Turkish developer Lemi Orhan Ergin has uncovered a major security flaw in macOS High Sierra, which lets anyone get full admin access without a password. Ergin did not report this vulnerability to Apple first, but rather just tweeted it out after discovering it, which means everybody is at risk once word spreads.
We can confirm the bug is present in macOS 10.13.1 and for anyone with a Mac in a public office space, you are urged to fix this by yourself, immediately.
Essentially, the bug allows someone to either login to your Mac or unlock System Preferences by using the user name “root” and a blank password. We tested this bug on our Macbook Pro and yep—we were able to gain access to our machine after clicking “Unlock” after a couple of tries.
You can test this yourself:
1. Open System Preferences > Users & Groups > click the lock icon in the bottom left corner
2. Enter the user name ‘root’, click on the password field and leave it blank, then click ‘Unlock’. Try this 1-3 times and voila—It will accept and boom, full system access.
Here’s a video of the flaw in action:
— patrick wardle (@patrickwardle) November 28, 2017
What makes this flaw so dangerous is people are reporting it also allows for full keychain access and any login where a user name and password is required, even via remote access via OS X screenshare. If you want to protect yourself, physically keep your Mac on lockdown for now, until Apple releases a software update, which we expect will come out in the next 24-48 hours due to the severity of this bug.
The workaround right now according to the Twitterverse, is to set a root user password. Here’s how to do it on your Mac right now…
On your system, launch Finder and navigate to:
System > Library > CoreServices > Applications > Directory Utility
Click the lock in the bottom left corner to unlock, then go to Edit (in the menu on your Mac) and ‘Change Root Password’. You’ll be prompted to change the root password, so enter something you’ll remember and click OK:
Note that disabling the root user does not fix this, as you’ll still be able to bypass it. Changing the root password is the workaround for now.
Let us know how it goes for you, and stay tuned for Apple’s macOS update soon…
Update: An Apple spokesperson told MacRumors the following statement:
“We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.”
[via The Register]