
Meet the man who accidentally discovered Apple’s major security bug

Chethan Kamath is a 35-year-old former patent attorney in Bangalore, India, who is learning to code in the middle of a self-described midlife crisis.

Photo of Chethan Kamath, of Bangalore, India. (Courtesy Chethan Kamath)

But to some Apple fans from around the world, he’s now something of a cult hero.
That’s because Kamath unwittingly exposed a major security vulnerability that affected all Mac owners using the latest High Sierra operating system. And he did it right under Apple’s nose, on its developers forum website — more than two weeks before Apple issued a software update to patch the security bug.
Kamath, in a Skype interview from Bangalore, told this news organization that he initially thought he was offering a helpful tip on the Apple forum. In his Nov. 13 post, he provided a simple method people could use to restore administrative access to a MacBook — without needing a password.
Kamath had lost admin access to his own MacBook when he changed his Apple ID. He found the solution, which he said he read on a forum he can’t remember: typing “root” with no password in the “Users & Groups” preferences login page, which granted near-instant admin access.
“It was late in the night, it was pure frustration, and I tried it out and bam, it worked,” said Kamath, who in Apple forums goes by his username chethan177.
He said he sincerely thought the “root” access he’d found was a High Sierra feature. (The original forum thread now appears to be locked, and can only be accessed with an Apple ID and password.)


About two weeks after Kamath’s post, Turkish developer Lemi Orhan Ergin raised the issue on Twitter — five days after his staff had privately alerted Apple to the security flaw, according to his blog post. The issue blew up in hours, and Apple scrambled to release a security fix within 24 hours, along with a rare apology.
“Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS,” said an Apple spokesperson in a statement last week. “We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better.”
Apple fans began talking about who this chethan177 was and how on Earth he discovered the bug two weeks before anyone else.
“Would be interesting to know how ‘chethan177’ came to know that!” tweeted @FergusInLondon.
“Shout out to this dude chethan177 dropping zero day like he don’t care,” tweeted @KenZL.
On Reddit, people began speculating about who chethan177 might be.
“I am both laughing with tears in my eyes and so impressed by how he has no idea of the gravity of what he’s describing,” wrote one user.
