Lemi Orhan Ergin
Dear , we noticed a *HUGE* security issue in macOS High Sierra. Anyone can log in as "root" with an empty password after clicking on the login button several times. Are you aware of it?
Lemi Orhan Ergin 28 Nov 17
Replying to @AppleSupport @Apple
You can access it via System Preferences > Users & Groups > Click the lock to make changes. Then use "root" with no password. And try it several times. The result is unbelievable!
Michael Linde 28 Nov 17
Um, not on High Sierra machines at my work - are you sure that isn’t someone’s management setup (as bad as that is)?
The Register 28 Nov 17
Replying to @mlinde @lemiorhan and 3 others
It works for us. This is not gr8.
Stefan Pynappels 28 Nov 17
Confirmed on version 10.13.1 on 15 inch MacBook Pro Retina. "It just works!" takes on a whole new meaning
patrick wardle 28 Nov 17
🤣🍎👾💀☠️
Nick Carr 28 Nov 17
Pretty sure announced the OneClick BlankRoot feature during their macOS High Sierra reveal. Here is the clip from the WWDC 2017 Keynote: 🤣
Seth Goggans 28 Nov 17
Here, I found the sound that goes with that clip.
Nick Carr 28 Nov 17
Ah, nice! I accidentally dropped audio when transcoding. Thx
Amir Omidi 28 Nov 17
I fully support suing you for this. Learn how to disclose security bugs before you call yourself a "Software Craftsman".
coolpup 💾 28 Nov 17
Apple is going to sue someone for their own software flaws? That's rich. Exposing it publicly lights a fire under Apple, forcing them to prioritize a fix. Private disclosure lets them drag their feet.
Amir Omidi 28 Nov 17
No, there are ethical disclosure systems. This puts millions of computers at risk. You don't expose zero days like this. Apple will probably not sue them, but I would be fully supportive of it if they do so.
Kevin Evans 28 Nov 17
Apple can’t sue him for tweeting them about *their* mistake. He hasn’t put anyone at risk, Apple did. They need to fix it, but they also need to test better.
Martenson 28 Nov 17
"Hey, the government made a mistake and this is how you easily print paper currency that looks exactly like the original."
Kevin Evans 28 Nov 17
This isn’t currency printing, this is “Mac users, set a root password because Apple QA dropped the ball and anyone can log on to your machine as root”
Martenson 28 Nov 17
The logic stays. Exploiting other people's errors is sometimes punishable.
Kevin Evans 28 Nov 17
There was no logic to refute. He hasn’t exploited anything - he’s publicly warned people how NOT to be exploited.
Zac Hall 28 Nov 17
Replying to @EdHans @lemiorhan and 2 others
yep, unfortunate, setting a root user password is a workaround, we’re posting a guide shortly
Zac Hall 28 Nov 17
Replying to @EdHans @lemiorhan and 2 others
here’s our solution: