[dupe] Updated to High Sierra, all Admin accounts now Standard (developer.apple.com)
251 points by JoshTriplett on Nov 29, 2017 | hide | past | favorite | 95 comments

I know stuff happens. Let me get that out of the way.

As someone who had been a Mac user for ~15 years, this is yet another example of news coming from Apple's general direction that makes me feel like Apple has stopped giving much attention to macOS.

Yes. They still work on it. But it feels like it gets table scraps, compared to the attention given iOS, and iOS devices.

It's the thought that runs through my head on learning that this issue had been on a public forum and nothing public from Apple in response.

I ended up switching to Windows 10 for a daily driver. It's been a painful move, the workflow (so far) isn't nearly as smooth.

I'm sad. I used to dismiss others who would opine and say Apple feels like it's on a quality decline. Unfortunately, I'm starting to agree with them.

Success may not be the best teacher, it seems.

> But it feels like it gets table scraps, compared to the attention given iOS, and iOS devices.

This is the iOS on which it was impossible to type the letter "i." iOS may get more attention, but both operating systems seem to have lost the plot on software quality.

Imagine what Steve Jobs would've said in a meeting today at Apple HQ to discuss this incident.

"Can someone here explain to me what the login dialog is supposed to do? ... Ok. Then why doesn't it do that???"

"You've tarnished Apple's reputation ... You should hate each other for having let each other down." (For the unfamiliar, Steve Jobs re: MobileMe.)

Been saying this since the trash icon stopped becoming eject on dragging volumes. Edit to clarify: the text stays 'Trash'.

The lack of care begins with the little things then entropy takes over.

Strange, the trashcan has always turned into the eject icon when dragging volumes for me.

OP refers to the text beside the icon, not the icon itself, which still says "Trash".

Although that was a relatively recent addition to OSX. Mountain Lion perhaps?

Nope, not that early.

A big complaint I hear from people moving from MacOS to Windows is the lack of the Virtual Desktop feature.

Windows 10 actually has this, and it works really well.

this is a very old problem, at least the quality of security and ease of getting root access when you are physically at the machine... they have /never/ done a good job of this. it's not decline, it's just exposure... OS X has never been much of a target for security, because nearly nobody uses it... but having gained in popularity since the rise of iOS and introducing bootcamp etc. it's getting more attention.

"i don't need an anti-virus, i have a mac" was something i used to hear... it's always just been security by obscurity as far as i have seen.

hopefully this will have the opposite effect to what you describe and they might start to take it seriously after being so lucky for years and years...

You switched to Windows because you

> feel like Apple has stopped giving much attention to macOS

despite it being

> a painful move, the workflow (so far) isn't nearly as smooth

I'm curious why you use your choice of OS/hardware to cast a tiny vote on the behavior of a vast corporation, instead of simply choosing the OS/hardware that you prefer. For me, the choice of laptop is too important for me to choose a worse laptop for those reasons.

If you're missing the unix workflow make sure to turn on Bash on Windows or mingw or what have you. Helps a lot with the transition.

Oh, I definitely have WSL enabled, but there are enough quirks with it that it definitely doesn't help.

One huge thing is that stuff you create gets set to 777. In the Windows environment, this is expected. But outside of /mnt/c I would figure that standard Linux perms would be honored. Nope. This has been very inconsistent.

That leads me to conclude that my options are either to figure out all the workarounds to do stuff from Windows natively, or keep a Linux VM handy.

VirtualBox in seamless mode works like a charm for me!

Or, you could just run Linux.

I used to be jealous of people that ran Macs or Windows because they did seem to "just work" better than a Linux machine, though they had inferior packaging systems and security features.

These days, my Dell laptop running Ubuntu 16.04 seems to have fewer problems with audio/video in conference calls than the Macs my coworkers use, and there are vendors like Dell or System76 that'll sell you a pre-configured system if you don't want to fiddle with things.

It's safe to assume I considered this option.

This won't work for a host of reasons.

If it was an option, it'd be my first choice.

I guess this is worth taking into account when discussing "responsible" disclosure. It's such a glaring vulnerability that other people already knew about and shared publicly (although seemingly no-one in that forum thread considered it a security issue).

A lot seem to think there's only one way to responsibly disclose vulnerabilities (e.g. https://news.ycombinator.com/item?id=15800676), but that's really not the case at all if end-user security is the priority. It's very likely that quite a few already used this maliciously as well, and the more responsible thing to do in that case probably was to announce it (along with a temporary mitigation) to as many people as possible.

Btw credit to https://twitter.com/fristle/status/935670476214378496 for finding this!

Coordinated Disclosure notes are here: https://github.com/joelparkerhenderson/coordinated_disclosur...

(Note: Coordinated Disclosure is the newer term for what had been called Responsible Disclosure)

Uhh.... are you sure you're commenting on the right story?

Pretty sure they are. What other post could they be commenting on?

The other one where somebody posted this on Twitter. This one:

No I linked to that story in my comment :) I suspect grandparent missed the context because the title of this story was changed from "Apple security vulnerability posted on developer forums as troubleshooting tip" to "Updated to High Sierra, all Admin accounts now Standard".

I've updated my comment to include a link to the source for context.

You're 100% correct, that's why I didn't get the context. The title had already changed.

Wellll, it sure is a good thing that users can just login as root now in order to fix this!

The user should've properly disclosed his troubleshooting tips with Apple first.

EDIT: /s

Apple needs to fix their bounty program first.

The blame goes to Apple, no one else.

Stop shooting messengers. What kind of society do we live in where people disclosing wrongdoings and crimes are the ones going to jail while the others get away with it?

The post doesn't read like the user thought the tips constituted any type of security issue. They might have thought it was expected, but not well known, behavior.

Yeah, as another person pointed out in this thread, this post really puts a kink in the whole "proper security channels" argument.

The macOS vulnerability was apparently a known thing, POSTED VISIBLY on Apple's own forums, and it reads as if the user got this "helpful tip" from somewhere else.

This is pretty nuts.

It's really frightening knowing that this was probably well known to other players for months.

High Sierra went gold on September 25. Beta 1 came out in June, I think.

What if the user has no idea that this is a bug and it was not a feature? In the other thread tons of fanboys attacked the guy that shared this on twitter, turns out now that the issue was already known so at least now people that administrate Mac machines can take action and apply the workarounds.

Read the whole thread…

(The title was changed and now the context is confusing.)

Oh I did.

In fact I did not until I saw your comment and read the thread hoping someone posted the same joke in the thread itself. The realization was painful.

"Note: This solution might be specific to High Sierra"

"Solution 2 worked for me. No idea how or why. Hope this helps."

User seems to have known about it at least 2 weeks ago. Wonder if they realized that it's a glaring security issue. It's hard to tell from the comment if this something they found themselves or saw or heard about it from someone else.

It would be interesting to search other forums, maybe in different languages, to see how long this has been known.

One would imagine that 'root' would be a ubiquitous search term, regardless of the language in question.

I swear to god Apple’s software quality has been going to hell in a hand basket in recent years. I think they really need someone like Forstall back.

Indeed. Someone needs to cry their way to the unemployment line for this.

This needs to be more visible. The linked Tweet:

"macos 10.13 bug isn't limited to root in all circumstances; via ARD, you can log in as any existing user (e.g. _applepay) and share the screen of the logged-in user. also _uucp is allowed to log in"

So even the current workaround of changing/creating the root password is not enough.

Hint for those looking: It's towards the bottom 3/4ths of the page

Ctrl+F: "Note: This solution might be specific to High Sierra"

Interestingly that post, with its two solutions and the note that "Solution 2 worked for me", gives an impression of being pasted from some other documentation or a conversation with a support technician. That just raises more questions!

I've been an Apple fan for a long time, but the recent issues with their software are a great concern for me. I can't imagine why the problems exist given Apple's resources. I can only assume that they are using all their massive resources to make something so new and revolutionary that they don't have much left over to devote to things like the Mac.

But that's probably not what's going on, so I'm at a loss. And really disappointed.

Apple, get your act together. We miss you.

Tip: If it says "we're having trouble processing your login", that's due to a bug in Apple's SSO; refresh your expired developer.apple.com login cookie at that site directly and then try again.

(If you're reading this and you work for Apple, it's been a problem for several years, and it'd be truly swell if it showed a login page instead of an error page.)

https://forums.developer.apple.com/thread/79235#277225 points to the disclosure posting.

Good thing most minor Mac OS updates break critical stuff, as most people I know have held off updating so far..

Known issues at work include a lot of programs no longer working, no longer being able to change your password on the domain so when it expires you are screwed, etc. And things like this happen all the time.

Holding off on updating is a great strategy but for how long will we have the choice? Forced updates are slowly creeping into MacOS after MS has led the way with Windows.

I have no idea how a blank password wouldn't be a standard test case for apple...

The trick here is you seem to need to run that test twice to catch the error. As I read things - the first time you try to log in as root with an empty password, it creates the root account (but doesn't log you in) - the _second_ time you win.

The question (and the bug) seems to be why it is creating this account in the first place.

Oh sure. But there's a very plausible explanation why "the obvious test" might not have caught this bug...

If your testers only test the obvious things you're screwed.

You can't ensure correctness by testing. You can only hope to find some of the bugs.

This one in particular doesn't strike me as something that the testers should've caught. It's something that the development process shouldn't have allowed to happen, in the first place.
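A toy model of the testing point made in the comments above (the bug hides from a single blank-password check because the first failed attempt changes account state, and setting a root password is a workaround rather than a fix). This is an added example, not code from the thread or from Apple; the account store, class names, and the hash stand-in are constructed for illustration, and the "upgrade during authentication" mechanism is an assumption taken from the commenter's reading.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Account:
    name: str
    password_hash: Optional[str]  # None = no password has ever been set
    enabled: bool = True


def _hash(password: str) -> str:
    # Stand-in for a real password hash; enough for the model.
    return "h:" + password


class BuggyLoginWindow:
    """Models the behaviour the comment describes (an assumption, not Apple's
    code): a failed attempt against the disabled root account silently
    enables it with the attempted password, so the next try succeeds."""

    def __init__(self, root_password: Optional[str] = None) -> None:
        # Constructed sample account store. root starts disabled with no
        # password unless a root password is set (the thread's workaround).
        self.users: Dict[str, Account] = {
            "root": Account("root", None, enabled=False),
            "alice": Account("alice", _hash("correct horse")),
        }
        if root_password is not None:
            self.users["root"] = Account("root", _hash(root_password))

    def authenticate(self, name: str, password: str) -> bool:
        acct = self.users.get(name)
        if acct is None:
            return False
        if not acct.enabled:
            # The defect: an "upgrade" step runs inside authentication and
            # persists whatever password was typed. The first attempt still
            # reports failure, which is why a one-shot test passes.
            acct.password_hash = _hash(password)
            acct.enabled = True
            return False
        return acct.password_hash == _hash(password)


class FixedLoginWindow(BuggyLoginWindow):
    """Authentication never mutates account state; disabled accounts and
    blank passwords are rejected outright."""

    def authenticate(self, name: str, password: str) -> bool:
        acct = self.users.get(name)
        if acct is None or not acct.enabled or acct.password_hash is None:
            return False
        if password == "":
            return False
        return acct.password_hash == _hash(password)


def empty_password_ever_succeeds(make_window: Callable[[], BuggyLoginWindow],
                                 name: str = "root", attempts: int = 3) -> bool:
    """QA check: retry the blank-password case against a fresh login window,
    because a single attempt cannot see a state-changing failure."""
    window = make_window()
    return any(window.authenticate(name, "") for _ in range(attempts))
```

A one-attempt check against the buggy model reports "safe" while a two-attempt check catches it; the fixed model fails every attempt, and so does the buggy one once a root password is set.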

In my time as CTO in different companies, this would be something testers would have tested, perhaps not at the first release but over time.

Especially if QA does exploratory testing[1] instead of defined test cases (which should be automated away anyway).

[1] https://en.wikipedia.org/wiki/Exploratory_testing

Yes. Testers usually just test for regressions. Bugs once fixed should not reappear again. The rest is pure luck.

The standard password dialog certainly needs to be tested with repeated password entry as it will display the account password 'hint' at (I think) the 3rd unsuccessful try.

There is /no excuse/ for this unbelievable security hole. Total fail on Apple's part.

glad to see the suggested fix before the exploit is to use the standard google result from "how to hack a mac" and is by design.

OS X has never been secure in my experience other than through obscurity and lack of physical presence. it is the only OS that i have always been able to steal root from by googling how...

hopefully this will encourage people to take this a bit more seriously, and maybe apple to raise the bar to where linux or windows have it, where i can't 'just' google something dumb and break in with physical access and have to make a more serious effort.

This is insane. Certainly not the quality of software we expect from Apple after paying big dollars. I'd love to spend a week/month or however long it takes to build a Linux equivalent of MacOS that just works and guard it like a golden eagle, but unfortunately, the lack of display scaling to non-integer multipliers, and sane power efficiency still keeps it a pipe dream for use on Laptops.

I've been pretty happy with Gnome on Wayland but its limitation on scaling to integers does chafe. 1.5 would be ideal but I muddle through with 2.

This particular message: https://forums.developer.apple.com/thread/79235#234143

It suggests using "root" with empty password, and hitting Enter twice. So some people knew about it all along? This is really weird.

[meta] Also this is not a dupe thread, it brings up a different point. Mods, please do not mark it as dupe.

https://news.ycombinator.com/item?id=15800676 is on the front page and fundamentally the same story, so I guess we need to treat this one as the dupe.

I am glad to have found this story, as it is newsworthy in its own right. The story you linked does not mention how early it was disclosed. I think marking it as a dupe is the wrong decision. (Same goes for changing the title.)

Hi dang,

Isn't this also newsworthy though? The vulnerability wasn't just discovered and posted to Twitter this morning, but rather mentioned nonchalantly on Apple's own Developer Forums back on November 13!

Exactly. I intentionally posted this separately, because it's particularly interesting where and how the vulnerability was originally posted. And it certainly seems to have attracted some discussion.

Sure it's interesting. It's the same vulnerability, though, and so clearly the same story by HN's standard. Our test for that tends to be rather coarse-grained because there are so few slots on the front page.

One indication of dupiness is whether the comments are different across the two threads. In the present case we've got comments about software quality at Apple, responsible disclosure, and so on, that are very much the same as the comments in the other thread. So it's really the original discussion spilling over.

For cases like this the best thing is to keep the auxiliary story as a link from the main thread. People will find it that way.

When that happens, is it feasible to merge the discussion threads somehow, such as somehow turning the post into a comment on the other story and including the discussion from that post under it?

Yes, we do that all the time. I'm not sure why we didn't in this case.

This item is very much not a dupe imho.

It points to the original, as far as we know, disclosure of the problem and a relevant discussion.

Is this new bug specific to High Sierra only?

I am still on Sierra so I want to make sure Sierra does not contain this horrific backdoor.

Can anybody confirm?

Updated with no problem at all.

The title on this link is misleading. The link is notable because the posted solution by chethan177 (a week ago) describes the passwordless root login bug that gained notoriety after being disclosed on Twitter earlier today.

Two weeks, in fact!

this has got to be the "butt fumble" of technology.

The original title was much clearer; after changing the title of this submission, there's no context anymore for people to understand why it's important.

It's important because it shows that people have known about the root vulnerability currently discussed on twitter at least 2 weeks ago and were discussing it on Apple's support forum.

EDIT: Original title was "Apple security vulnerability posted on developer forums as troubleshooting tip"

What was the original title?

"Apple security vulnerability posted on developer forums as troubleshooting tip"

To be fair, "originally disclosed" would get the point across more readily than "posted".

To fix this, just set your root password.

Apparently other accounts are affected, too e.g. _applepay, _uucp [1]

[1] https://twitter.com/unsynchronized/status/935656609140711426

They are affected but at least they don't have root privileges.

That is no fix. That is a workaround.

If you’re going to be pedantic, you need to define the audience. There are many people who read this page. This is a fix for the issue from a usability standpoint, but it is a workaround for the vulnerability from a software standpoint.

HN mods: Principled obfuscation and relevance reduction as a service.

Apple is the new Microsoft in 2017

you're ten years late.

apple is the old Microsoft (everyone uses it and isn't even aware of alternatives. standard office equipment. acquires everyone and takes a decade to market what they bought. embrace extend extinguish.)

Microsoft is the old IBM (very big corporations)

Google is the old apple. (some niche stuff, extremely greedy and evil and hellbent on lock-in tactics, but with tons of fanboys)

This is completely inaccurate, and such a Bay Area/HN bubble view.

Apple's most popular devices, phones and tablets, are dwarfed by Android. Their laptops and desktops might have a 5% market share.

Even among the much smaller developer community the majority of development doesn't occur on Mac.

> Apple's most popular devices, phones and tablets, are dwarfed by Android.

You’re making the classic mistake regarding Apple: marketshare. It’s mostly a vanity metric to avoid looking at other, more relevant issues.

In 2016, the iPhone captured 79 percent of global smartphone profits—$44.9 of $53.7 billion.[1]

And that’s with only 14.5 percent of the global marketshare, although they do have 35 percent of the U.S. market[2]

Since 2007, Apple has sold over 1.2 billion iPhones singlehandedly; it has to be the single best selling electronic device ever.

Once you get past Samsung, there’s a bunch of companies selling Android phones who are around breakeven at best.

> Their laptops and desktops might have a 5% market share. Even among the much smaller developer community the majority of development doesn't occur on Mac.

According to statcounter, the Mac’s U.S. marketshare is 11%.[3]

If you were to track the market for desktops and laptops that aren't encased in plastic and don't ship with crapware and malware, the Mac's marketshare is much higher. ;-)

Anecdotally, I can tell you as someone who’s fairly active in the tech scene in the Cambridge/Boston area, Macs are everywhere, especially at startups: foosball table, craft beer, MacBook Pros.

Back in the day, MIT’s Sloan School of Business did not support Macs. (I worked at MIT for 14 years until 2007). Back then, they had deals with Dell and for ThinkPads. Fast forward to the present day: the most common MBA these days at Sloan is the MacBook Air.

Even after all of these years, the Mac just had its best quarter ever—a little over $25 billion in revenue.[4]

And apparently the Apple Watch is the best selling watch of any kind—in the world.

Meanwhile, every company that was supposed to be the Apple killer—Nokia, Motorola, Dell, Microsoft, Blackberry (née RIM), etc.—is either gone or just a shadow of its former self. Remember when Steve Ballmer laughed when asked about the iPhone in 2007?

[1]: https://www.macrumors.com/2017/03/07/apple-global-smartphone...

[2]: https://techcrunch.com/2017/10/13/ios-and-samsung-market-sha...

[3]: http://gs.statcounter.com/os-market-share/all/united-states-...

[4]: http://files.shareholder.com/downloads/AAPL/5378826958x0x962...

The context is popularity and usage: that is, the "vanity metric" of market share. The contention was that "Apple is the old Microsoft" in the sense that it's everywhere and people struggle to name a competitor. The assertion was egregiously wrong, whether their market share is 5% or 11%, anecdotes or no. Plenty of people (the vast majority) not only can name a competitor to Apple's offerings but actually use one!

Your comment about everyone using Apple is accurate only for certain wealthy and highly educated subsets of certain western nations.

This same subset is where Microsoft made its bread and butter for two decades, and still continues to earn a pretty penny.

That’s changing; from the last quarterly report transcript:[1]

> During the quarter we sold 46.7 million iPhones, up 3 percent over last year. We were very pleased to see double digit iPhone growth in many emerging markets, including mainland China, the Middle East, Central and Eastern Europe, India, and Mexico.

They report stuff like this every quarter.

[1]: https://www.macrumors.com/2017/11/02/apple-q4-2017-earnings-...

Yes, this thread is about laptops though, not phones.

Apple is the same faceless corporation as any other.
