Apple left a major security flaw in macOS High Sierra that gives full administrator access to anyone with physical access to a Mac without even entering a password. On Tuesday, the company confirmed that it is working on a software update to fix the vulnerability.
MacOS High Sierra security flaw – no password needed
The bug could pose a threat to businesses and organizations that deploy macOS High Sierra. Any user with a limited, non-administrator account can use the vulnerability to log in to the system and obtain full administrator privileges.
Speaking to BuzzFeed News, Amit Serper, a security researcher from the software company Cybereason, said that the macOS High Sierra security flaw is as “bad as it sounds,” and enables anyone to gain access to the machine, even remotely. Further, the expert noted that Apple could have avoided the issue originally by setting a random password on the root user.
Just tested the apple root login bug. You can log in as root even after the machine was rebooted pic.twitter.com/fTHZ7nkcUp
— Amit Serper (@0xAmit) November 28, 2017
The macOS High Sierra security flaw was reported by a software engineer, Lemi Orhan Ergin, who posted about it on Twitter. The bug can be triggered through a few simple steps in the preferences menu. The complete details of how it works have not been published for security reasons, but staff tests have confirmed that the flaw gives easy access to the system, according to AppleInsider.
Ergin, however, found himself at the receiving end of criticism for not disclosing the issue responsibly, in line with the usual guidelines observed by security professionals. Under those guidelines, security researchers should notify the vendor about a vulnerability first and give it some time to fix the issue before going public.
A temporary fix available
Apple was quick to acknowledge the issue.
“We are working on a software update to address this issue,” the Cupertino California-based company said in a statement.
Apple also released step-by-step instructions to ensure that customers can protect their system in the meantime.
“In the meantime, setting a root password prevents unauthorized access to your Mac … If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section,” the iPhone maker said.
The user just needs to open System Preferences, select Users & Groups, and then click the lock to make changes. Thereafter, the user needs to enter an administrator name and password and click Login Options. Once done, there is a “Join” button at the bottom that leads to the next window, “Open Directory Utility.”
The user then needs to click the lock and enter their name and password to make changes. Then, from the menu bar at the top, choose “Edit” and select “Enable Root User.” Enter a password for the root user account, which then prevents logging in with a blank password.
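As an added defender-side check (not from the article or from Apple), the following shell script classifies the root account's Open Directory `AuthenticationAuthority` attribute so a fleet or compliance script can flag Macs where root has no password set. It assumes that disabling root via `dsenableroot -d` tags the attribute with `;DisabledUser;`, that an account with a password carries `;ShadowHash;`, and that an account with no password at all has no attribute (the state the blank-password login relied on).

```shell
#!/bin/sh
# Classify the text printed by `dscl . -read /Users/root AuthenticationAuthority`
# (or an empty string when the attribute is absent). Prints one of:
#   disabled - ";DisabledUser;" tag present, root cannot log in (expected state)
#   enabled  - a ShadowHash is present and root is not tagged disabled; verify the
#              password is not blank, as Apple's guidance says
#   unset    - no AuthenticationAuthority at all: no root password has ever been set
classify_root_auth() {
    auth="$1"
    case "$auth" in
        *";DisabledUser;"*) echo "disabled" ;;
        *";ShadowHash;"*)   echo "enabled" ;;
        *)                  echo "unset" ;;
    esac
}

# Map the classification to an exit code for use from a compliance or EDR script:
# 0 = root disabled, 1 = root enabled with a password, 2 = no password set at all.
root_auth_status() {
    case "$(classify_root_auth "$1")" in
        disabled) return 0 ;;
        enabled)  return 1 ;;
        *)        return 2 ;;
    esac
}

# On a Mac, read the live value. dscl reports a missing attribute on stderr and
# a non-zero exit status, which is treated as the "unset" case (assumption).
check_live_root() {
    live="$(dscl . -read /Users/root AuthenticationAuthority 2>/dev/null || true)"
    root_auth_status "$live"
}

# Constructed sample values (not captured from a real system) for offline use.
SAMPLE_DISABLED='AuthenticationAuthority: ;DisabledUser;;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'
SAMPLE_ENABLED='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'
SAMPLE_UNSET=''
```

Run `check_live_root` on the Mac itself; the sample values exist only so the classifier can be exercised on any system.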
Meanwhile, Apple has released the fifth beta of the upcoming macOS High Sierra 10.13.2 update to developers, just days after the fourth beta and almost a month after releasing the macOS High Sierra 10.13.1 update. The latest beta can be downloaded from the Apple Developer Center or through the software update mechanism in the Mac App Store.