A new bug on MacOS allowed any user to log in as the full-privilege admin user “root” just by entering root as login and pressing enter.
Image: John Bumstead
UPDATE, Wednesday Nov. 29, 11:58 a.m. ET: On Wednesday morning, Apple issued a patch for the bug. The company also released a statement:
"Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS.
When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.
We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.
Asked to clarify whether anyone at Apple was aware of the issue before Tuesday, a spokesperson said that "our security engineers became aware of this just yesterday afternoon."
The original story follows below:
Software has bugs. That will always be true. But some bugs can be worse than others. Some can be incredibly dumb.
A new bug in Apple’s operating system MacOS allowed anyone to become an admin by entering “root” as login and then pressing enter.
Yes, you read that right.
This means that if you were a user without full privileges on a computer, you could become one just by taking advantage of this bug. That is not how authentication is supposed to work, in case you’re wondering.
“This is so dumb,” Jay Little, a security researcher at security firm Trail of Bits, told me via chat. “This behavior is new so it happened because of a change, and this regression shows the change wasn’t well tested, if tested at all. The implications are that restricted accounts for kids or students [or enterprise users] won’t actually be restricted and be able to make system wide changes.”
“This is so dumb.”
Several information security professionals confirmed to Motherboard that they could reproduce the bug on MacOS 10.13, the latest version of the operating system. The researchers said that the bug worked both in the system preferences as well as in the lock screen.
Apple did not immediately respond to a request for comment.
This bug allowed any user logged into MacOS to authenticate as root without entering an admin password. And if the Mac has more than one user, this attack worked even if the computer was locked. It would not work from a cleanly booted Mac if the hard drive was encrypted with Apple’s full disk encryption FileVault, Little explained.
According to Mac security researcher Pedro Vilaca, the bug allowed someone to change other users’ passwords since the bug unlocked the system keychain.
Lemi Orhan Ergin, the developer who first tweeted about the bug, told me via Twitter direct message that one of his colleagues told him about the vulnerability. “They tried the same thing at my machine and worked. It scared us a lot. They assigned passwords to all macs in my company to fix that hole today.”
It didn't look like you could take advantage of this bug remotely, according to another researcher who was testing the bug. But if you’re worried about someone walking to your unlocked laptop (never leave it unlocked, by the way) and messing around, you should set a root password.
Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at email@example.com, or email firstname.lastname@example.org
Get six of our favorite Motherboard stories every day by signing up for our newsletter.