High Sierra root login bug was known weeks ago, if not longer. What should have happened?

John Gruber, in this Daring Fireball post:

It’s natural to speculate how a bug as egregious as the now-fixed High Sierra root login bug could escape notice for so long. It seems to have been there ever since High Sierra 10.3.0 shipped on September 25, and may have existed in the betas through the summer.

And:

More insidious though, is the notion that it might not have escaped notice prior to its widespread publicization yesterday — but that the people who had heretofore discovered it kept it to themselves.

Here’s a link to a thread in Apple’s Developer Forums. Scroll down to the post dated November 13th. From that post:

If you’re unable to log in at startup using username: root and empty password, then log in with your existing account (standard user).

Again, head over to System Preferences>Users & Groups. Click on the Lock Icon. When prompted for username and password, type username: root and leave the password empty. Press enter. This might throw an error, but try again immediately with the same username: root and empty password. This should unlock the Lock Icon.

There it is, in all its glory. This was a known issue a full two weeks ago. And well enough known that someone pulled it out as a recommendation for someone else. In other words, this was not discovered two weeks ago, it was already old hat. It’s possible this was discovered back in September, when High Sierra first shipped.

I get how a bug can sit there, undiscovered, for a long time. But (and this is my two cents) once it’s known, find a way to quietly and privately communicate this to Apple. There are many ways to do that. Filing a radar is the obvious first path, but what do you do if that does not get the attention of the right people?

Going to Twitter might seem the exact wrong approach, but I think that’s actually a pretty effective path, provided you do so without revealing any of the details in public. I’ve found that a tweet to @AppleSupport always yields a response. Start by saying you’ve got a significant security bug, but one whose details you don’t want to reveal in a public forum. I’ve no doubt the @AppleSupport mechanism will quickly offer you a path to start a private DM chat.

That’s my take. File a radar, then follow with an @AppleSupport tweet, but keep the details private. Give Apple a chance to fix this before word gets out. This isn’t about Apple’s reputation, this is about minimizing the misuse of a security breach.

UPDATE: Or, as Kirk McElhearn points out, check out the official Contact Apple About Security Issues support page.

  • Robert M Brown

    They did inform Apple privately, several days before. It took public disclosure to get Apple to act.

    https://medium.com/@lemiorhan/the-story-behind-anyone-can-login-as-root-tweet-33731b5ded71

    • Oooh, days.

      What is the protocol to wait for a company to release a security patch, anyway? Days? A week or two? Months? Who gets to determine that? The company or the security professional/hacker?

      It’s just as likely to me that Apple was informed days before, they immediately began working on a fix or even had been prior to the announcement, the security “professional” jumped the gun and tweeted to the world, and Apple released the patch mere hours after the tweet.

      In my eyes, that security professional is an impatient ass.

      • Robert M Brown

        One day after the public found out about it, in this case.

        Apple was informed AT LEAST days before. We don’t know if other reports had been filed.

        To answer your question, though, the customers decide. You know, the people actually made vulnerable.

        • rick gregory

          And when you rush out fixes, you make mistakes (see the file sharing issue).

          The public isn’t competent to decide this. There are norms and practices in the security community and bleating about an exploit like a spoiled brat because a bug isn’t fixed as fast as you think it should be isn’t one of them.

          Note – you also don’t file a standard bug report or post on a forum. All of the larger companies and most smaller ones have special security contacts. Report them there.

        • “AT LEAST days before.” Uh, Radar number or it didn’t happen.

    • rick gregory

      He’s covering his ass there because he screwed up by not practicing responsible disclosure. Yay, he got his 15.

      • The funny thing is by screwing up reporting it he missed out on his official credit. History will forget the unofficial 15.

  • I have to say, if I were reporting a security bug I wouldn’t trust product-security@apple.com either. I’d DEFINITELY file a radar, MAYBE email product-security@apple.com, and DEFINITELY find an Apple engineer on Twitter and send them a “Hey, can you please look at this radar and make sure it hasn’t been ignored, because security?”

    Trick is to get someone with a good thinker to look at it and make sure it gets whatever internal flags it needs.