden eagle, but unfortunately, the lack of display scaling to non-integer
multipliers, and sane power efficiency still keeps it a pipe dream for use on
Laptops.

~~~
zerocrates
I've been pretty happy with Gnome on Wayland but its limitation on scaling to
integers does chafe. 1.5 would be ideal but I muddle through with 2.

------
alpb
This particular message:
[https://forums.developer.apple.com/thread/79235#234143](https://forums.developer.apple.com/thread/79235#234143)

It suggests using "root" with empty password, and hitting Enter twice. So some
people knew about it all along? This is really weird.

------
alpb
[meta] Also this is not a dupe thread, it brings up a different point. Mods,
please do not mark it as dupe.

------
dang
[https://news.ycombinator.com/item?id=15800676](https://news.ycombinator.com/item?id=15800676)
is on the front page and fundamentally the same story, so I guess we need to
treat this one as the dupe.

~~~
miles
Hi dang,

Isn't this also newsworthy though? The vulnerability wasn't just discovered
and posted to Twitter this morning, but rather mentioned nonchalantly on
Apple's own Developer Forums back on November 13!

~~~
JoshTriplett
Exactly. I intentionally posted this separately, because it's particularly
interesting where and how the vulnerability was originally posted. And it
certainly seems to have attracted some discussion.

~~~
dang
Sure it's interesting. It's the same vulnerability, though, and so clearly the
same story by HN's standard. Our test for that tends to be rather coarse-
grained because there are so few slots on the front page.

One indication of dupiness is whether the comments are different across the
two threads. In the present case we've got comments about software quality at
Apple, responsible disclosure, and so on, that are very much the same as the
comments in the other thread. So it's really the original discussion spilling
over.

For cases like this the best thing is to keep the auxiliary story as a link
from the main thread. People will find it that way.

~~~
JoshTriplett
When that happens, is it feasible to merge the discussion threads somehow,
such as somehow turning the post into a comment on the other story and
including the discussion from that post under it?

~~~
dang
Yes, we do that all the time. I'm not sure why we didn't in this case.

------
richardknop
Is this new bug specific only to High Sierra?

I am still on Sierra so I want to make sure Sierra does not contain this
horrific backdoor.

Can anybody confirm?

------
agentPrefect
Updated with no problem at all.

~~~
tesseract
The title on this link is misleading. The link is notable because the posted
solution by chethan177 (a week ago) describes the passwordless root login bug
that gained notoriety after being disclosed on Twitter earlier today.

~~~
colanderman
Two weeks, in fact!

------
jaequery
this has got to be the "butt fumble" of technology.

------
nicolas_t
The original title was much clearer, after changing the title of this
submission, there's no context anymore for people to understand why it's
important.

It's important because it shows that people have known about the root
vulnerability currently discussed on twitter at least 2 weeks ago and were
discussing it on Apple's support forum.

EDIT: Original title was "Apple security vulnerability posted on developer
forums as troubleshooting tip"

~~~
IncRnd
To fix this, just set your root password.

~~~
programmarchy
Apparently other accounts are affected, too e.g. _applepay, _uucp [1]

[1]
[https://twitter.com/unsynchronized/status/935656609140711426](https://twitter.com/unsynchronized/status/935656609140711426)

~~~
thorin1
They are affected but at least they don't have root privileges.

------
soulchild37
Apple is the new Microsoft in 2017

~~~
gcb0
you're ten years late.

apple is the old Microsoft (everyone uses and aren't even aware of
alternatives. standard office equipment. acquires everyone and takes a decade
to market what they bought. embrace extend extinguish.)

Microsoft is the old IBM (very big corporations)

Google is the old apple. (some niche stuff, extremely greedy and evil and
hellbent into lock-in tactics, but with tons of fanboys)

~~~
Myrmornis
Your comment about everyone using Apple is accurate only for certain wealthy
and highly educated subsets of certain western nations.

~~~
alwillis
That’s changing; from the last quarterly report transcript:[1]

_During the quarter we sold 46.7 million iPhones, up 3 percent over last
year. We were very pleased to see double digit iPhone growth in many emerging
markets, including mainland China, the Middle East, Central and Eastern
Europe, India, and Mexico._

They report stuff like this every quarter.

[1]:
[https://www.macrumors.com/2017/11/02/apple-q4-2017-earnings-...](https://www.macrumors.com/2017/11/02/apple-q4-2017-earnings-call-transcript/)

~~~
Myrmornis
Yes, this thread is about laptops though, not phones.

