High Sierra root login bug was known weeks ago, if not longer. What should have happened?

John Gruber, in this Daring Fireball post:

It’s natural to speculate how a bug as egregious as the now-fixed High Sierra root login bug could escape notice for so long. It seems to have been there ever since High Sierra 10.3.0 shipped on September 25, and may have existed in the betas through the summer.


More insidious though, is the notion that it might not have escaped notice prior to its widespread publicization yesterday — but that the people who had heretofore discovered it kept it to themselves.

Here’s a link to a thread in Apple’s Developer Forums. Scroll down to the post dated November 13th. From that post:

If you’re unable to login at startup using username: root and empty password, then login with your existing account (standard user).

Again, head over to System Preferences>Users & Groups. Click on the Lock Icon. When prompted for username and password, type username: root and leave the password empty. Press enter. This might throw an error, but try again immediately with the same username: root and empty password. This should unlock the Lock Icon.

There it is, in all its glory. This was a known issue a full two weeks ago. And well enough known that someone pulled it out as a recommendation for someone else. In other words, this was not discovered two weeks ago, it was already old hat. It’s possible this was discovered back in September, when High Sierra first shipped.

I get how a bug can sit there, undiscovered, for a long time. But (and this is my two cents) once it’s known, find a way to quietly and privately communicate this to Apple. There are many ways to do that. Filing a radar is the obvious first path, but what do you do if that does not get the attention of the right people?

Going to Twitter might seem the exact wrong approach, but I think that’s actually a pretty effective path, provided you do so without revealing any of the details in public. I’ve found that a tweet to @AppleSupport always yields a response. Start by saying you’ve got a significant security bug, but one whose details you don’t want to reveal in a public forum. I’ve no doubt the @AppleSupport mechanism will quickly offer you a path to start a private DM chat.

That’s my take. File a radar, then follow with an @AppleSupport tweet, but keep the details private. Give Apple a chance to fix this before word gets out. This isn’t about Apple’s reputation, this is about minimizing the misuse of a security breach.

UPDATE: Or, as Kirk McElhearn points out, check out the official Contact Apple About Security Issues support page.