Meet the man who accidentally discovered Apple’s major security bug two weeks before anyone

Chethan Kamath is a 35-year-old man and former patent attorney in Bangalore, India, who is learning to code amid his self-described midlife crisis.

But for some Apple fans from around the world, he’s now something of a cult hero.

On Nov. 13, two weeks before anyone knew who he was, Kamath posted on Apple’s developers forum on what he thought was a helpful solution to restore administrator access in one’s Macbook with the new High Sierra operating system. Kamath found a solution — he says he read it on a forum he can’t remember — of typing in “root” in the “Users & Groups” preferences login page with no password to acquire near-instant admin access.

Chethan Kamath’s post on November 13 about the “root” bug on Apple’s developer forum. (Courtesy Seung Y. Lee)

“It was late in the night, it was pure frustration, and I tried it out and bam, it worked,” said Kamath, who in Apple forums went by his username chethan177. He told this news organization over a Skype interview he sincerely thought this “root” access was a High Sierra feature.

(The original forum thread now appears to be locked, needing an Apple ID and password to view.)

Little did he know this was a security bug of major proportions for all Mac owners with High Sierra.

On Tuesday, Turkish developer Lemi Orhan Ergin posted the issue on Twitter — five days after his staff privately alerted Apple, according to his blog post. The issue blew up in a matter of hours, and Apple scrambled to release a security fix in less than 24 hours with a rare apology.

“Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS,” said an Apple spokesperson in a statement on Wednesday morning. “We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better.”

Get tech news in your inbox weekday mornings. Sign up for the free Good Morning Silicon Valley newsletter.

Meanwhile on social media, Apple fans began talking about who this chethan177 was and how on Earth he discovered the bug two weeks before anyone else.

On Reddit, people began speculating who chethan177 might be.

“I am both laughing with tears in my eyes and so impressed by how he has no idea of the gravity of what he’s describing,” wrote one commenter.

“I like to imagine that this guy is the most brilliant hacker of all time, capable of manipulating any computer in the world, and just forgot that breaking into a computer without a password isn’t something you’re normally supposed to be able to do,” wrote another commenter.

For the record, Kamath says no, he is not some elite hacker. He has just picked up coding and Swift, Apple’s in-house coding language because he wanted to figure out something else he could do after taking a sabbatical after years as a patent attorney.

Chethan Kamath lives in Bangalore, India. (Courtesy Chethan Kamath)

“It didn’t occur to me someone can get into my laptop using the bug,” said Kamath. “I saw the news travel really fast. I thought I did something damaging but then it hit me how serious this was.”

Kamath says Apple never got in contact with him before or after his Nov. 13 post and that he received no bug bounty reward for discovering it. He was pleased about how quickly Apple responded with a fix.

He says he’s just happy he has been able to receive credit for the bug but none of the scrutiny other cybersecurity experts such as Orhan faced after they made the bug public.

“I think I’m glad in a way I was ignorant about the issue,” said Kamath. “It feels good to sit in the back and see what’s happening.”

Photo: An Apple employee points to the Touch Bar on a new Apple MacBook Pro laptop during a product launch event on Oct. 27, 2016 in Cupertino. (Stephen Lam/Getty Images)


Tags: , ,


Share this Post