| Major Security Flaw in MacOS 10.13 |
| McJob:
You can currently access root without a password in MacOS 13.10. There's a workaround: Go to terminal, enter "sudo passwd -u root" and pop in your new password.
EDIT: Apple have provided another fix for users: https://support.apple.com/en-us/HT204012 |
| Ipquarx:
how the forget does this stuff not get checked and how the forget did it not get discovered until now i fail to understand
this reminds me of the time a 5 year old kid figured out how to log in to anybody's xbox account by typing a bunch of spaces into the password box |
| *Trinick:
--- Quote from: Ipquarx on November 28, 2017, 08:35:02 PM ---
how the forget does this stuff not get checked and how the forget did it not get discovered until now i fail to understand
--- End quote ---
By default, the root user on unix systems has no password. Presumably this null value was improperly equated with the value of a null string. It's not exactly something that you'd think to check, either, since any people who are enough of a poweruser to know to look for this kind of stuff are probably enough of a poweruser to set their own root password so they can use it. The only way I could see this kind of thing getting caught is through proper code review or internal entry testing, and stuff gets missed in code reviews and pen tests all the time if it is not a known exploit. |
| Metario:
--- Quote from: *Trinick on November 28, 2017, 08:59:55 PM ---
By default, the root user on unix systems has no password. Presumably this null value was improperly equated with the value of a null string. It's not exactly something that you'd think to check, either, since any people who are enough of a poweruser to know to look for this kind of stuff are probably enough of a poweruser to set their own root password so they can use it. The only way I could see this kind of thing getting caught is through proper code review or internal entry testing, and stuff gets missed in code reviews and pen tests all the time if it is not a known exploit.
--- End quote ---
yes however the root user on nearly all Unix systems has login via tty, etc, login in GENERAL disabled. login is usually only available after you set a password to the acct, iirc |
| Goth77:
Apple really doesn't give 2 stuffs about security, it's all about having a cool looking interface for them. It's just like a while back when you could bypass the lockscreen to get into anyone's iPhone. |