Most software has security flaws, and exploiting them usually takes some programming or scripting. Some flaws, however, require no hacking at all: you just have to be clever enough to stumble onto them.
Apple introduced macOS High Sierra at its Worldwide Developers Conference in June 2017. Last night Lemi Orhan Ergin, a software craftsman and founder of Software Craftsmanship Turkey (@scturkey), reported a security bug in High Sierra that gives anyone full access to the system.
You do not need to be a professional hacker to break into macOS High Sierra: anyone can log in as 'root' with an empty password after clicking the login button several times.
Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can log in as "root" with empty password after clicking on the login button several times. Are you aware of it @Apple?
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
After the tweet went viral, many High Sierra users tried it themselves and confirmed the flaw Lemi Ergin had described. Following that post, Lemi also shared a screenshot showing how the flaw is reproduced.
You can access it via System Preferences>Users & Groups>Click the lock to make changes. Then use "root" with no password. And try it several times. The result is unbelievable! pic.twitter.com/m11qrEvECs
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
Two hours after the tweet went viral, Apple's official support account (@AppleSupport) replied:
Let's take a closer look at what's happening together. Send us a DM that includes your Mac model along with your macOS version. We'll meet up with you there. https://t.co/GDrqU22YpT
— Apple Support (@AppleSupport) November 28, 2017
Three hours later, Lemi Ergin shared a fix that prevents anyone from getting into your Mac this way:
To fix MacOS High Sierra Passwordless Root Account issue, create a password for the "root" account. https://t.co/LqNVwVvxEb
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
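As an added defender's check, not part of the article or of Apple's guidance: the shell function below classifies the root account's state from the output of `dscl . -read /Users/root AuthenticationAuthority` (a real macOS command; the sample outputs here are constructed), so an admin can tell whether root has ended up enabled and needs a password set, as the tweet above recommends.

```shell
#!/bin/sh
# Added example (not from the article or from Apple). Classify the macOS root
# account from the text printed by:
#   dscl . -read /Users/root AuthenticationAuthority 2>&1
# The output is passed in as an argument so the logic can be checked offline;
# on a Mac, feed it the live command output (see usage at the bottom).
root_account_state() {
    dscl_output="$1"
    case "$dscl_output" in
        *"No such key: AuthenticationAuthority"*)
            # Attribute absent: root is disabled, the expected state on a
            # stock install where nobody has enabled the account.
            echo disabled ;;
        *ShadowHash*)
            # A ShadowHash entry means root has a stored password hash and
            # can authenticate. After the High Sierra bug has been triggered,
            # root looks like this but may hold an empty password, so treat
            # "enabled" as: verify the password, or set a strong one now.
            echo enabled ;;
        *)
            echo unknown ;;
    esac
}

# Constructed samples of what the command prints in each state (assumption:
# the HASHLIST contents vary by release; only the ShadowHash marker matters).
SAMPLE_DISABLED='No such key: AuthenticationAuthority'
SAMPLE_ENABLED='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'

# Usage on a real Mac (remediation needs admin rights):
#   state=$(root_account_state "$(dscl . -read /Users/root AuthenticationAuthority 2>&1)")
#   [ "$state" = enabled ] && sudo passwd root   # give root a real password
```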
As the post spread across the internet, Twitter users debated whether Lemi Ergin should have followed a responsible disclosure process or used a bug reporting system, which could also have earned him a bug bounty.
A few, however, sided with Ergin, arguing that it was not he who had put thousands of computers at risk by tweeting the flaw publicly, but Apple, which should have been more careful before releasing software with a bug like this.
Here are some of the tweets:
I fully support @Apple suing you for this. Learn how to disclose security bugs before you call yourself a "Software Craftsman".
— Amir Omidi (@aaomidi) November 28, 2017
Apple is going to sue someone for their own software flaws? That's rich. Exposing it publicly lights a fire under Apple, forcing them to prioritize a fix. Private disclosure lets them drag their feet.
— coolpup (@_coolpup_) November 28, 2017
This bug was gonna be found faster than this dude could write his tweet – it's one of the first test cases anybody would do. Exposing it now only just forces Apple to acknowledge it slightly faster than if they were told 5 mins later.
— Stuart Pentelow (@ThatguyStu1337) November 28, 2017
Pretty sure @Apple announced the OneClick BlankRoot feature during their macOS High Sierra reveal.
Here is the clip from the WWDC 2017 Keynote: pic.twitter.com/y2WSoXI6Hw
— Nick Carr (@ItsReallyNick) November 28, 2017