Closed disclosure does, to a large degree, prevent negative publicity. I don't think it is in dispute that this bug would receive vastly less media coverage if it were only revealed as a bug in outdated/patched versions of the OS.

I don't want to see Apple hurt (I'm an Apple-guy myself, using Macs, iPhone, iPad and Apple Watch), I want to see them improve. I doubt they start will start caring about QA unless they're forced to.

One absurdly serious and stupid password bug like this can be a honest mistake, but three (that we know of, that were full disclosures) in a few months is negligence that should be criminal if it isn't.

A bug like 'can log in with password "root"/""' just isn't going to get you a grace period no matter what security researchers might want.

I mean, this bugs has been reported already - by every cheesy hacking movie ever, by every beginners book on social engineering and so-forth. Heck, it was "reported" by Richard Feynman talking about cracking safes during the Manhattan.

Not the attitude of the people reporting the issue have put "millions of apple customers" at risk, but the company which allowed to let issues like this one slip through their Q&A process.

IMO, this behaviour is part of the problem, the reason why tech companies take security only on a superfiscial level seriously.

Don't kill the Messenger.

And Full disclosure is about protecting users of a software, not letting the vendor off the hook. Here, the hack and the fix are so trivial the responsible thing to do is to publicly call out Apple for its lack of QA and warn users directly. It affects everybody who runs High Sierra.

> it puts millions of Apple customers at risk in the process.

Nah, it's Apple which put millions of customers at risk, not the person who disclosed the vulnerability. let's not shift away the blame from the guilty here.

Apple one of the richest company in the world is obviously just cutting corners in QA here. This is unacceptable.

it's seems some people here are more concerned about negative publicity than user security. This is a pattern that have been seen countless times in big tech corporations(such as Yahoo), not disclosing hacks that put their users and their data at risk. This is unacceptable for a company that claims to be all about their users.

This is such a lame vulnerability that it's probably already known to competent attackers.

It's not a bug; it's a bad design decision. How to initialize the root password on a new machine is a hard problem in a consumer environment. Some people will set it, lose it, and then want support to fix it. One would expect some clever Apple solution, such as initializing the password to random letters and providing the buyer with that info on a scratch-off card. That way, the buyer can be sure no one has seen the password before they use the scratch-off card.

Setting it to null? That means nobody thought about the problem.

> Encouraging irresponsible disclosure because one wants to see Apple hurt is a reckless and selfish attitude because it puts millions of Apple customers at risk in the process.

Apple put millions of their customers at risk by skimping on QA. As an Apple user I'm OK with this getting out if it motivates Apple to improve their approach in the future.

There is nothing irresponsible about disclosing huge vulnerabilities in software by any means necessary.

Edit: as usual, downvotes but no response. I miss when this place was decent.

The fact that you as the ordinary student can become root and create a lot of damage so easily is the only reason the public will care.

Us geeks have been complaining about the horrible QA in macOS for years, yet nothing has been done. The fact that this is so simple to do will probably/hopefully get ordinary people to start talking about it too ("Hey, have you heard that you can hack Macs without a password? Very insecure"), which would force Apple to improve.

Maybe it's crazy that we give people physical access to machines and expect them not to be able to obtain root.

I don't have any experience with enterprise-grade IT, but it seems like shared computers should be thin clients or at least use UEFI to securely boot an image over the network and not keep anything sensitive locally.

If you give someone physical access to a box, they will be able to own it.

> On the other hand, I, a university student with next to no understanding of computer security, can simply walk onto campus, sit down at a Mac, and within seconds have complete access to the computer.

its educational for the end user. You cannot trust Apple. Good reminder there are other OS available out there.

My understanding is that the first attempt is creating/enabling the root account with a blank password and that the subsequent login is actually utilizing it (which is kind of bizarre and probably why this was missed in testing).

Thanks, added!

> Is there something you don't like about them?

You mean, in addition to bad QA and complete disregard for their users' security? And being the richest and most profitable company ever, cutting corners and evading taxes?

Their response on Twitter was amazing: "PM us so we can discuss this privately", not "thank you, we're looking into it NOW".

I don’t see it as either/or. You can disclose responsibly, and go for publicity once the fix is in circulation. Responsible disclosure is nothing to do with protecting Apple, it’s about protecting the users.

The problem is that this is not a zero day in new technology. They made a jr sysadmin mistake. As a company who wants a reputation for good security, that is not acceptable.

Far too many people think of Apple as infallible. I often think even Apple thinks of themselves as infallible. The more people that are aware of the inherent risk involved with using computers - any computer - the better.

There's no reason why the person who discovered the bug would be safer publishing the vulnerability on Twitter than disclosing it to Apple directly. If nothing else, they could always post it on Twitter later. The link to the DMCA is a digression.

How does him being from Turkey matter in this case?

If you leave keys in other people's doors all over the neighbourhood, I damn well have a rigtht, and possibly an obligation, to make it publicly known that such a thing is taking place. So that everyone may take their own precautions.

A better analogy would be "if the lending bank left the door to your new house open..."

Other than buy an Apple product, the users did nothing intentional to undermine security.

Since this is a subjective argument, based more on historical instances of "responsible disclosure" and not law, I'm gonna lean in this case of it being Apple that failed

They built the entire "walled garden" without getting outside help. They want the control, they have billions of dollars, can hire whatever talent...

Failed to spot a password-less root login issue.

People need to know today to be even more cautious about using Apple gear in public places or around plain ol' tech jerks that like to fuck with people for a gag.

Society has no legal or moral obligation to make sure Apple stays in business.

The problem with that analogy is that the probability that the "bad guys" already know about this vulnerability is vastly higher than the probability that thieves know about how well some random house in the neighborhood is secured.

You may say so, but really the level of incompetence of not setting a password for a root account is pretty high. The fact that someone reported it in a way you don't agree with shouldn't distract you from the fact that this highlights a serious oversight.

The main question that should be asked is, how did this get overlooked? How is it that your average website has better password security than the OS of one of the richest tech companies in the world?

To be fair to Apple, Microsoft had similar issues back in the 1990s. Perhaps it takes a string of security blunders for some tech companies to take security seriously.

If you sell locks and those locks can be opened by pulling on them twice, the reasonnable course of action is to make that fact known to every buyer ASAP, not tell you privately and wait for you to maybe issue a recall.

Wrong. This is Apple -- not the homeowners -- leaving everyone's key in everyone's door without them knowing.

This situation seems more like a lock manufacturer selling millions of locks that can be opened with a toothpick.

I'd lay responsibility at the lockmaker's door, not the guy who told everybody they were at the mercy of anyone with a toothpick.

>If you leave your key in your front door lock and I blast out on twitter your address and tell people about it, I think I have some responsibility.

That's not a faithful analogy. Apple isn't your neighbour. They are the landlord. The scenario is more like that the landlord uses bogus locks in your complex, and you post it on twitter. You could complain to them privately too, but given your past experiences perhaps, you thought that twitter would be a more effective medium.

This is different though: the bug is so bad that random, inexpert users can discover it by accident. People that are not going to even be familiar with the term "responsible disclosure" at all. This may have been the case for the guy who tweeted this.

There is no realistic way to keep a lid on something like that and so in this case the blame is entirely on Apple.

Your analogy makes no sense. He's just as vulnerable as you are.

This very excellent comment lies "dead", so I'll repost it:

asejfwe8823 24 minutes ago [dead] [-]

A better analogy would be "if the lending bank left the door to your new house open..." Other than buy an Apple product, the users did nothing intentional to undermine security. Since this is a subjective argument, based more on historical instances of "responsible disclosure" and not law, I'm gonna lean in this case of it being Apple that failed They built the entire "walled garden" without getting outside help. They want the control, they have billions of dollars, can hire whatever talent... Failed to spot a password-less root login issue. People need to know today to be even more cautious about using Apple gear in public places or around plain ol' tech jerks that like to fuck with people for a gag. Society has no legal or moral obligation to make sure Apple stays in business.

"Invite only", "provides a full report and a proof of concept that is accepted by Apple engineers"

In a case like this, I think it would be best to maximize the bad publicity. Bad publicity is the minimum Apple deserves for a bug like this. In my idea world they'd get a lot of bad publicity, and a significant financial penalty.

It's as remotely acceptable as "root" with no password, apparently.

The question is large and complicated, and people can agree to disagree. There's nothing wrong with tweeting vulns: The company is at fault, we can defend ourselves now that we know about the vuln, and it's a big PR disaster for Apple.

A past conversation: https://news.ycombinator.com/item?id=14009937

No, no it's not strictly more ethical. It's not even strictly safer, which should be an even easier question to answer. The baked-in assumption in your logic is that users have no options other than waiting to patch. But, obviously, they do, and keeping vulnerabilities secret deprives them of those options.

But everyone can fix this problem by setting a root password. So telling everyone is the right call. Otherwise people would be sitting vulnerable while Apple comes up with a patch.

Google Project Zero does not support full public disclosure immediately- quite the opposite. They support full public disclosure after giving the vendor an opportunity to ship a fix to their customers in a reasonable period of time. Nobody's debating whether or not security flaws should be publicly disclosed- of course they should. The only debate is, what is the most responsible way to handle such a security issue such that it harms the fewest users.

Project Zero (and infosec professionals, at least all of the ones I've ever worked with) would tell you that this was the most irresponsible way to handle the issue, short of not saying anything and selling knowledge of the exploit to someone other than the vendor who could fix it. Publicizing something like this in this way is something people do because they want publicity for themselves. It is not something someone does if their biggest concern is for the users who might be affected by it. It is something someone would do if they didn't care about the users, and just wanted public credit for pointing it out.

Project Zero does full disclosure 90 days after informing the relevant organization. Full disclosure comes after there has been a chance to fix the problem. Otherwise everyone is put at risk until a fix is available.

Which respected professionals ? This is completely false.

I qualified it with "reliably". Major bugs reported by you, a security researcher, may be bucketed differently than those deemed less serious or filed by others. As a recent example, a minor bug like the iOS 11 calculator ignoring keypresses had reports filed since Beta 1, but only after it made headlines and caused Apple public embarrassment will it be addressed in the upcoming 11.2, six months later.

Sorry. 45 days is not quick.

This happens quite often. Report a bug to Apple through CERT as an example and they run with a well known 45 day disclosure timeline. For researchers who don't want to get into vendor conflicts this is a good path because CERT ultimately holds the decision.

iRoot. uRoot. Everybody Root.

My current favorite is I am Root.

AppleGate

i0wned

Unfortunately it's still more common than you think.

The other day I actually ran across some AWS docs which suggest you send your AWS root key id in the url of http requests:

http://docs.aws.amazon.com/AlexaWebInfoService/latest/index....

Create a root password.

I guess you’re seriously concerned now ;)

Ouch. This guy's going to kick himself pretty hard. The 15 minutes of infamy seems like a pretty bad tradeoff.

For a local root with physical access? Not a chance. Maybe low 4 figures.

If it harms the company then they will take it more seriously and it will protect users more in future. If it doesn't harm the company then they have no incentive to change.

In almost all cases immediate disclosure is better for end users who actually care about their security because they can take appropriate mitigation measures.

Just because the vulnerability is not disclosed does not mean it is not being actively exploited. It probably is.

Users who don't care about their security do not deserve to be "protected" at the expense of compromising the security of those who do care who benefit from immediate disclosure.

> you've made it possible for anyone to go to the fire, light a torch with it

And at the same time provided everyone with a simple, free, and perfect way to fireproof his/her house.

You could wait for the fire department, which may take hours to get there, and hope that no malicious party down the street saw the fire, or you can do this. It turns out that both are quite reasonable reactions in this scenario, and that the latter is much more obvious to the layman.

There is no good reason to get angry at the layman for taking a course you don't prefer.

You are comparing an arsonist to a fire department.

...or if you enabled root for some reason, but didn't set a password.

I don't think they meant using this vulnerability to enable a root remote connection, but using an existing non-root remote connection (think TeamViewer, VNC, whatever) and escalating.

Yeah, but...

It seems to me (somebody who has no chops in this domain) that this is such a basic bug. Like something a child would have found just messing around.

And it came from a corporation that has around $200B of cash and cash equivalents. Apple has the resources to test and find bugs like this.

That Apple didn't find it is down to leadership and priorities more than some inherent limits of producing reliable code. One spends on what one thinks important.

But who knows, I've got no domain expertise here. Maybe a fifth of a trillion dollars C&CE really isn't enough to fund production of more robust code. But really?

After the developers there is a line of QA as well, but part of the problem is having the organisational structures for developers to discover issues like this. Regular audits, security as a priority and non-recrimination policies would be a good start. In many companies if you bring up problems like this then your "not a team player", in others you could point out issues like this all day long but they will never be acted upon because the budget isn't there for various reasons.