The Macintosh Sierra operating system from Apple is vulnerable to a moronic security vulnerability. The user only needs to open a username/password prompt that requires elevation to perform a task, enter the username ‘root’, and leave the password field blank. Then just click Unlock twice, and the user is granted root access with no password required. This is the most moronic security hole ever. Very funny indeed.

And Apple want to replace the desktop PC with tablets. But how are you going to program complex applications on a tablet? Development kits for mobile telephones are available on PC and use an emulator to test the application you are developing. Tablets are not a desktop replacement. Good for watching YouTube and using Twitter, though; not that handy for game development.

Apparently, the first click of the Unlock button creates a new root account with superuser access, and the second logs you in to the new account. Linux has sudo, which can allow root access without a password, but this must be configured first, and you can whitelist certain commands that may be run this way and block all others. That is more secure than a Macintosh machine that is rushed out without proper testing and ends up with embarrassing security holes like this.
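To make the sudo comparison concrete, here is an added example (not code from the original post) that contrasts an over-broad passwordless sudoers rule with a whitelist of named commands and audits a file for the over-broad form; the user name and command paths in the samples are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit sudoers-style rules for passwordless access to ALL
# commands (the dangerous form of "sudo without a password") and contrast it
# with a whitelist that only exempts specific commands from the password prompt.

# audit_sudoers FILE
# Prints every rule whose NOPASSWD: command list contains the bare token ALL,
# with comments stripped. Exit status 0 if any such rule exists, 1 if none.
# Assumes plain sudoers syntax; Cmnd_Alias indirection is not expanded.
audit_sudoers() {
  sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1" |
    grep -E 'NOPASSWD:[[:space:]]*([^,]*,[[:space:]]*)*ALL[[:space:]]*(,|$)'
}

# Constructed samples written to a temporary directory (user and paths are
# hypothetical, chosen only for illustration).
SAMPLE_DIR=$(mktemp -d)
WEAK_FILE="$SAMPLE_DIR/weak"   # passwordless root for any command
SAFE_FILE="$SAMPLE_DIR/safe"   # passwordless only for two named commands

cat > "$WEAK_FILE" <<'EOF'
# constructed: grants any command as root with no password at all
deploy ALL=(ALL) NOPASSWD: ALL
EOF

cat > "$SAFE_FILE" <<'EOF'
# constructed: whitelist of two commands; everything else still prompts
deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart myapp, /usr/bin/journalctl -u myapp
EOF

# Report on both samples: the weak file is flagged, the whitelist passes.
for f in "$WEAK_FILE" "$SAFE_FILE"; do
  if audit_sudoers "$f" >/dev/null; then
    echo "$f: FINDING - passwordless rule covers ALL commands"
  else
    echo "$f: ok - no passwordless ALL rule"
  fi
done
```

On a real host the same function can be pointed at /etc/sudoers and the files under /etc/sudoers.d after validating them with visudo -c.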
I hope this shames Apple into revising all of their practices with regard to security, with more peer review of all code that is submitted by their programmers. That would be a good way to try and bounce back from this scenario. It is not a good look in these times of increased focus on network and physical security. Apple do not have a good reputation in my eyes. I love the UNIX prompt available, and the Darwin operating system that it is based upon, but security practices need review. There was also a time when Apple Macintosh OSX read passwords from the keychain with no authentication… That would allow someone who borrowed your laptop to steal all of your passwords. Are you still going to trust Apple now? I would not.
on High Sierra (unsigned) apps can programmatically dump & exfil keychain (w/ your plaintext passwords)🍎🙈😭 vid: https://t.co/36M2TcLUAn #smh pic.twitter.com/pqtpjZsSnq
— patrick wardle (@patrickwardle) September 25, 2017