When software developer Lemi Orhan Ergin alerted Apple to the fact that he and his team had discovered a massive security flaw that allowed anyone to gain root access to a Mac running macOS High Sierra earlier this week, Apple was quick to respond. Within 24 hours, the company had released a security update that fixed the issue.
Now that the dust has settled and the automatic update is rolling out, some Mac owners are questioning how the bug came to be in the first place, and how long it was active before Apple found out about it and addressed it. Thanks to a post on Medium from Ergin, we appear to have the answer to at least one of those questions.
“A week ago the infrastructure staff at the company I work for stumbled on the issue while trying to help one of my colleagues recover access to his local admin account,” Ergin explains. “The staff noticed the issue and used the flaw to recover my colleague’s account. On Nov 23, the staff members informed Apple about it. They also searched online and saw the issue mentioned in a few places already, even in Apple Developer Forum from Nov 13. It seemed like the issue had been revealed, but Apple had not noticed yet.”
The Apple Developer Forum thread that Ergin mentions in his post is fascinating in its own right. The thread actually started on June 8th, when a user who updated to the WWDC beta of macOS High Sierra was trying to figure out why their admin account turned into a standard account. A few users shared potential solutions, while others chimed in to note that they were experiencing the same or similar problems after updating to High Sierra.
But then, on November 13th, a user by the name of “chethan177” revived the thread with a detailed explanation of a solution that appears to mirror the root login bug, suggesting that the bug had been around for at least two weeks by the time Ergin decided to tweet at Apple to inform the company of the issue.
Once the bug became public knowledge and every tech blog on the internet began covering it, chethan177 returned to the thread to explain why he had decided to post in the thread and how he discovered the bug in the first place:
Didn’t realise this was a full blown security issue. I’d messed my login credentials trying to change my apple id and voila I was no longer an admin.
Then began my extensive search on all Apple related forums for a solution. Tried everything, didn’t work.
As to how I stumbled on this, the answer is simple. Pure frustration. I’d read on one of the forums wherein a user suggested we try using “root” for username and leaving the password field empty. I did, it failed. Out of sheer frustration, I tried again, and voila the **** thing unlocked my admin account much to my relief.
Then I posted it here assuming someone stuck just like me might find it useful. It was purely accidental.
Unfortunately, user chethan177 was unable to find the source of the suggestion to try “root” as the username without entering a password, even after searching back through his browsing history, so we might never know where it came from. Regardless, the fact that this vulnerability had been circulating publicly for at least two weeks is fairly troubling.
We’ve reached out to Apple regarding the forum thread, but have yet to receive a response.