The Jerusalem Post

Bangalore man discovered Apple’s major security bug two weeks before anyone else

By SEUNG LEE

Chethan Kamath is a former patent attorney in Bangalore, India, who is learning to code during what he calls his midlife crisis.

But for some Apple fans from around the world, he’s now something of a cult hero.

On Nov. 13, two weeks before anyone knew who he was, Kamath posted on Apple’s developer forum what he thought was a helpful solution for restoring administrator access on a MacBook running the new High Sierra operating system. Kamath found the solution – he said he read it on a forum he can’t remember – of typing “root” into the “Users & Groups” preferences login page with no password to acquire near-instant administrative access.

“It was late in the night, it was pure frustration, and I tried it out and bam, it worked,” said Kamath, who in Apple forums went by his username chethan177. He said in a videoconference interview that he sincerely thought this “root” access was a High Sierra feature.

(The original forum thread now appears to be locked, needing an Apple ID and password to view.)

He did not know it was a security bug of major proportions for all Mac owners with High Sierra.

Turkish developer Lemi Orhan Ergin posted the issue on Twitter – five days after his staff privately alerted Apple, according to his blog post. The issue blew up in a matter of hours, and Apple scrambled to release a security fix in less than 24 hours with a rare apology.

“Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS,” Apple said in a statement.

Meanwhile on social media, Apple fans began talking about who this chethan177 was and how he discovered the bug two weeks before anyone else.

On Reddit, people began speculating who chethan177 might be.

“I am both laughing with tears in my eyes and so impressed by how he has no idea of the gravity of what he’s describing,” wrote one commenter.

“I like to imagine that this guy is the most brilliant hacker of all time, capable of manipulating any computer in the world, and just forgot that breaking into a computer without a password isn’t something you’re normally supposed to be able to do,” wrote another commenter.

For the record, Kamath said no, he is not some elite hacker. He has just picked up coding and Swift, Apple’s in-house coding language, because he wanted to figure out something else he could do after taking a sabbatical after years as a patent attorney.

“It didn’t occur to me someone can get into my laptop using the bug,” Kamath said. “I saw the news travel really fast. I thought I did something damaging but then it hit me how serious this was.”

Kamath said Apple never got in contact with him before or after his Nov. 13 post and that he received no bug bounty for discovering it. He was pleased about how quickly Apple responded with a fix.

He said he’s just happy he has been able to receive credit for the bug but none of the scrutiny other cybersecurity experts such as Orhan faced after they made the bug public.

“I think I’m glad in a way I was ignorant about the issue,” Kamath said. “It feels good to sit in the back and see what’s happening.”

(Dreamstime/TNS) THE APPLE COMPUTER logo appears on an Apple Store in Munich.
