Apple’s macOS High Sierra has a simple security flaw that lets anyone log into your Mac
A RATHER troubling security flaw has been noticed by Apple users, rendering the password protection on your MacBook or iMac ineffective.
APPLE users have noticed a troubling flaw in the company’s Mac operating system which lets people circumvent password protocols to gain access to the computer.
Raising alarming privacy concerns, it means anyone with physical access to your MacBook or iMac can create a phantom profile that won’t show up on real admin accounts if the machine is running the new High Sierra operating system.
In the device’s System Preferences, under Users & Groups, you can click on the lock and gain system administrator access by simply entering the username “root” and leaving the password blank. After hitting enter a few times it grants access. Once that is done, the trick can be used to log into the computer at any time.
The flaw appears to have been first reported by software developer Lemi Orhan Ergin who tweeted the fault to Apple’s support team this morning.
Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple?
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
You can access it via System Preferences>Users & Groups>Click the lock to make changes. Then use "root" with no password. And try it for several times. Result is unbelievable! pic.twitter.com/m11qrEvECs
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
The flaw has been confirmed by a number of users and reported by various tech publications.
As Forbes points out, while someone needs to have physical access to your computer, the flaw is problematic in certain scenarios. For instance, thieves now have an easy way to get into an Apple computer they’ve stolen, and third parties like law enforcement officials could easily log in to a suspect’s private computer.
Just tested the apple root login bug. You can log in as root even after the machine was rebooted pic.twitter.com/fTHZ7nkcUp
— Amit Serper (@0xAmit) November 28, 2017
Just checked, works, on first try.
— Stupid, Incompetent and Disappointing Minion (@Matticide_) November 28, 2017
This is not good.
Most security flaws are so esoteric that normals like me can't really comprehend them, so I salute Apple for building such an accessible flaw. https://t.co/yAYMpd6duR
— Tom Gara (@tomgara) November 28, 2017
movies with "hacking" would be a lot less thrilling if all you had to do was hit the login button with an empty password a few times
— Ken Tsang (@jxeeno) November 28, 2017
The bug reportedly works for all aspects of the operating system that would normally require a password, meaning someone could also get access to your Apple Keychain which holds all your passwords.
If you want a quick way to protect against the flaw, it’s probably wise to turn off any guest admin account so people can’t enact the password workaround, or change the root password from Directory Utility under Settings > Users & Groups > Login Options.
In a statement issued to news.com.au, an Apple spokesperson said: “Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS.
“When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. The update is available for download, and starting later today (Thursday AEST) it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.
“We greatly regret this error and we apologise to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.”