
Breaking News
posted by martyb on Thursday November 30 2017, @07:56AM
from the Security?-We-don't-need-no-steenkin-security! dept.

You can log in as root on the latest version of MacOS by pressing enter on the login prompt a few times. Just type in root as the user and press enter. There you go, no password required.

Not sure what else to say; is this the stupidest massive security hole ever?

From Extreme Tech:

Reproing the bug is simple (at least until Apple fixes it): Type the login "root," then move the cursor into the password field and hit enter several times. It also apparently works if you simply hit the "login" button several times rather than using the keyboard, though a few tries may be necessary.

This was also reported at Ars Technica. Beware that the behavior seems to be that if you do not already have a root account with a (preferably strong) password, this bug essentially creates a root account with an empty password. Attempting this on your own system should be followed up by ensuring that any root account has a strong password.

There is a patch that has just been made available; again according to Ars Technica:

Yesterday we learned that Apple had made a serious security error in macOS—a bug that, under certain conditions, allowed anyone to log in as a system administrator on a Mac running High Sierra by simply typing in "root" as the username and leaving the password field blank. Apple says that vulnerability has now been fixed with a security update that became available for download this morning on the Mac App Store. Further, the update will automatically be applied to Macs running High Sierra 10.13.1 later today.

Apple's brief notes for this security update (Security Update 2017-001) explain the bug by saying, "A logic error existed in the validation of credentials," and claims the problem has been addressed "with improved credential validation."
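A quick defender-side check for the "did this leave me with an enabled root account?" question raised above. This is an added example, not code from the story, Apple or Ars Technica; it classifies the output of `dscl . -read /Users/root AuthenticationAuthority` and the record formats it matches on (`No such key`, `;DisabledUser;`, `;ShadowHash;`) are assumptions to verify on your own Mac.

```shell
#!/bin/sh
# Added example: report whether the macOS root account is enabled, so that a
# strong password can be set (or root disabled again) after the High Sierra
# empty-password bug. Assumed dscl record shapes (check on your own system):
#   "No such key: AuthenticationAuthority"                 -> root never enabled
#   "AuthenticationAuthority: ;DisabledUser;;ShadowHash;…"  -> root disabled
#   "AuthenticationAuthority: ;ShadowHash;HASHLIST:<…>"     -> root enabled
classify_root_record() {
    # $1: the text dscl printed for the root user's AuthenticationAuthority.
    case "$1" in
        *"No such key"*)    echo "not-enabled" ;;
        *";DisabledUser;"*) echo "disabled" ;;
        *";ShadowHash;"*)   echo "enabled" ;;
        *)                  echo "unknown" ;;
    esac
}

check_root_on_this_mac() {
    # dscl only exists on macOS; elsewhere just say so and return cleanly.
    if ! command -v dscl >/dev/null 2>&1; then
        echo "dscl not found: run this on a Mac" >&2
        return 0
    fi
    record=$(dscl . -read /Users/root AuthenticationAuthority 2>&1)
    state=$(classify_root_record "$record")
    echo "root account: $state"
    case "$state" in
        enabled)
            # The record cannot tell a strong password from an empty one,
            # so the only safe follow-up is to set one (or disable root).
            echo "root is enabled: set a strong password, or disable root with 'sudo dsenableroot -d'" ;;
        unknown)
            echo "unrecognised record, inspect it by hand:"; echo "$record" ;;
    esac
}

check_root_on_this_mac
```

Applying Security Update 2017-001 is the actual fix; this script only tells you whether a root account is sitting there waiting for a password.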


  • (Score: 3, Interesting) by JoeMerchant on Thursday November 30 2017, @01:04PM (4 children)

    by JoeMerchant (3937) on Thursday November 30 2017, @01:04PM (#603411)

    Thanks for the heads-up... have considered dd-wrt many times over the years but never taken the plunge.

    I did discover (a few days ago, after years of installation) that my Linksys router conspired with my PoE camera to have uPnP enabled by default, advertising my camera to the open internet without my knowledge. Figured it out when I found random accesses to the camera from all over the web in my logs - couldn't get them to stop with service blocking on the camera's IP which really concerned me - but then I finally found the uPnP page and the camera was the only thing on it - disabled that and the accesses have stopped.

    --
    🌻🌻 [google.com]
  • (Score: 2) by JoeMerchant on Thursday November 30 2017, @01:10PM

    by JoeMerchant (3937) on Thursday November 30 2017, @01:10PM (#603412)

    Sorry - not Linksys - NETGEAR WNR3500L
    RangeMax Wireless-N Gigabit Router with USB

    wouldn't be shocked if Linksys does it too... for "feature" parity.

    --
    🌻🌻 [google.com]
  • (Score: 3, Insightful) by Knowledge Troll on Thursday November 30 2017, @02:23PM (2 children)

    by Knowledge Troll (5948) on Thursday November 30 2017, @02:23PM (#603427) Homepage Journal

    Your camera used UPnP to open up a port forward on the router all on its own? Holy shit what a nightmare.

    • (Score: 2, Touché) by Anonymous Coward on Thursday November 30 2017, @03:30PM

      by Anonymous Coward on Thursday November 30 2017, @03:30PM (#603462)

      You can't expect people to deal with technical mumbo-jumbo when they bought a shiny new camera to spy on their pets and kids when they are at work.

    • (Score: 1, Interesting) by Anonymous Coward on Thursday November 30 2017, @05:49PM

      by Anonymous Coward on Thursday November 30 2017, @05:49PM (#603543)

      Yep, and UPnP is the default state for most consumer routers. My parents followed the suggestion they saw online of using a three router setup. They called me when their internet stopped working and "tech support" called and said they wouldn't be reconnected until they fixed something or had one of their techs fix it. My parents balked as they thought it was a scam, but the internet didn't work anymore. Turns out they had an Internet of Insecure Things PoS that used UPnP to punch holes through both routers it was connected to, exposing itself to the Internet on multiple ports. Thankfully, the ISP caught it while scanning their own network, and the open ports (http, https, SAMBA, FTP, and something else I'm forgetting) would have been filtered by their firewall, so no risk of infection.