The Story Behind “anyone can login as root” Tweet
After my tweet about the security issue of MacOS High Sierra on Nov 28, I got many reactions like a blast. I think I need to express myself further about the story of how we noticed the issue and my intention behind the tweet I posted yesterday that went viral.
Let me give you a brief intro about myself first. I am a software craftsman. It means my main interest is developing well crafted software and coaching development teams to make them better. While I am leading teams in my daily work, I also guide Turkish Software Craftsmanship community to raise the bar of professional software development in the sector. I am neither a hacker, nor a security specialist. I solely focus on secure coding practices while programming, but I can never call myself a security specialist.
A week ago the infrastructure staff at the company I work for stumbled on the issue while trying to help one of my colleagues recover access to his local admin account. The staff noticed the issue and used the flaw to recover my colleague’s account. On Nov 23, the staff members informed Apple about it. They also searched online and saw the issue mentioned in a few places already, even in Apple Developer Forum from Nov 13. It seemed like the issue had been revealed, but Apple had not noticed yet.
Yesterday the infrastructure staff informed me that they had to set-up a root password on my Mac so that it won’t have the issue. I saw the issue with my own eyes and thought that it was unbelievable!
Then I decided to inform Apple via Twitter. The issue was very serious. It has already been mentioned in forums and revealed publicly few weeks ago. I thought I had to ask Apple “are you aware of it?”.
I have no intention to harm Apple and Apple users. By posting the tweet, I just wanted to warn Apple and say “there is a serious security issue in High Sierra, be aware of it and fix it.”
Simply saying, I am not the one who discovered the security bug, but the one who make it more visible in public by mentioning it via Twitter.