In the annals of bad bugs for 2017, Apple's High Sierra fiasco could be No. 1. How does one of the world's most well-resourced software developers miss a glaring problem that was actually disclosed in one of its own forums?
Apple has long prided itself on the security of its products, even though security experts who look under the hood find it roughly on a par with Microsoft in managing hundreds of millions of lines of operating system code.
In its High Sierra operating system, Apple forgot to disable by default the root account, which is the most powerful one on the computer with access to all files, passwords and settings. By typing a username of "root" and clicking twice, the almighty account was launched, a feat that in certain scenarios could be done remotely (see Apple Rushes to Fix MacOS High Sierra 'All Access' Bug).
"I keep telling people that Apple security is totally overrated for years yet anytime these laughable flaws happen the internet acts all surprised," writes Stefan Esser, a well-known researcher who has been critical of Apple's response to security issues, in a tweet.
The uproar over the vulnerability, for which Apple released a patch on Wednesday, elicited an uncharacteristically contrite statement from the company, which was shared with Reuters.
"We greatly regret this error and we apologize to all Mac users, both for releasing this vulnerability and for the concern it has caused," the company says. "Our customers deserve better. We are auditing our development processes to help prevent this from happening again."
For some, it was an opportunity to take a humorous shot at Apple.
"People are telling me that you can login as root on macOS High Sierra if you try three times with a blank password," writes @zemnmez on Twitter. "Well tell me what kind of attacker has the tenacity to try three times? Nobody. It's a perfect balance between usability and security."
Root Accounts Downgraded
The back story behind the discovery of the bug begs a question of how closely Apple monitors chatter in its forums, where users banter about technical problems and trade tips. The discussion thread where the High Sierra bug was revealed is telling.
In June, "Taylor E." posted about a glitch in a High Sierra beta that caused root accounts to be downgraded to standard accounts. Another user, "DJMasters," wrote that the problem prevented the installation of Xcode, which is Apple's software development toolkit.
The problem persisted for others until Chethan Kamath, writing under the username chethan177, casually posted precise instructions about how to work around it on Nov. 13.
Kamath didn't cast the behavior as a bug, but 15 days later, another user realized the gravity of Kamath's post.
"Oh my god that should not work but it does," writes "CoyoteDen." "This is really, really bad. Some bug in authentication is enabling root with no password the first time it fails!"
Just the Messenger
The same day, it hit Twitter. An Agile software developer, Lemi Orhan Ergin, described the problem, copying Apple's Twitter handle.
Ergin was subsequently skewered for purportedly disclosing such a serious vulnerability on Twitter. But Wednesday, Ergin wrote a post on Medium saying that staff at the infrastructure company he works for came across the bug around Nov. 23 and "used the flaw to recover my colleague's account."
Staff at his company reported the issue to Apple, he claims. The flaw had already been mentioned in a few places online, he writes, including Apple's Developer Forum. Then he took to Twitter, saying he wanted to ensure Apple was aware.
"I have no intention to harm Apple and Apple users," Ergin writes. "Simply saying, I am not the one who discovered the security bug, but the one who make [sic] it more visible in public by mentioning it via Twitter."
Ergin's public disclosure obviously lit a fire under Apple, which issued the patch just a day later. But it begs the question: If - as Ergin writes - Apple knew of the bug around Nov. 23, why did it wait so long to fix it?
After the bug's disclosure drew a flood of attention, Kamath posted again on Apple's forums. Users were curious how he found the bug.
"As to how I stumbled on this, the answer is simple," Kamath writes. "Pure frustration. I'd read on one of the forums where in a user suggested we try using 'root' for username and leaving the password field empty. I did, it failed. Out of sheer frustration, I tried again, and voila the **** thing unlocked my admin account much to my relief. Then I posted it here assuming someone stuck just like me might find it useful. It was purely accidental."
Someone asked Kamath if he could go back through his browsing history to find out which forum had described the method. Unfortunately, he writes, he was "unable to trace it."
Reinstall High Sierra?
The question of who knew about the bug and when is crucially important.
If attackers have known about the bug for some time, it's possible that some Macs running High Sierra could have been surreptitiously infected with malware or a keylogger. Such infections - or even other modifications aimed at a malicious end - could be difficult to detect now.
"Every High Sierra system which hasn't had root password set from very first moment after installing the OS should be treated as compromised," writes a user going by the nickname "nzhuk" in the discussion thread. The user recommended that users reinstall High Sierra to ensure no backdoors have been placed on a system.
Apple's patch notice didn't impart that extreme advice. As with many security issues, paranoia will guide how much trouble to take to ensure a system's integrity. The confidence around Apple's security, however, may take more time than a system refresh to be restored.
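A defender's way to act on the point "nzhuk" raises, added here as an example and not code from the article or from Apple: read the root record's AuthenticationAuthority attribute and classify whether the account is disabled, never enabled, or live. It assumes (not stated on the page) that a disabled root carries the ";DisabledUser;" tag, that a never-enabled root has no such key at all, and that a ";ShadowHash;" entry without the tag means root is enabled; it cannot tell whether a live hash was set deliberately or by the bug.

```shell
#!/bin/sh
# Added example (not from the article): classify the macOS root account from
#   dscl . -read /Users/root AuthenticationAuthority
# Assumptions (not on the page): ";DisabledUser;" tag = disabled, missing key
# = never enabled, ";ShadowHash;" without the tag = enabled.

classify_root_state() {
  # $1: raw stdout+stderr of the dscl command above
  case "$1" in
    *DisabledUser*)       echo "disabled" ;;   # explicitly disabled
    *"No such key"*|"")   echo "disabled" ;;   # key absent: never enabled
    *ShadowHash*)         echo "enabled"  ;;   # live password hash, no tag
    *)                    echo "unknown"  ;;   # unexpected output: inspect by hand
  esac
}

# Live check on a Mac. Returns 0 when root is disabled, 1 when it is enabled.
check_root_account() {
  out=$(dscl . -read /Users/root AuthenticationAuthority 2>&1)
  state=$(classify_root_state "$out")
  echo "root account state: $state"
  case "$state" in
    disabled) return 0 ;;
    enabled)  echo "root is enabled; if nobody set its password deliberately," >&2
              echo "treat the system as suspect and run: sudo dsenableroot -d" >&2
              return 1 ;;
    *)        return 2 ;;
  esac
}

# Only query Directory Services where it exists (macOS); elsewhere just define
# the functions so the classifier can be reused on collected output.
if command -v dscl >/dev/null 2>&1; then
  check_root_account || true
fi
```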