A Swedish Hacker Discovers a “Rootpipe” Security Hole in OS X Yosemite

A Swedish white-hat hacker has discovered a privilege escalation vulnerability in Apple's latest operating system, OS X Yosemite. Rootpipe bypasses password authentication, allowing an attacker to take full control of the system. So far Apple has not acknowledged the flaw in its newest OS.

A Swedish white-hat hacker unearthed a privilege escalation vulnerability in Apple's latest operating system, OS X Yosemite, that lets an attacker take full control of the machine without entering an administrator password.

The vulnerability, dubbed "Rootpipe", gives an attacker root access, the highest privilege level on the machine, without password authentication, says Emil Kvarnhammar, a security researcher at the Swedish firm Truesec who discovered it. Rootpipe affects the latest release, OS X 10.10, for desktops and laptops, which shipped last month.

“It all started when I was preparing for two security events, one in Stockholm and one in Malmö,” Kvarnhammar told Macworld. “I wanted to show a flaw in Mac OS X, but relatively few have been published. There are a few ‘proof of concepts’ online, but the latest I found affected the older 10.8.5 version of OS X. I couldn’t find anything similar for 10.9 or 10.10.”

Finding no published proof of concept for 10.9 or 10.10, Kvarnhammar turned to the newest release, the most likely place to find an unpatched, zero-day flaw. "I started looking at the admin operations and found a way to create a shell with root privileges," he says. "It took a few days of binary analysis to find the flaw, and I was pretty surprised when I found it."

Kvarnhammar declined to divulge the technical details of the flaw until Apple acknowledges the bug. He did reveal that Rootpipe bypasses the password authentication that normally separates an administrator from root. "Normally there are 'sudo' password requirements, which work as a barrier, so the admin can't gain root access without entering the correct password. However, rootpipe circumvents this," he said.

Kvarnhammar reported the vulnerability to Apple, which, as is its habit with unpatched security issues, has not publicly acknowledged it. "In our dialogue with Apple, we agreed on a date for full disclosure. After this date, we can talk about exactly what we found," he said, adding that full disclosure is set for mid-January 2015. "This might sound like a long wait, but hey, time flies."

Meanwhile, with no patch available, protection comes down to limiting what an attacker gains. Kvarnhammar recommends enabling FileVault, Apple's full-disk encryption, which renders the data on the drive useless to anyone without the decryption key. Note that this protects data at rest, not a running, unlocked machine; it does nothing to stop a privilege escalation once the attacker has a foothold in your session. "This is a great way of protecting your data, especially if your computer gets stolen," he says.

More importantly, reducing the privileges of the account you use every day limits the impact of a successful attack. Kvarnhammar suggests creating a second account with administrator privileges and then removing administrator rights from the account you use daily. That way, an attacker who takes over your day-to-day account starts as a standard user, with no administrator rights to escalate from.
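The following script, added here as an illustration and not code from the article or from Truesec, audits a Mac for the two mitigations above: FileVault enabled, and the current account not a member of the local admin group. It uses the real macOS commands `fdesetup status` and `dscl . -read /Groups/admin GroupMembership`; the parsing of their output is kept in separate functions so it can be exercised with constructed sample text on any POSIX shell, while the live checks run only where those tools exist. The sample output strings embedded below are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the article): audit a Mac for the Rootpipe
# mitigations recommended above. Parsing functions take command output as
# their first argument so they run anywhere; only audit_local touches the
# real macOS tools, and it skips itself when they are absent.

# Return 0 when the output of `fdesetup status` reports FileVault on.
# On a Mac the command prints a line such as "FileVault is On." or
# "FileVault is Off."
filevault_enabled() {
    case "$1" in
        *"FileVault is On"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the space-separated member list from the output of
# `dscl . -read /Groups/admin GroupMembership`, which looks like:
#   GroupMembership: root alice
admin_members() {
    printf '%s\n' "$1" | sed -n 's/^GroupMembership:[[:space:]]*//p'
}

# Return 0 when user "$2" appears in the admin group output "$1".
is_admin_member() {
    for m in $(admin_members "$1"); do
        if [ "$m" = "$2" ]; then
            return 0
        fi
    done
    return 1
}

# Count administrators other than "$2", ignoring root (which is in the
# group on every Mac but disabled by default). You need at least one
# before demoting your daily account, or nobody can administer the box.
other_admin_count() {
    n=0
    for m in $(admin_members "$1"); do
        if [ "$m" != "$2" ] && [ "$m" != "root" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Live audit of the current machine; a no-op outside macOS.
audit_local() {
    user=$(id -un)
    if ! command -v fdesetup >/dev/null 2>&1 || ! command -v dscl >/dev/null 2>&1; then
        echo "audit_local: fdesetup/dscl not found, not a Mac; skipping live checks"
        return 0
    fi
    fv=$(fdesetup status 2>/dev/null)
    grp=$(dscl . -read /Groups/admin GroupMembership 2>/dev/null)
    if filevault_enabled "$fv"; then
        echo "FileVault: on"
    else
        echo "FileVault: OFF (enable it under System Preferences > Security & Privacy)"
    fi
    if is_admin_member "$grp" "$user"; then
        echo "Account '$user' is an administrator."
        if [ "$(other_admin_count "$grp" "$user")" -gt 0 ]; then
            echo "Another admin exists; after logging in as it, demote '$user' with:"
            echo "  sudo dscl . -delete /Groups/admin GroupMembership $user"
        else
            echo "Create a second administrator account first, then demote '$user'."
        fi
    else
        echo "Account '$user' is a standard user: good."
    fi
}

# Constructed sample output, so the parsing can be seen working anywhere.
SAMPLE_FV="FileVault is Off."
SAMPLE_GRP="GroupMembership: root alice bob"
if is_admin_member "$SAMPLE_GRP" alice; then
    echo "sample: alice is an admin; other admins: $(other_admin_count "$SAMPLE_GRP" alice)"
fi
filevault_enabled "$SAMPLE_FV" || echo "sample: FileVault is off"

audit_local
```

The demotion command shown is the one-liner equivalent of unticking "Allow user to administer this computer" in System Preferences; run it from the second administrator account, not from the account being demoted, and confirm afterwards with `dscl . -read /Groups/admin GroupMembership` that your daily user no longer appears.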


Lawrence Mwangi is a technology and business reporter. He has freelanced for a number of tech sites and magazines. He is a web enthusiast with a special interest in online security, entrepreneurship and innovation. When not writing about tech he can be found on a tennis court or at a chess board.