macOS High Sierra Security Flaw Allows Admin Access Without a Password [Update: Apple Working on a Fix]


Having a username and password on your computer is meant to secure it, but that’s not always the case.

A bug discovered within the most current version of macOS High Sierra (10.13.1) allows for full admin access without the requirement of a password. The security flaw was discovered by developer Lemi Ergin, and it will let anyone log into an open Mac by opening System Preferences, navigating to Users & Groups, then inputting “root” in the username. There doesn’t need to be a password inserted into the “Password” field to allow unlocked access.

It will apparently also provide access to a locked Mac via the login screen.

To replicate the security flaw, as put together by MacRumors, follow these steps:

1. Open System Preferences
2. Choose Users & Groups
3. Click the lock to make changes
4. Type “root” in the username field
5. Move the mouse to the Password field and click there, but leave it blank
6. Click unlock, and it should allow you full access to add a new administrator account.

If the security issue has been activated within System Preferences, via the method above, then it can also be used at the login screen of a locked Mac. At that screen, a user can simply click on “Other” and then enter the “root” username. No password is needed to access the machine at that point.

As noted in the original report, this bug is present in the current, public version of macOS High Sierra. It appears to also be present in the current developer beta of macOS High Sierra 10.13.2, the upcoming software update for the desktop operating system.

As it stands, Apple has not made a comment about the security flaw. It is likely that they will be patching it as quickly as they can, however, now that it is widely known.

To stop this from being a possibility, at least until Apple fixes it directly, you need to create a root account with a password. You can learn how to do that right here.

Update:

Apple has acknowledged the critical security flaw and has said that they are working on a fix.

“We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.”

[via MacRumors; @lemiorhan]
