Oh, wow - I've reported this problem along with an example exploit to Apple about 6-7 years ago. Never got any recognition for it, but it was fixed some time after that. It's quite sad to see old bugs getting new lives like that.
For those interested, the sample exploitation that I've discovered was connecting any iPod/iPhone device to an OSX laptop while screen was locked was taking the focus away from login prompt 'into' the system, where iTunes was gaining it and from there it was just few OS level keyboard shortcuts from gaining network access to the system, while still locked: launch finder, go to tools folder, launch terminal, launch `nc` in the terminal to get the access via network. Lots of blind typing but it worked more times than not.
Hah. I've reported a similar issue with attaching an iDevice to a locked Mac in 2014. In my case, iTunes was opening a new space to restore its window in fullscreen mode, and the desktop contents were revealed while the animation was running (the lockscreen reappeared afterwards). Now I'm disappointed that I didn't try to get keyboard input into the system and fully pwn myself :)
I've seen enough regressions with enterprise stuff that I've wondered what their testing looks like. Of course they've always neglected the enterprise so I gave them the benefit of the doubt about the OS as a whole but now I'm starting to wonder.
With no disrespect to the developers at Apple, et al, each one of these problems that goes viral before reaching “proper” channels is a well-deserved slap in the face of these behemoth organizations.
Perhaps, if the entire tech community regards Apple as a joke, they will start paying attention.
“Responsible disclosure” is great stuff for creating a culture of free outsourcing of tech companies’ most important feature (security) to the same people that paid those companies thousands of dollars for that privilege.
Responsible disclosure is about preventing the bug from being exploited before it can be fixed. Knowing about this bug doesn't help me compromise someone else, but it does help me avoid getting compromised.
"With no disrespect to the developers at Apple, et. al., each one of these problems that goes viral before reaching "proper" channels..."
s/that goes viral before reaching \"proper\" channels//
The fact that the problems existed to begin with is more troubling than whether they became known outside the company or not. IMO.
With an open source UNIX-like OS (like the ones Apple sourced from for parts of macOS), both the developers and the users can watch the commits as they happen. Developers and users anywhere can choose to watch the commits and may be able to detect a series of poor quality ones. At least they can make informed decisions on the relative merits of changes from one version to the next. (Edit: They might choose not to compile or install certain components. I do not use X11. Nor do I use systemd.)
The fact that development of macOS is hidden from those outside Apple and that problems are protected from "going viral" does not make the problems any less of an issue for macOS users.
The issue is not how fast and secretively they fix problems, it is how many problems their developers are introducing into the existing version to begin with.
If there are problems routinely being introduced then no amount of fixing after the fact and behind the scenes is going to make the OS higher quality. Only due care taken before introducing changes will guard against further deterioration of quality level.
(Edit: The mention of open source is not intended to be interpreted as an argument that open source inherently results in better software. Perhaps skill and attention to detail are at cause. This is a debate worth avoiding.
The relevance of the mention of open source is intended to suggest that detecting and avoiding problematic software may be easier for some users, e.g. yours truly, if they can access the source code. As opposed to hoping that Acme Hardware and Software Corporation will quickly and secretly fix all software problems that slipped through their QC procedures. Too late for the user who has already paid for the software and updated to the new version. That argument should not be too controversial.)
> “Responsible disclosure” is great stuff for creating a culture of free outsourcing of tech companies’ most important feature (security) to the same people that paid those companies thousands of dollars for that privilege.
Also "Responsible disclosure" means absolutely nothing to most people who are not security researchers. They don't know about it, even if there is a bounty and they could make a decent profit, they have no idea what those things are. They notice they can get root access or the focus sends their password to Slack and they'll tweet about it.
We do regard them as a joke, Apple is for you non-techies that like cool stuff and don't care about being overcharged for a metal case .... how many iPhones have broken screens.
Apple customers don't care about the tech, they care about cool. This is what Steve Jobs and Apple have branded themselves on, so that's what you get, cool without good tech. And it won't matter because that is not the reason people buy Apple.
Tech community doesn't care about Apple, but the engineers will happily take their money to work on their products. If Apple falls, programming and computing will go on happily and at least we won't have to build overpriced products for a bunch of children to take selfie shots that don't care 2 cents that they have a technical marvel in their hands.
Not to pile on, but my MBP (with "TouchBar" which will assuredly not exist in another year) is always in clamshell mode and connected to two external LG 4K displays. Whether, on which screen(s), or in what state the Mac wakes each morning is completely random. Sometimes it doesn't wake at all. Sometimes I have artifacts on one screen and a desktop on another screen. The sleep/wake sequence is a complete mess, and it doesn't surprise me that the focus might sometimes be on apps running in the user session behind the lock screen.
Wow, I have a similar issue. I have an Acer 4k monitor at home with both HDMI and Display Ports. I used to use HDMI before to connect it to my 15inch 2016 MBP, and the mac used to crash very often. Close the mac, and connect the dongle with hdmi? crash. So I'd have to restart the mac, and connect the monitor while keeping it open, and then close. But once I disconnect the monitor - crash.
I then got a usb c/thunderbolt to display port for 4k 60fps, and the issues significantly dropped, but it still occasionally happens.
Same problems as you, but I disagree on the touchbar. It’s one of the better things Apple has added recently.
But holy hell do they need to work on their external monitor support. Yesterday I had one of my monitors randomly go black for a second. I’ve had audio over usbc just not show up anymore and it refusing to see my gigabit ethernet when waking up unless I unplug the actual ethernet cable. Simply amazing this passed their QA - and I'd find it hard to believe no one at Apple uses clamshell mode with two monitors.
FWIW this is a known security bug at Apple. I filed a bug about similar behavior where you can see the desktop briefly without logging in. Apple marked it as a duplicate. https://imgur.com/YxXtU2y
Here are the steps to reproduce:
- Start Mac
- Login
- Turn on Screen Lock: System Preferences > Security > General > Check "Require Password" and Select 5 Seconds.
- Turn on Hot Corner Sleep Display: System Preferences > Mission Control > Hot Corners > Select upper left > Put Display to Sleep > Ok
- Attach external monitor
- Activate hot corner by dragging mouse to upper left corner of screen
- Wait 6 seconds
- Click the mouse to trigger waking the screen
- See brief flash of the desktop without logging in!
So, Apple has the most available cash resource of any company out there (or at least close to). Yet, bugs galore, and strange product decisions. The obvious conclusion is that their management is failing to staff accordingly to the work that needs to be done. This could be because they are not aware that work needs to be done, which means engineers are not telling them, or that the management is not succeeding in hiring enough people to do the jobs.
My gut instinct says that some former people at Apple used to do a lot of undocumented QA work and sanity checks, and that as the company has grown and changed, nobody picked up the slack when they left. Now, they'll have to go through a formal process of re-identifying QA steps that need to exist, and hiring against them. It's been a hell of a month for them, though.
It means money is not everything. Yet for some reason people seem to think the most expensive stuff is the safest, nicest and the best one. Like they are buying trust or what..
I did something similar too - I was typing in the password while the Mac was being unlocked by the watch using that unlock-with-the-watch feature.
I was used to hammering return a few times to wake the machine up, then typing in the password, then hitting return again.
The few times I hammered return woke the machine, the watch unlocked the mac and the password plus the return key went into the app that had focus which for me also was Slack.
Is it possible that this user had the same thing happen to them? When I disable the watch unlocking, I can't make the password go anywhere but into the login screen (10.13.1 here with last week's security update applied)
Original Poster replied to my tweet where I asked him if he has an Apple Watch:
>Hey Tonny. No I don't have an Apple Watch so it's not related. I did connect an external screen before opening the MBP though, so maybe it's related to that?
Note that I can't reproduce it, happened only once so it must be a shady bug.
Because of the short delay between waking the Mac and the display lighting up, I always either use spacebar or command key, or click the trackpad/mouse a couple times to wake.
Hmm, the "Unlocking with Apple Watch..." sequence breaks when you hit a key and then displays the standard password field, so that you can type in your password instead. This seems really unusual.
These lock screen issues go back further than 10.13, I believe it was 10.10 or 10.11 my child was able to bypass the lock screen by mashing on the keyboard while the screensaver was fading out the login dialog.
I witnessed it. I was not able to reproduce it in 10-15 minutes of testing. She did NOT type in the password. Just banging on the keyboard, playing with the screensaver.
Lock screens are harder than they first appear: www.jwz.org/xscreensaver/toolkits.html (Which, you'll note, mentions this exact failure case in the "Transfer Grabs?" section.) There's some X-specific stuff in there, but there's a lot of general issues in there, and with just a bit of imagination most or all of the X-specific issues can be seen as general issues as well.
Sadly, he also is fighting against the only solution to this issue.
There has been work to solve this by registering the session, compositor, and screen locker each with the session manager.
If the screen locker (which now can use any toolkit) crashes, the session manager can try to restart it. If it fails again, it just displays "your unlocker has crashed. To unlock this session, open a tty, login, and type `loginctl session-unlock`"
This solves all the issues, but he (and many others) have been fighting against systemd for a while (which fixes this, and so many other issues, which no competing project ever handled)
See the problem is that they don't have to be. An architecture where the screenshield must be a client to the display server like any other application is terrible design and largely an X-ism rather than something fundamental.
Left Slack open with focus, allowed MBP to sleep, woke with space bar, login field had focus, tried with closing lid and opening while Slack was open and focused, again password field functioned as it should, unable to reproduce, macOS 10.13.2
Difficult to reproduce, can be when we lock the session, close the macbook, plug a second screen and re-open. Or in another order. Personally I remember not having the focus on the password input by opening my MacBook one time, I often plug and unplug screens.
I often wonder how many authentication log files contain passwords because people in a hurry append it to the username on accident (not visually confirming the Tab/Enter/switch to the password entry).
This is also vaguely similar to the 'test SSL submit' security technique of first entering enough data into login forms to process a submission, and then entering real login info into the 'login failed' retry page after verifying SSL. This has lost some of its luster as non-SSL form submission has fallen out of wide usage.
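The concern raised above, a password appended to (or typed instead of) the username and then written to an authentication log, can be checked for after the fact. The following is an added example, not part of the original comment: it assumes OpenSSH-style `sshd` syslog lines, and the sample log, the 60-second window and all function names are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sshd-style syslog lines (not taken from any real system).
SAMPLE_LOG = """\
Dec  8 09:14:02 host sshd[311]: Failed password for invalid user aliceTr0ub4dor&3 from 10.0.0.5 port 50122 ssh2
Dec  8 09:14:09 host sshd[311]: Accepted password for alice from 10.0.0.5 port 50122 ssh2
Dec  8 09:20:41 host sshd[340]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2
Dec  8 09:31:10 host sshd[402]: Failed password for invalid user bobhunter2 from 10.0.0.9 port 51000 ssh2
Dec  8 09:31:18 host sshd[402]: Accepted password for bob from 10.0.0.9 port 51000 ssh2
Dec  8 09:40:00 host sshd[455]: Failed password for invalid user oracle from 10.0.0.9 port 51044 ssh2
Dec  8 09:52:30 host sshd[470]: Failed password for invalid user S3cret!pass from 10.0.0.12 port 51900 ssh2
"""

# Greedy user group: the *last* " from <ip> port <n>" ends the name, so
# mistyped "usernames" containing spaces are still captured whole.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<kind>Failed password for invalid user|Accepted password for) "
    r"(?P<user>.+) from (?P<ip>\S+) port \d+ ssh2$"
)
# Conventional POSIX account-name shape; anything else is unlikely to be a login name.
ACCOUNT_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def parse(log):
    """Return login events in file order; unrelated lines are skipped."""
    events = []
    for no, line in enumerate(log.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; a fixed one is assumed for time deltas.
        ts = datetime.strptime("2000 " + " ".join(m["ts"].split()),
                               "%Y %b %d %H:%M:%S")
        events.append({"no": no, "ts": ts, "ip": m["ip"], "user": m["user"],
                       "ok": m["kind"].startswith("Accepted")})
    return events


def find_leaks(log, window=60):
    """Return (line_no, reason, real_username) for probable password leaks."""
    events = parse(log)
    leaks = []
    for i, ev in enumerate(events):
        if ev["ok"]:
            continue
        reason, keep = None, ""
        # Signal 1: same source logs in successfully shortly afterwards as a
        # user whose name is a strict prefix of the failed "username".
        for later in events[i + 1:]:
            if (later["ts"] - ev["ts"]).total_seconds() > window:
                break
            if (later["ok"] and later["ip"] == ev["ip"]
                    and ev["user"].startswith(later["user"])
                    and len(ev["user"]) > len(later["user"])):
                reason, keep = "username+password", later["user"]
                break
        # Signal 2 (weaker, heuristic): the string cannot be an account name.
        if reason is None and not ACCOUNT_RE.match(ev["user"]):
            reason = "not an account name"
        if reason:
            leaks.append((ev["no"], reason, keep))
    return leaks


def redact(log, window=60):
    """Return the log with suspected password material replaced."""
    lines = log.splitlines()
    for no, _reason, keep in find_leaks(log, window):
        m = LINE_RE.match(lines[no - 1])
        lines[no - 1] = (lines[no - 1][:m.start("user")] + keep
                         + "<redacted>" + lines[no - 1][m.end("user"):])
    return "\n".join(lines)


if __name__ == "__main__":
    print(redact(SAMPLE_LOG))
```

The second signal will also flag some scanner noise, so treat its hits as candidates for review; any account whose password is confirmed to have reached a log should have that password rotated.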
Say what you want about Windows, but no amount of sneakery can steal input focus from Winlogon window station (yes, there's a separate kernel object for that in NT/Win32K).
This has been a very sporadic issue that I've seen once or twice per year at most, for quite a while with OS X - somehow, another window is able to steal focus from the login screen. I've never been able to reproduce it reliably or find a common element in all of the times it has happened, but it definitely has happened to me and I've also seen co-workers dropping their login password in a chat window due to this. But it is pretty rare, so hard to pin down.
I've also noticed another thing happening more lately - locking the screen, only to have it automatically unlock itself a second or two later. I always have to make sure it actually stays on the screensaver for a few seconds before I trust it will actually lock.
I'm really bothered. While I had relatively no issues with the fresh OS X update, I'm having a hard time with the iPhone 7 and the new iOS that is supposed to run their flagship device: iPhone 10.
While most of the bugs have disappeared with the recent update, there are still some minor ones that really piss me off: Screen freezing unresponsively for 30-60 seconds before things get back to control; and music playing randomly (happened a few times. Everything calm. Boom, music starts to play).
I'm pretty sure this mess wasn't here before the update to iOS 11.
Edit: Just found there is a new update. Let's see if they are getting their shit together this time.
Although this bug still sucks, the class of problems of pasting passwords into chat may have a simple, worthwhile, and general solution. A colleague at a former company always changed the key bindings in his IRC/Jabber client to include a control key with Return for sending a message. Does Slack have this option?
I also typed my apple id password to my peer, not into chat, but into another mac in the same room. Mac keyboards can disconnect and connect to wrong devices if used with them once.
That specific setting was: my keyboard was used to set up his mini, mini was turned off and on later. My keyboard, already properly reconnected to my mac at that time, disconnects on timeout (or for whatever reason it does that a few times a day). Mini “grabs” my keyboard when it goes back on air. I wake my sleeping mac via trackpad and try to type my password into focused password field. Non-obviously, no characters appear on my screen.
Definitely done that before. Sent my password through Messages to a friend. After that, I learned to keep the finder or a web browser as the thing in focus before I lock my computer.
Last week I was resizing a window in High Sierra, and I noticed that the Chrome app in the background was also scrolling. That was completely unexpected. It's long been the case that the window doesn't need to be on top for this behavior, but in this case it wasn't just a focus issue, it was that I was in resize mode. Completely jarring when it happened, but seems related.
[+] [-] tachion|8 years ago|reply
[+] [-] zelos|8 years ago|reply
[+] [-] gurkendoktor|8 years ago|reply
[+] [-] brazzledazzle|8 years ago|reply
[+] [-] yeukhon|8 years ago|reply
Any proofs? Perhaps you can demand a bounty payout or sue them ignoring!
[+] [-] gonational|8 years ago|reply
[+] [-] daveFNbuck|8 years ago|reply
[+] [-] mholt|8 years ago|reply
Responsible disclosure is more or less earned as your resources go to infinity.
[+] [-] feelin_googley|8 years ago|reply
[+] [-] rdtsc|8 years ago|reply
[+] [-] monochromatic|8 years ago|reply
[+] [-] jagermo|8 years ago|reply
They didn't even include it into the big bounty, did they?
It feels like they don't give a shit about non-iOS-devices.
[+] [-] throwawaymanbot|8 years ago|reply
[deleted]
[+] [-] j4ship|8 years ago|reply
[+] [-] malchow|8 years ago|reply
[+] [-] pixelHD|8 years ago|reply
[+] [-] dawnerd|8 years ago|reply
[+] [-] 1_2__4|8 years ago|reply
[+] [-] alex-|8 years ago|reply
I invested $15 in stay https://cordlessdog.com/stay/
I would not say the problem is solved (it's not going to solve artifacts, etc), but it helped me.
[+] [-] y3sh|8 years ago|reply
[+] [-] abakker|8 years ago|reply
[+] [-] joeblau|8 years ago|reply
- Very good
- Wants to live near Palo Alto
- Is able to live in the US
- Wants to be subjected to Apple's privacy rules
- Wants to work on fixing bugs instead of making new features
In the software engineering game, money only goes so far.
[+] [-] k3a|8 years ago|reply
[+] [-] pilif|8 years ago|reply
[+] [-] TonnyGaric|8 years ago|reply
See https://twitter.com/BenoitLetondor/status/939164367962148864
[+] [-] geerlingguy|8 years ago|reply
Return is a dangerous key!
[+] [-] TonnyGaric|8 years ago|reply
[+] [-] unknown|8 years ago|reply
[deleted]
[+] [-] Domenic_S|8 years ago|reply
[+] [-] nerpderp83|8 years ago|reply
[+] [-] drunken-serval|8 years ago|reply
[+] [-] jerf|8 years ago|reply
[+] [-] kuschku|8 years ago|reply
[+] [-] dwyerm|8 years ago|reply
[+] [-] Spivak|8 years ago|reply
[+] [-] striking|8 years ago|reply
[+] [-] unknown|8 years ago|reply
[deleted]
[+] [-] Dotnaught|8 years ago|reply
[+] [-] fofolo|8 years ago|reply
[+] [-] cjensen|8 years ago|reply
I've seen similar behavior when switching users. The full-screen password entry login comes up, but focus is still on regular apps.
[+] [-] j_s|8 years ago|reply
[+] [-] 05|8 years ago|reply
[+] [-] suresk|8 years ago|reply
[+] [-] csomar|8 years ago|reply
[+] [-] runjake|8 years ago|reply
It wasn't Slack-specific as I've only started using Slack recently.
[+] [-] lloydde|8 years ago|reply
[+] [-] rst|8 years ago|reply
[+] [-] wruza|8 years ago|reply
[+] [-] rickyc091|8 years ago|reply
[+] [-] noahdesu|8 years ago|reply