[WATCH] MacOS High Sierra bug allows access to Mac without a password

If certain sharing services enabled on target - this attack appears to work 💯 remote 🙈💀☠️ (the login attempt enables/creates the root account with blank pw) Oh Apple 🍎😷🤒🤕 pic.twitter.com/lbhzWZLk4v

— patrick wardle (@patrickwardle) November 28, 2017

A security flaw found in the latest version of Apple’s macOS High Sierra allows anyone to access locked settings on a Mac using the user name “root” and no password, subsequently unlocking the computer.

The flaw, discovered a couple of weeks ago and disclosed in an Apple developer support forum, has been shown to work within the software’s user preferences screen, amongst other locations.

Once triggered, the same combination will also bypass the lock screen of Macs running Apple’s latest operating system, High Sierra.

Turkish software developer, Lemi Orhan Ergin, publicised the flaw on Twitter, calling the bug a “huge security issue”:

Apple said it was “working on a software update to address this issue” and advised users to set a root password, to prevent unauthorised access to Mac computers.

The bug does not appear to affect previous versions of MacOS, including Sierra, El Capitan or any older versions.

It can reportedly be exploited on an unlocked Mac, bypassing security settings and allowing things such as File Vault encryption and the firewall to be turned off. It can also be exploited at the login screen of a locked Mac, even after a reboot, if the bug has been used before, and in some cases remotely, if a user has screen sharing enabled.

The security flaw was originally detailed as a solution to a user login problem on Apple’s developer support forum. A developer called Chethan Kamath, writing under the username chethan177, wrote on 13 November:

Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple?

— Lemi Orhan Ergin (@lemiorhan) November 28, 2017

“On startup, click on “Other”. Enter username: root and leave the password empty. Press enter. (Try twice). If you’re able to log in (hurray, you’re the admin now).”

The solution was then followed by exclaims of surprise that Apple’s software permitted such an action.

CoyoteDen said: “Oh my god that should not work, but it does. This is really REALLY bad. Some bug in authentication is ENABLING root with no password the first time it fails!”

Security experts warned that the security hole was both embarrassing for the company and dangerous, allowing anyone with physical access – and in some instances remote access – to a Mac computer to gain full access to user data.

Edward Snowden remarked on the bug, saying: “Imagine a locked door, but if you just keep trying the handle, it says “oh well” and lets you in without a key.”

Experts also warn against trying out the bug for yourself, as once enabled the flaw can then be more easily exploited even on a locked Mac.

“By testing this vulnerability on your own computer, you’ll end up creating (or modifying) a persistent root user account on your system. The danger here is that, by creating such an account, it will affect remotely accessible services such as Remote Desktop,” Keith Hoodlet, a security engineer at Bugcrowd said.