Back
Register for SMS Alerts
or enter your details manually below...
First Name:
Last Name:
Email:
Password:
Hometown:
Birthday:
Sorry, we couldn't find that email.
Existing users
Email
Password
Sorry, we couldn't find those details.
Enter Email
Sorry, we couldn't find that email.

[WATCH] MacOS High Sierra bug allows access to Mac without a password

A 'huge security issue' has been found in the latest version of MacOS, allowing users to unlock the computer without a password

29 November 2017, 12:06pm
(Photo: Lynda)
(Photo: Lynda)
A security flaw found in the latest version of Apple’s macOS High Sierra allows anyone to access locked settings on a Mac using the user name “root” and no password, subsequently unlocking the computer.

The flaw, discovered a couple of weeks ago and disclosed in an Apple developer support forum, has been shown to work within the software’s user preferences screen, amongst other locations.

Once triggered, the same combination will also bypass the lock screen of Macs running Apple’s latest operating system, High Sierra.

Turkish software developer, Lemi Orhan Ergin, publicised the flaw on Twitter, calling the bug a “huge security issue”:

Apple said it was “working on a software update to address this issue” and advised users to set a root password, to prevent unauthorised access to Mac computers.

The bug does not appear to affect previous versions of MacOS, including Sierra, El Capitan or any older versions.

It can reportedly be exploited on an unlocked Mac, bypassing security settings and allowing things such as File Vault encryption and the firewall to be turned off. It can also be exploited at the login screen of a locked Mac, even after a reboot, if the bug has been used before, and in some cases remotely, if a user has screen sharing enabled.

The security flaw was originally detailed as a solution to a user login problem on Apple’s developer support forum. A developer called Chethan Kamath, writing under the username chethan177, wrote on 13 November:

“On startup, click on “Other”. Enter username: root and leave the password empty. Press enter. (Try twice). If you’re able to log in (hurray, you’re the admin now).”

The solution was then followed by exclaims of surprise that Apple’s software permitted such an action.

CoyoteDen said: “Oh my god that should not work, but it does. This is really REALLY bad. Some bug in authentication is ENABLING root with no password the first time it fails!”

Security experts warned that the security hole was both embarrassing for the company and dangerous, allowing anyone with physical access – and in some instances remote access – to a Mac computer to gain full access to user data.

Edward Snowden remarked on the bug, saying: “Imagine a locked door, but if you just keep trying the handle, it says “oh well” and lets you in without a key.”

Experts also warn against trying out the bug for yourself, as once enabled the flaw can then be more easily exploited even on a locked Mac.

“By testing this vulnerability on your own computer, you’ll end up creating (or modifying) a persistent root user account on your system. The danger here is that, by creating such an account, it will affect remotely accessible services such as Remote Desktop,” Keith Hoodlet, a security engineer at Bugcrowd said.

DealToday
Latest Business News
Business Comment 12-12
US stock markets, Apple’s new acquisition and a good time for Tesla
Technology 12-12
Chamath Palihapitiya, former social media giant executive feels guilt over his work on 'tools that are ripping apart the social fabric o...
Business News 12-12
'Apple Music and Shazam are a natural fit, sharing a passion for music discovery and delivering great music experiences to our users,...
Business Comment 11-12
Economic Data, Brexit and Bitcoin Futures
Business News 08-12
A proposed €500 million merger of telcos Melita and Vodafone will not go ahead after the companies say they are unable to meet competit...