ProBeat: macOS root vulnerability should be Apple’s wakeup call

What’s worse than having a dead-simple password that anyone can guess? No password. To go with it, let’s add a username that anyone can enter. That’s exactly what happened to Apple this week: Anyone could log in to your Mac with the username “root” and a blank password.

Oh, and as long as you were on the same network, you could even break into Macs remotely — physical access was not required. Surely this was only for Macs that were running some ancient version of OS X, right? Nope, the vulnerability affected the latest version of macOS: High Sierra (10.13.1).

Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can log in as “root” with empty password after clicking on login button several times. Are you aware of it @Apple?

— Lemi Orhan Ergin (@lemiorhan) November 28, 2017

Can you imagine if Windows 10 had such a vulnerability?

To Apple’s credit, the vulnerability went viral on Tuesday and was fixed on Wednesday:

Available for: macOS High Sierra 10.13 and macOS High Sierra 10.13.1
Not impacted: macOS Sierra 10.12.6 and earlier
Impact: An attacker may be able to bypass administrator authentication without supplying the administrator’s password
Description: A logic error existed in the validation of credentials. This was addressed with improved credential validation.
CVE-2017-13872

This fix broke file sharing for some users, but never mind that. This is not the type of fix you spend weeks testing.

Speaking of testing, it’s astounding that such a flaw made it through to production machines in the first place. This is the type of mistake you expect a fledgling startup without a security team to make, not the world’s most valuable company, one that regularly proclaims it takes user privacy and security more seriously than anyone else. That this affected only those Mac users who diligently kept their computers up-to-date only adds insult to injury.

Apple’s approach to security can be summed up in two points. First, the company strongly believes its software is more secure than the competition. No surprise there — most tech firms believe their solution is the best. As always, Apple takes this to a whole other level, but macOS and iOS are competitive in terms of security, so there is no need to change anything here.

Secondly, and this undermines the first point, the company does not have a good relationship with the security community. For example, while most tech companies run multiple robust bug bounty programs, Apple only launched its first one in 2016, made it invite-only, and it is unsurprisingly not going well. Keeping the security community at arm’s length is where everything breaks down.

There is some evidence that Apple is making progress, at least in how it handles security snafus. A few years ago, the company would have fixed this flaw and moved on quietly. In 2017, Apple at least apologizes.

“Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS,” Apple said in a statement. “We greatly regret this error and we apologize to all Mac users.”

Still, this week’s vulnerability is a massive embarrassment. It is the perfect reminder that, despite all the advantages Apple has in terms of product and service security, its security process is still horribly mismanaged. Apple will undoubtedly investigate how this vulnerability got through in the first place, as it should, but the work can’t end there: this root vulnerability was flagged on Apple’s developer forum weeks before it went viral.

Apple needs to put its pride aside and ask for help.
