Author Topic: Major Security Flaw in MacOS 10.13 (Read 2218 times)

McJob · November 28, 2017, 05:59:01 PM

You can currently access root without a password in MacOS 13.10. There's a work around:

Go to terminal, enter "sudo passwd -u root" and pop in your new password.

EDIT: Apple have provided another fix for users: https://support.apple.com/en-us/HT204012

Ad Bot · Advertisement

Ipquarx · November 28, 2017, 08:35:02 PM

how the forget does this stuff not get checked and how the forget did it not get discovered until now
i fail to understand

this reminds me of the time a 5 year old kid figured out how to log in to anybody's xbox account by typing a bunch of spaces into the password box

*Trinick · November 28, 2017, 08:59:55 PM

Quote from: Ipquarx on November 28, 2017, 08:35:02 PM

how the forget does this stuff not get checked and how the forget did it not get discovered until now
i fail to understand

By default, the root user on unix systems has no password. Presumably this null value was improperly equated with the value of a null string. It's not exactly something that you'd think to check, either, since any people who are enough of a poweruser to know to look for this kind of stuff are probably enough of a poweruser to set their own root password so they can use it. The only way I could see this kind of thing getting caught is through proper code review or internal entry testing, and stuff gets missed in code reviews and pen tests all the time if it is not a known exploit.

Metario · November 29, 2017, 01:28:00 AM

Quote from: *Trinick on November 28, 2017, 08:59:55 PM

By default, the root user on unix systems has no password. Presumably this null value was improperly equated with the value of a null string. It's not exactly something that you'd think to check, either, since any people who are enough of a poweruser to know to look for this kind of stuff are probably enough of a poweruser to set their own root password so they can use it. The only way I could see this kind of thing getting caught is through proper code review or internal entry testing, and stuff gets missed in code reviews and pen tests all the time if it is not a known exploit.

yes however the root user on nearly all Unix systems has login via tty, etc, login in GENERAL disabled. login is usually only available after you set a password to the acct, iirc

Goth77 · November 29, 2017, 03:01:37 AM

Apple really doesn't give 2 stuffs about security, its all about having a cool looking interface for them. It's just like a while back when you could bypass the lockscreen to get into anyones iPhone.

PhantOS · November 29, 2017, 03:04:42 AM

Quote from: Goth77 on November 29, 2017, 03:01:37 AM

Apple really doesn't give 2 stuffs about security, its all about having a cool looking interface for them. It's just like a while back when you could bypass the lockscreen to get into anyones iPhone.

this post is ironic since windows has had more security issues than mac

Grimlock² · November 29, 2017, 03:04:55 AM

good thing im still on yosemite lol

Zloff · November 29, 2017, 03:59:19 PM

proud to have never owned an apple product in my life

the iphone 4s i turned into a skateboard didn't count. that was just in the wrong place at the right time

Frankie² · November 29, 2017, 04:20:39 PM

Quote from: Goth77 on November 29, 2017, 03:01:37 AM

Apple really doesn't give 2 stuffs about security, its all about having a cool looking interface for them. It's just like a while back when you could bypass the lockscreen to get into anyones iPhone.

You mean like how they fought the fbi on allowing a back door into iPhones? That kind of not caring?

NotBomberguy · November 29, 2017, 05:56:43 PM

get macforgeted maccigarettes

Rockinboy2000 · November 29, 2017, 06:04:13 PM

*hakcer voice* im in

Aide33 · November 29, 2017, 06:09:54 PM

Quote from: Goth77 on November 29, 2017, 03:01:37 AM

Apple really doesn't give 2 stuffs about security, its all about having a cool looking interface for them. It's just like a while back when you could bypass the lockscreen to get into anyones iPhone.

they do give a stuff about security.

iphones are rock solid with encryption tech, they sandbox the stuff out of everything and thats why jailbreaks are so hard to come by these days

Verification · November 29, 2017, 06:41:31 PM

steve and bill were brothers fron another mother but bill preferred to fix it after release while steve made sure there were no imperfections to drag down his perfect automachine or as you call it "conputer"

this would have never happened if steve jobs was alive still. steve very much cared about this kinds stuff and apple is getting less productive now that he's dead.

Conan · November 29, 2017, 06:45:44 PM

despite how incomprehensible/oddly worded the post above me is, hes right about apple losing its touch after jobs passed. its a big company but nothing since his death has really caught headlines in any serious way

shitlord · November 29, 2017, 06:47:00 PM

apple died with steve in my opinion

now its just the same old dumb stuff, throwing stuff at the wall until it sticks and making dumb products and having dumb standards to be "innovative" like "steve was"