Users warned Apple about a serious security issue in macOS High Sierra

Jayce Wagner, Dec 3, 2017

A bug bounty wouldn’t have helped Apple spot the macOS root flaw, but Apple should consider a bug bounty or better vulnerability reporting anyway. Earlier this week, Turkish developer Lemi Orhan Ergin tweeted about a serious flaw in macOS High Sierra that let anyone access your computer by logging in as root with no password. Apple issued a patch the next day.

Responsible disclosure advocates immediately piled on Ergin, calling his tweet “idiotic”, “a little foolish” and “completely irresponsible”. Responsible disclosure is the idea that if you spot a vulnerability, you should alert the company first and give it enough time to bash together a patch before going public.

© Article’s author: Nicole Kobie.
© Source: Wired UK

Despite the Twitter abuse, Apple was apparently warned about the flaw before Ergin tweeted it out. In a Medium post, Ergin claimed that the issue was spotted by staff at the company he works for, and they did disclose it to Apple before taking it public. Wired UK asked Apple for confirmation of the disclosure, but the company hadn’t responded at the time of publication.

“A week ago the infrastructure staff at the company I work for stumbled on the issue while trying to help one of my colleagues recover access to his local admin account,” he wrote. “The staff noticed the issue and used the flaw to recover my colleague’s account.”

Ergin explained that his colleagues reported the flaw to Apple on November 23 and noticed that it had been discussed in the Apple Developer Forum as far back as November 13. “It seemed like the issue had been revealed, but Apple had not noticed yet.”

Ergin didn’t tweet about the flaw until five days later, on November 28. Regardless of whether five days is enough to qualify as responsible disclosure, Ergin’s intent in tweeting was good. “The issue was very serious. It has already been mentioned in forums and revealed publicly a few weeks ago,” he wrote on Medium. “I have no intention to harm Apple and Apple users. By posting the tweet, I just wanted to warn Apple and say ‘there is a serious security issue in High Sierra, be aware of it and fix it’.”

Following the public attention, Apple immediately issued advice on a workaround, and had a patch ready the next day. While that’s good news for macOS users, it’s raised the question of whether Apple could do more to encourage security researchers to watch out for issues on the Mac operating system.

Responsible disclosure is encouraged by so-called bug-bounty programs, in which companies pay security researchers for reporting such flaws. They’re popular across the tech world: in 2016 alone Google paid out $3 million, and Facebook, Tesla, Microsoft and Uber all have similar programs. Even non-tech companies are using them: Bugcrowd’s State of Bug Bounty report revealed enterprise adoption of such programs was up 300 per cent last year.

Google’s bug bounty program pays out $3 million, mostly for Android and Chrome exploits:

If you’re willing to hunt for flaws within its vast array of software and services, Google’s happy to pay up. Over the course of its 2016 Vulnerability Rewards Program, the company paid out $3 million, a third of the total $9 million that enthusiastic researchers have earned since the initiative, more colloquially known as a bug bounty program, launched in 2010.

The latest round of bug bounties yielded 1,000 individual rewards to 350 participants, with the largest single reward totaling $100,000. Last March, Google doubled the bounty for a Chromebook hack from $50,000 to $100,000, after no one managed to pull one off.

Among 2016’s bug bounty exploits:

Google awarded $3,134 to researcher Tomasz Bojarski for an XSS vulnerability identified on its events site. Bojarski has been hunting for Google exploits from a small town in Poland for the last three years and he claims to do it for the “sheer enjoyment.” Maybe also for the glory, because he’s killing it on Google’s bug bounty leaderboards.

A “bug chain bonus” of $5,000 and another $7,500 for a JavaScript exploit targeting the Google account recovery page.

A Chrome OS vulnerability involving a one byte DNS library overflow, detailed at the Project Zero blog. Sounds like someone finally cashed in on Google’s Chromebook call to action.

But while Apple has an invite-only bug bounty programme for iOS, it doesn’t pay out for flaws found with macOS. Critics suggest that means researchers are less likely to dig about in macOS code looking for flaws. “Bug bounty programs help further incentivise hackers to spend more time looking for bugs,” says Alex Rice, co-founder and CTO of HackerOne. “Bounties can help attract more attention from a broader audience, meaning you’ll have more people testing the security of your software.”

Keith Hoodlet, Bugcrowd’s trust and security engineer, agrees. “I think (Apple) would likely benefit from having a bug bounty program that’s a little bit broader than just iCloud or iOS infrastructure,” Hoodlet says. “Large companies usually see a lot of savings from having a bug bounty programme, and that’s usually a time-cost savings.”

On the other hand, the high value of Apple flaws may make them a special case – a report by Motherboard last year suggested researchers are much more likely to sell iOS vulnerabilities to the highest bidder as they’re too valuable to hand over to Apple.

Apple is certainly wealthy enough to pay for flaws, so why doesn’t it?

“Apple has had a history of somewhat closed doors when it comes to dealing with or responding to vulnerabilities that have been reported against their systems,” Hoodlet says. “Historically speaking, Apple does not credit researchers for their findings when it comes to vulnerabilities being fixed, so to that end it may just be a company culture.”

Rice notes that not having a bug bounty doesn’t mean Apple is weak on security, saying such programs are “by no means a silver bullet” for security. “Vulnerabilities are always inevitable and Apple should be applauded for their exceptional security response – the issue was fully resolved in a matter of days,” he adds.

Even without a bug-bounty program, Apple does take flaw reports over email, and Rice says it’s more important to have such a vulnerability disclosure program than it is to pay for reports. “This tells the world, ‘If you know of a vulnerability we’d like you to share it with us so we can fix it,’” Rice says. “It’s providing a safe and secure channel for friendly hackers to disclose what they find and ensuring they won’t face a response from a lawyer or law enforcement.”

If you do spot a bug, Apple’s vulnerability disclosure details are here.

Infotolium confirmed this security flaw exists on macOS High Sierra 10.13.0.

Total: 3 comments
  1. lexuss
    2017-12-3, 12:59PM
    Anyone looking to exploit the flaw would in most cases first need physical access to the machine while an Admin is logged in. They would only need access for a few seconds, though, and then could return anytime to log in as an Admin. However, should a vulnerable machine also happen to have screen sharing turned on, it is reportedly remotely vulnerable as well.
  2. Trevory Mogger
    2017-12-3, 12:14PM
    Alarmed security researchers have taken to Twitter to confirm how widespread the bug is. It works both when attempting to access an administrator account on an unlocked Mac and on the login screen of a locked Mac. The issue appears to stem from macOS High Sierra blindly creating a blank root account with no password. Though why it would do that is anyone's guess.

    Initial reports claimed the flaw could not be exploited remotely, but at least one security researcher found this isn't the case if certain settings are enabled. The bug will also be an issue in businesses and other organisations that run macOS High Sierra - any user on the network with a limited-access account can use this exploit to log in to their system with full administrator privileges.

    The flaw was disclosed by developer Lemi Orhan Ergin on Twitter. It isn't clear if Ergin contacted Apple before going public, though as the company operates an invite-only bug bounty program that seems unlikely.
  3. Jayce Wagner
    2017-12-3, 11:20AM
    Expect Apple to fix this flaw. Fast.

    The issue is present in Apple macOS 10.13.1, so if you're on a Mac now and your system is up to date then you are affected. The exploit hands anyone access to all files and folders and lets them reset and change passwords. If an Apple ID is linked to the Mac, then this can also be removed or altered. It's called system administrator access for a reason, and the flaw pretty much lets anyone do anything.

    Aside from not leaving your Mac lying around, anyone running macOS High Sierra should head to their settings to create an administrator account with a strong password to prevent a blank one from being created. Don't know how? Here's a handy guide. In a statement, Apple said it was working on a solution and advised people to implement the above workaround in the meantime.