This is a stupid oversight. What it essentially is, is that it has always been an ability of an Administrator User to create a ROOT USER but it should not allow that event to occur without also requiring the input of a password before enabling the Root capabilities.
Creation of normal users can occur without passwords, but this one should NOT ever be allowed without a password and in the past it has been required for this. Apparently, someone was working on this and disabled to forced PW and it did not get re-enabled in the release. The good news is that it requires an Administrator level user to create a Root user, and also physical access to the computer.
It’s an easy fix, and Apple will be pushing out an update that will address it very quickly by returning the password requirement.
Someone will be fired.
Creation of normal users can occur without passwords, but this one should NOT ever be allowed without a password and in the past it has been required for this. Apparently, someone was working on this and disabled to forced PW and it did not get re-enabled in the release. The good news is that it requires an Administrator level user to create a Root user, and also physical access to the computer.
Its an easy fix, and Apple will be pushing out an update that will address it very quickly by returning the password requirement.
Well, as long as they don't hire John Podesta...or the Awan brothers.
Yes, its stupid, but its more than an oversight.
First, someone (presumably an engineer debugging something) disabled a security feature, but they failed to revert it when they were done, and they committed the change to the source repo. Well, thats bad. But sh*t happens, bad commits do happen. It was not terrible at this level it should have gotten caught and corrected at the next level.
Then at the next level, whoever was supposed to review commits missed it. Thats worse than the original mistake. The error became considerably worse because now its assumed to be okay.
Then the error was built into the release, and QA failed to test for it. This is egregious. QA shouldnt have to find this kind of error you cant test software until it works. But even so, this wasnt a difficult bug to exercise, if you have the resources of Apple. My God, theyve got hundreds of QA people, theyve got automated testing setups. But still, QA didnt find it.
More than an oversight. This was a systemic failure of the first order.
BTW, Ive done professional industrial strength software testing since the late 1970s, so I get to be a little righteous about this one. Im very disappointed in Apple and I expect them to fire a few people over this.