back to article Stop us if you've heard this one: Apple's password protection in macOS can be thwarted

It just works. For anyone. An Apple developer has uncovered another embarrassing vulnerability in macOS High Sierra, aka version 10.13, that lets someone bypass part of the operating system's password protections. This time, a vulnerable dialog box was found in the System Preferences panel for the App Store settings. The bug …

  1. Bob Dole (tm)
    Headmaster

    meaning the trick would only be useful if the owner of the account had stepped away from their machine

    Isn't that the entire purpose of the dialog? To prevent people from making changes when you've stepped away? Otherwise, why bother even showing the dialog?

    1. Anonymous Coward
      Anonymous Coward

      Yeah any "bug" for a user logging in with admin privileges and then leaving their computer without locking it first allowing access to their stuff is NOT a bug, IMHO.

      Either the description in the article is wrong or whoever is complaining about it is nuts.

      1. DJO Silver badge

        NOT a bug, IMHO.

        Maybe but it is indicative of very lax testing. I have done software testing and we check every dialogue every button, every menu, every bloody thing and then somebody else rechecks in the regression testing phase.

        For something as dumb as this to get into the released version suggests their testing is limited to gross functional tests and then releasing it to beta testers who unless you get some really anally retentive types are not going to spend hours systematically pressing buttons.

        1. John H Woods Silver badge

          Re: "we check every dialogue and button"

          only half joking

        2. Anonymous Coward
          Anonymous Coward

          What I meant was it was not a security bug. Obviously asking for a password and accepting anything is broken, but if it only happens when you are logged in as admin it doesn't allow anyone access to something they wouldn't have anyway if you leave yourself logged in and unlocked.

          It sounds very much like their previous bug where the password prompt accepting anything. Makes me wonder if it had the same buggy code with '=' instead of '==' copy/pasted from the same place. If so, hope they do a search this time in case there's more.

      2. Richard 12 Silver badge

        So how does one lock a Mac when stepping away?

        Genuine question.

        There's no GUI element for it, so if it is possible there must be some secret keyboard salute known only to the True Faithful.

        1. gnasher729 Silver badge

          Re: So how does one lock a Mac when stepping away?

          Command-control-q.

        2. steamrunner

          Re: So how does one lock a Mac when stepping away?

          "So how does one lock a Mac when stepping away? [...] There's no GUI element for it, so if it is possible there must be some secret keyboard salute known only to the True Faithful."

          Yes there is. Top right of screen, select the little menu-bar drop down with your user name (I'm not sure of it's official name) and select "Login Window". You're bounced out to the login screen.

        3. Stumpy

          Re: So how does one lock a Mac when stepping away?

          Genuine question.

          There's no GUI element for it, so if it is possible there must be some secret keyboard salute known only to the True Faithful.

          ... or you can use hot corners - I have mine set up so I just park the mouse pointer in the lower right hand corner for a couple of seconds

          1. GruntyMcPugh Silver badge

            Hot corners,....

            .... thanks, I'm not a regular Mac user but had to use one to manage iPads with Apple configurator in one role a while back,.... given I was logged in with admin privs, access to iTunes, and the Apple VPP on the Mac Mini, I wanted a quick way to lock the thing, and Hot corners was what I used in the end,... it had slipped my memory, thanks.

          2. Vince

            Re: So how does one lock a Mac when stepping away?

            Yep you and me both - I setup a hot corner - and I have added lock screen to the not so good touch bar - but as I generally avoid using it, I never actually use that method.

        4. JaimieV

          Re: So how does one lock a Mac when stepping away?

          In addition to the above useful things, if you have lock-on-screensaver enabled then control-shift-eject or control-shift-power will take you straight to screen sleep, depending on keyboard.

          Possibly gone in High Sierra, but If you launch the Keychain Access app you can go to its prefs and add a lock icon to the menubar.

          1. Wensleydale Cheese

            Re: So how does one lock a Mac when stepping away?

            "Possibly gone in High Sierra, but If you launch the Keychain Access app you can go to its prefs and add a lock icon to the menubar."

            Definitely gone in High Sierra.

            I'd been using it and its absence was one of the first things I noticed after the upgrade from plain Sierra.

            1. pwl

              Re: So how does one lock a Mac when stepping away?

              gone in high sierra? oh ffs!

              1. pwl

                Re: So how does one lock a Mac when stepping away?

                ... turns out lock screen is under the apple menu now

        5. This post has been deleted by its author

      3. Lee D Silver badge

        It is a bug.

        It just might not be a security-critical one.

        There's no point having a dialog asking for a password that literally doesn't care what password you put in, whoever you are. Either the dialog shouldn't be appearing, or it should be refusing bad passwords.

        This is not "a problem" in this particular context. But it's incredibly telling of the laxity of testing and the code-paths in the secure sections of code that Apple uses - not unlike the bug a few months ago that allowed anyone to get admin by.... doing exactly this... typing in any nonsense twice into a password dialog would let them log in.

        What's wrong here is the process... quite what is popping up that password prompt and why does it accept the wrong password WITHOUT showing an error at all? And how many other places / weird combinations allow the same. If this was the only bug, sure, you could chalk it up to some form of coding accident. But this is only another in a worrying trend of "You must authenticate" "Gah, just have admin rights anyway" issues that MacOS has had.

        Think not about what the bug is, but what it represents. Somewhere there's a piece of code that literally says "Even if that password fails, carry on regardless, using the admin rights, and don't tell the user". That's not a situation that you want to propogate throughout your OS code.

        1. JimboSmith Silver badge

          Working with one piece of rather specialised software years ago I noticed something odd. It was possible to get to what appeared to be a hidden config screen/parameters pages. To do so you had to go through a particular combination of screens in a particular order which was perfectly possible in normal use. The new "CMenu*" option then appeared at the bottom of one of the drop down menus in place of the normal "Developer Login*" option.

          I queried this with the company and the woman on the other end was horrified. She told me not to touch any of the settings as it might very well screw things up as I hadn't got there through the correct procedure. The correct way to do it was through the "Developer Login*" and that was password protected etc. (*Can't remember the exact names) I was convinced that there was a setting in there to change number of days of the rolling license but I couldn't afford to bugger anything up. It was fixed in the new version that we received on CD-Rom in the post a week or so later.

      4. Naselus

        "NOT a bug, IMHO."

        Don't be daft.

        The password prompt accepts any input. That's blatantly a bug. The fact that one needs to be logged in as an admin to exhibit the behaviour means it's not an attack vector, but doesn't mean that it isn't also an absurdly sloppy bug.

      5. Indolent Wretch

        They've put a password dialog in specifically to gate access to a sensitive area and for an admin user it doesn't work as intended.

        You could argue the dialog shouldn't be there but it is there and it's bugged.

      6. Grease Monkey Silver badge

        @DougS

        "Not a bug IMHO"

        So if it's not a bug it must be be there by design. Those are the only two possibilities. So you'really suggesting Apple created this feature deliberately?

        You must have an even lower opinion of Apple than I do.

        Or maybe you are so IT illeterate that you don't actually know what the word bug means.

  2. sanmigueelbeer
    Happy

    `tis a feature

    This is not a bug but an "undocumented feature".

    1. monty75

      Re: `tis a feature

      "You're clicking the button wrong"

  3. elDog

    So why pretend to have a security layer in this case if you don't?

    IDGAS about this issue but it's sort of like the case where you have a fake deadbolt above the normal locking door handle. Why bother?

    Security through deception?

    1. Sandtitz Silver badge
      Happy

      Re: So why pretend to have a security layer in this case if you don't?

      "Security through deception?"

      Fake security cameras. They usually have a battery powered led and are hard to tell from the real ones unless you're handling them (plastic and lightweight). I'm sure they have some effect on graffiti artists, vandals and thieves when prominently placed. Better than nothing I'm sure.

  4. Cynicalmark

    Ever since SJ went, in my opinion the quality and feel of Apple went further south. This and prior ‘features’ of last year just show how Corporate micromanaging is wrecking Apple.

    I am sure we have all been there -you have a reasonable deadline and some asshole in a tie with a sociology degree decides your deadline is moved forward a week because they made a yes man promise to the big guy, so he can impress the investors. So a week less testing and voila! You miss something. This gets spotted and the asshole comes back saying you should worship him as he saved your ass because it’s all your fault so fix it quick - you have a day and then pestering begins each hour like a kid in the backseat of a car.....are we there yet?

    Rinse &repeat

    1. agatum

      Ever since SJ went, in my opinion the quality and feel of Apple went further south.

      Agree completely. That guy is absolutely the only corporate exec I will ever truly miss.

    2. Dan 55 Silver badge

      There is also:

      - No dedicated OS X manager, after Snow Leopard the OS X manager left and both OS X and iOS were managed by the same manager.

      - No dedicated team, they are shared between OS X and iOS. iOS has more time and priority.

      - QA seems particularly bad and analysis of patches shows there are errors which should have been caught by automated test tools, meaning they don't seem to have them.

      - Beancounters throwing out stuff which made an ecosystem for their computers (e.g. XServe, Mac Mini server, routers).

      - Hardware designers have decided they have to use glue with everything and make it non-upgradable, probably again due to iDevice-isation.

      - Basically Macs are starved of resources. Hardware refreshes are few and far between and unimpressive, no ideas for OS X apart from iOS-ing it.

      1. Richard 12 Silver badge

        My assumption is that macOS won't exist in five years time.

        It doesn't make Apple much money directly, they'd much prefer it if it didn't exist and only iOS did.

        When they officially let iOS apps be developed under Windows, BSD or Linux, that's the end.

      2. sabroni Silver badge
        Facepalm

        re: Basically Macs are starved of resources.

        And yet Apple are sat on the biggest cash pile ever......

        1. EddieD

          Re: re: Basically Macs are starved of resources.

          Hasn't that mostly come since the launch of the iPhone and, more importantly, the App Store, and Apple's 30%?

  5. iDad-D

    What? Again? Really?

    I remember that I changed to Mac because every time I opened my PC there was a Windows Patch update daily AGAIN.

    Can the Author or any reader (who can read), name a single technological/digital item that is 100% unlockable when it’s unlocked?

    Q/. If I don’t lock a banana in my desk drawer when I walk away and I come back to find the banana has been hacked & is not there, is it...

    (A). Because someone opened my drawer and removed it, when I should have locked the drawer.

    (B). Because I needed a coffee

    (C). Because I should have put it in a ‘Window(s) Box’ instead (see what I did there? Huh? Oh my Mum would have been so proud.

    Anyway, I trust the Windows Surface carrying Nerd with a Tshirt of an Android robot peeing on an Apple (I always wondered who bought those), understands that my Mac is still more secure than his open source because I didn’t install Windows!

    Can anyone tell if he wound me up? Huh? Huh? Signing off now, need to get locks for my Windows, since they can be opened from the inside after I open the door to get in!

    PS: Your socks don’t even match and you live with your Mum.

    Done this time and feeling much better now.

    1. Spacedinvader
      Trollface

      Re: What? Again? Really?

      No, it's because, as you stated, you didn't lock a banana in the drawer. Why on earth would you expect one to be there when you got back?

    2. Simon Harris

      Re: What? Again? Really?

      If I'm feeling generous I might put the skin back in the drawer.

    3. Anonymous Coward
      Anonymous Coward

      Welcome to El Reg

      Where only the fools say anything positive about Apple and negative about Microsoft in the same post.

      You are more than welcome to the downvotes that your post gets as well as this one.

      That's life around here I suppose.

      Oh, and your handle does not help.

    4. Simon Harris

      Re: What? Again? Really?

      "need to get locks for my Windows, since they can be opened from the inside after I open the door to get in!"

      If your user name implies you have one or more progeny, inside locks on the windows might be a sensible idea if you don't want your children opening them and climbing out.

    5. David Nash Silver badge

      Re: What? Again? Really?

      What are you talking about?

      Clearly it's a bug because a password is requested and then ignored.

      "Can the Author or any reader (who can read), name a single technological/digital item that is 100% unlockable when it’s unlocked?"

      What does that even mean?

  6. iDad-D

    No! Really?

    I remember that I changed to Mac because every time I opened my PC there was a Windows Patch update daily AGAIN.

    Can the Author or any reader (who can read), name a single technological/digital item that is 100% unlockable when it’s unlocked?

    Q/. If I don’t lock a banana in my desk drawer when I walk away and I come back to find the banana has been hacked & is not there, is it...

    (A). Because someone opened my drawer and removed it, when I should have locked the drawer.

    (B). Because I needed a coffee

    (C). Because I should have put it in a ‘Window(s) Box’ instead (see what I did there? Huh? Oh my Mum would have been so proud.

    Anyway, I trust the Windows Surface carrying Nerd with a Tshirt of an Android robot peeing on an Apple (I always wondered who bought those), understands that my Mac is still more secure than his open source because I didn’t install Windows!

    Can anyone tell if he wound me up? Huh? Huh? Signing off now, need to get locks for my Windows, since they can be opened from the inside after I open the door to get in!

    PS: Your socks don’t even match and you live with your Mum.

    Done this time and feeling much better now.

  7. Mark 108

    It just works. For anyone.

    Wrong!

  8. AstroNutter

    Who said macs were more secure than Windows?

    Since 1995 people have been finding flaws in the Windows operating systems. Over the 20 years, lots of apple fans have said "OSX (macOS) is more secure than windows" my believe is this has been because Windows as the dominant operating system has been the target of pretty much every security researcher and hacker. Which make sense, as why bother trying to attack a minority of users when it's easier to make a single attack that will catch more computers out.

    However, in recent years Apple made it's comeback (fueled by the iPhone) this, combined with MS's blunders (windows vista, windows 8) has lead to an upsurge in popularity for Mac based computers. (I get why, as I have a couple of Mac's myself) Over the last few years Mac's have been getting more popular. When that popularity, so the eye's of the security researchers and the hackers have turned to bring these devices into their gaze. Whilst in years past it was true that you didn't need a virus scanner on a mac, this was mainly because no one bothered trying to exploit those machines. This is no longer the case and the mistakes that will have already been made and fixed by MS are likely to be coming to light in macOS.

    If Linux ever gets to the same popularity levels where it could be used by just about anyone (which I contest at the moment it can't, there's still things that prevent it from being used by the silver surfers and kids, I'm talking about the people who can barely find the power switch) this is when I'm fairly sure that some software blunders will come to light in that OS as well. The same can be said for just about any OS, large or small.

    Linux does have a few advantages, it's use in server environments for one. But just look at the world of IoT, alot of which are Linux based, so I wouldn't say they're fairing much better really.

    In summary, these things happen, and I call them growing pains. Just a shame that whilst Apple has extra time over MS, it seems they spent the time on Shiney bits rather than making sure the foundations are properly solid.

    1. Don Pederson

      Re: Who said macs were more secure than Windows?

      This old saw that Linux is too hard for normal users is mindlessly repeated and totally wrong. I know a bunch of old retired folks that use Linux and have far fewer problems due to the lack of malware messing up their systems. I have seen people moved from Win 7 to 10 have more problems than moving them from Windows to Linux. With a host of desktop options (KDE, Gnome, XFCE, LXE, Cinnamon, Mate, Enlightenment, etc.) there are excellent and easy to use Linux desktop distributions.

      1. Sandtitz Silver badge

        Re: Who said macs were more secure than Windows?

        "I know a bunch of old retired folks that use Linux and have far fewer problems due to the lack of malware messing up their systems."

        Do they install everything from repos or do they also download software packages from random sites?

        They old folks could just be restricted to the app store on Windows and be just as safe.

    2. Ian Joyner Bronze badge

      Re: Who said macs were more secure than Windows?

      "my believe is this has been because Windows as the dominant operating system has been the target of pretty much every security researcher and hacker."

      No, Windows has always been leaky bucket for security. Mac has always been based on more secure technology, even before Unix-based OS X came along.

      "Linux does have a few advantages, it's use in server environments for one."

      Yes, Linux is good for professionally-run and rarely updated server systems. But it should not be used as the basis for end-user systems. The reason is that MacOS is Mach based and thus compartmentalises functionality better, whereas Linux is monolithic and that is more of a problem for security. It makes tried-and-tested programs run faster, but in a user environment where apps are loaded from anywhere that is not good.

      "Apple has extra time over MS, it seems they spent the time on Shiney bits rather than making sure the foundations are properly solid."

      Completely wrong. Apple have very much spent a lot of time on solid foundations. As I said they decided on Mach, not Linux. It's just that the polished exterior are the bits you see. This short-lived password hole is at the upper levels, not down in the guts.

    3. Anonymous Coward
      Anonymous Coward

      Re: Who said macs were more secure than Windows?

      Kids are fine with Linux. Just point them at the new apps they need to use if they differ (Word, Excel whatever) or not if they're mainly on the browser and they just get on with it. Being at the more inquisitive and exploratory end of the age spectrum I very much doubt any GUI driven OS is going to inhibit them. Albeit on iOS, there's plenty of times they've enlightened me with a "did you know you can do this". How? Simply because they're willing to sit there and explore.

  9. Ian Joyner Bronze badge

    Yet another storm in a tea cup

    "although a damning indictment of Apple's quality control."

    Register overstates again. Seems it was quickly fixed and only on admin user codes which should never be used for normal work anyway. Anyone who has done software development knows it is not possible to test for everything. (Hence the need for the formal verification techniques that have long been dismissed by an immature industry as 'training wheels'.)

  10. Cynicalmark

    Features

    I think they are called ‘features’ in @pple, not bugs.

    Either way they cannot be expected to test everything can they? I mean if they did and it was flawless then nobody would have anything to write about, or complain about....the world would get very dull.

    Seriously aside you test, then someone else tests, then another test on top to test the tests -then a beta release to software ‘animals’ who are challenged to break it. Rewrite to close loop holes or vulns and repeat....rinse and dry then oh ffs I just cannot be serious. Whatever humans make, other humans can reverse engineer and break.

    I love Apple and also MS, Linux and older systems and their flawed OS....the more features the better - gives me (&you) a job to do- and staves off the inevitable senility...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like