Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple?
-
-
-
Pretty sure
@Apple announced the OneClick BlankRoot feature during their macOS High Sierra reveal. Here is the clip from the WWDC 2017 Keynote:
pic.twitter.com/y2WSoXI6Hw -
Here, I found the sound that goes with that clip.pic.twitter.com/qSM766J0h6
-
Ah, nice! I accidentally dropped audio when transcoding. Thx
- 1 more reply
New conversation -
-
-
Why do you tweet about this, like you called it, huge security issue instead of contacting apple via mail in first place ? With this tweet you made this issue even bigger. Not very responsible.
-
It's not his job to be responsible for these issues. I understand where you and many others are coming from, but it was on Apple to get this right. Honestly, Apple deserves to be blasted for being so careless. Let the people know.
-
Responsibility comes with finding this kind of flaws … Sure it’s apple job to prevent and fix those issues, but there are many people out there who depend on a „safe“ OS or work in security related jobs … And this is not helpful.
-
Can you say with certainty that nobody was aware of the issue before this? Attempting to login as root twice is all it takes. Because of this tweet people are becoming aware of the issue and workarounds to make their system ACTUALLY secure. Being ignorant of the it isn't secure.
-
Responsible disclosure is about protecting people. With it, you might have a handful that know of a vuln, and a patch before it becomes public. Without it, you rely on everyone getting the news fast enough to implement defenses before the script kiddies get you.
-
Great explanation, thanks :)
- 1 more reply
New conversation -
-
-
I fully support
@Apple suing you for this. Learn how to disclose security bugs before you call yourself a "Software Craftsman". -
Apple is going to sue someone for their own software flaws? That's rich. Exposing it publicly lights a fire under Apple, forcing them to prioritize a fix. Private disclosure lets them drag their feet.
-
No, there are ethical disclosure systems. This puts millions of computers at risk. You don't expose zero days like this. Apple will probably not sue them, but I would be fully supportive of it if they do so.
-
Apple can’t sue him for tweeting them about *their* mistake. He hasn’t put anyone at risk, Apple did. They need to fix it, but they also need to test better.
-
"Hey, the government made a mistake and this is how you easily print paper currency that looks exactly like original. "
-
This isn’t currency printing, this is “Mac users, set a root password because Apple QA dropped the ball and anyone can log on to your machine as root”
-
The logic stays. Exploiting other people's errors is sometimes punishable.
-
There was no logic to refute. He hasn’t exploited anything - he’s publicly warned people how NOT to be exploited.
- 13 more replies
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.