
Am I missing something or does this require the attacker to have access to an unlocked computer? In which case all bets are off anyways.


It requires the attacker to be able to type a few characters into a logged in session. If the session is not an administrative one, it's not fair to say all bets were off.

If I give you a Mac logged in with an unprivileged account and you can use only the keyboard and mouse to gain root access, the security has failed.

I think you've conflated this with the attacker having (full) physical access to the machine, which conventionally means access to its ports and perhaps a screwdriver. This is not that.


Fair point, if that works with a guest account.

I was thinking along the lines of, if I have write access to your .bashrc (or a multitude of other config files that you as an unprivileged user have write access to, and can be used to trick you later into running code of my choosing), all bets are off.


It works remotely if remote login is enabled.

edit: Screen sharing is vulnerable, not ssh. Either way it's bad.


No it does not. I tested this rather carefully, and both ssh and screen sharing do not allow the user root with no password.


I have not been able to trigger this with ssh, but certainly have been able to with Screen Sharing, even after explicitly re-disabling the root account.


nope. you can log in at the login screen, it creates a new root admin user


Missed that part in the text, thanks.

Yikes!


an unlocked computer, or:

* a computer with remote login enabled

* a computer with the main login screen set to "username and password" mode

* a computer with a guest account


The 'attacker' could be someone like your 12 year old son or an employee, who already has access to the computer but not necessarily everything on it at all times.

This would have been a pain for me when I was using parental restrictions to lock a 12 year old out of 18 hour a day Minecraft.


>In which case all bets are off anyways

How are all bets off if they don't have access to a root user? This isn't Windows we're talking about.


If they have access to the account that is being used normally, they can modify the (user-accessible) settings to trick the user into running malicious code and giving them access (or causing trouble even without access to the root account).


If you lose physical control over the machine, all bets are off because an attacker can modify the hardware to do nefarious things.


I know the theory, but practically there's a huge difference between that type of physical access and "the victim left the room to go to the bathroom for 2 minutes" type of physical access


ok, sure, but in practice that is pretty unlikely.


What if it's a stolen laptop with an encrypted hard drive?



