This feels a little bit like a naughtily published zero-day exploit.
I'm disappointed the post doesn't mention any appropriate disclosure to Apple prior to publication. Sure, it's not an outright crack of the shadow password algo, but this vector could still be used in damaging ways.
Compensation is irrelevant - if you bothered to sniff around a specific vendor's security and you discover an exploit then you really should disclose it. Such is the lore of white-hatism.
Sure many don't do the above, but the OP author is presenting himself as white-hat/legitimate.
And as informed users, we should consider carefully giving our business to vendors who don't go out of their way to encourage private disclosure --- a zero-day on a vendor is a zero-day on all of its customers.
Sorry, but no. Compensation is highly relevant. Do you work for free? Or do you just not consider security research to be worth anything?
Although there are various opinions on the best way to disclose bugs, your view of what it means to be "whitehat/legitimate" is not actually consistent with the infosec industry, so please do not misuse the terms to throw judgments at others.
We can easily spin it the other way too after all - one could say that the largest, most profitable company in the world has a moral obligation to compensate those that are protecting their users where they failed to.
Yes, I do work sometimes for free - it's called Open Source - and sometimes I see my labor implemented into commercial projects. That's fine by me. I take from the well more than I give to it.
I entirely agree that Apple should be compensating those that disclose exploits appropriately - I didn't say otherwise. But if you have a status quo where a vendor won't compensate and you have a zero-day opportunity, I say the appropriate thing is to inform the vendor first anyway (you can always disclose publicly if you get no response). I fight for the user and all that.
Disclosing it publicly as a zero-day doesn't make you any money anyway.
Full disclosure is the only responsible sort of disclosure.
Apple, like Microsoft, has the tendency to sweep things under the rug when they feel it is unlikely the situation will become public. The only way to correct this behavior is release what you find to the public and as fast as possible.
TL;DR of the above link: "[responsible disclosure] is like full disclosure, with the addition that all stakeholders agree to allow a period of time for the vulnerability to be patched before publishing the details"
Not really. There's no privilege escalation. You can only change a user's password if you're already logged in as that user. That's bad, but it's only going to happen if you literally walk away from a terminal and someone else sits down.
How? The problem he mentions at the end of the post only applies to the currently logged-in account. If you can change root's password, then you're already root, and don't need to change root's password to gain access.
"Like I said, it's not good, but it's not what I would call a "security hole" because there is no escalation of privilege."
Doesn't the end of the article suggest that without admin access, you could just reset the password for any admin user, then be able to log in as them? Sounds like priv escalation to me.
Edit: Actually, reading further comments, it seems you can only reset the password of the currently logged in user without reauthentication, so you can only get admin privs if you've already got a console with admin privs. I'm wrong.