If you have a Macintosh computer running the latest version of macOS High Sierra (10.13.1), you may already know about a horrible security flaw that allowed anyone with physical or remote access to your machine to log in without a password and gain administrative powers. All they had to do was enter the word "root" as the username on the login screen or preference panel, leave the password blank, and then press "enter" twice. That would give them complete access to the Mac along with any personal data stored there: emails, applications, and everything else on the machine. As my Inc.com colleague Thomas Koulopoulos put it, it was akin to building a house with a state-of-the-art security system and leaving the door wide open.
The flaw was discovered by developer Lemi Orhan Ergin, who began tweeting about it on Tuesday. Less than 24 hours later, Apple provided a patch, and the company told TechCrunch that it would roll the update out to everyone who was affected.
So Mac users who spent Tuesday night standing over their computers (because TechCrunch had warned them not to leave their machines unattended until the bug was fixed) can finally get some rest. That is, if they can calm down enough to relax--most of them seem to be pretty livid. TheNextWeb's Tristan Greene, for instance, questioned whether it's a good idea for businesses to install future Apple updates on their computers.
And then there's this:
I am going to go home and make sure ringing my doorbell twice doesn't unlock the door #iamroot -- Johnl2112 (@johnl2112) November 28, 2017
"A logic error existed."
How did Apple--known for its high security and carefully designed products--let this happen? Its patch release notes simply say, "A logic error existed in the validation of credentials. This was addressed with improved credential validation." Beyond that, it isn't offering any more information on how the error came about.
In fact, it may not know. Apple released a statement today to the press apologizing for the flaw. It goes on to say, "Our customers deserve better. We are auditing our development processes to help prevent this from happening again."
Auditing Apple's development process might be a good idea--or Apple executives could simply read the Wired magazine website, which already seems to have found one major flaw in that process. The company doesn't issue "bug bounties" for macOS. Bug bounties are payments software companies give to anyone providing information about security vulnerabilities in their products, and they help the companies learn about and fix those vulnerabilities before they become public knowledge. Most software makers offer bug bounties, and Apple does too--but only for its mobile operating system, iOS.
As Wired points out, High Sierra has been plagued by security concerns--this is just the most recent and by far the biggest. Maybe it's time Apple started paying those who find vulnerabilities in its Mac operating systems as well. This latest flaw resulted in a sharp drop in Apple's stock price and untold damage to its revered brand. It seems like a bug bounty would have paid for itself, and then some.