‘This is really bad’: Snowden blasts Apple’s admin access security flaw
The vulnerability, triggered simply by entering ‘root’ as the username, leaving the password field blank and hitting ‘enter’ twice, means that anyone who exploits it can view files and change the passwords of users on the same machine.
For Snowden, the bug is a reflection of just how easy it is to be hacked, and shows exactly why people must be vigilant about resisting government efforts to weaken protections. “This is really bad, but will be fixed,” the whistleblower wrote on Twitter, before adding a warning about government agencies like the FBI pushing for “‘reasonable’ encryption.”
“This is really bad, but will be fixed. Remember this bug next time the FBI & DOJ ask for "reasonable" encryption. This is what that world looks like every day. https://t.co/XK9qQDJubI” — Edward Snowden (@Snowden), November 28, 2017
“Imagine a locked door, but if you just keep trying the handle, it says "oh well" and lets you in without a key. https://t.co/KBW4qntMdA” — Edward Snowden (@Snowden), November 28, 2017
Earlier, Snowden had described the error as being akin to a locked door that lets you in as long as you keep trying the handle. Tech experts believe the flaw leaves computers using the High Sierra operating system open to attacks from malware.
“Just tested the apple root login bug. You can log in as root even after the machine was rebooted pic.twitter.com/fTHZ7nkcUp” — Amit Serper (@0xAmit), November 28, 2017
"We always see malware trying to escalate privileges and get root access," Patrick Wardle, a security researcher with US tech firm Synack, told Wired. "This is [the] best, easiest way ever to get root, and Apple has handed it to them on a silver platter."
Apple responded to the revelations on Tuesday by confirming that it is working on an update to fix the problem in macOS High Sierra; until that update ships, it has published a step-by-step guide to help users protect their machines.
Meanwhile, it has emerged that the vulnerability had already been shared on one of Apple’s own developer forums, in a thread started by a user who was unable to log in to their computer as an administrator. The tip was posted on November 13.