Horrifying macOS Bug Lets Anyone Become Admin With No Password


A "root" login bug in macOS High Sierra lets anyone become an administrator with no password. The root account on your device is a superuser, with the ability to read and write files all across the system. To trigger the bug, all you need to do is enter "root" in the username field, leave the password blank, and hit Enter a few times. Those running previous versions of macOS, including Sierra and Yosemite, do not appear to be affected by the bug.

The bug was reported by Lemi Orhan Ergin, who reached out to Apple over Twitter.

So far as we can tell, you need access to an already logged-in account in order to trigger it.

Until Apple releases a new version of the software or patches the flaw, users can fix the issue by assigning their own password to the root account.

The vulnerability does not always work on the first attempt, but simply continuing to click the "Unlock" button with "root" entered as the username and no password provided will eventually unlock the machine. macOS users may want to mitigate the issue themselves by assigning a root password or disabling the root account in System Preferences > Users & Groups on their Mac.


Users can click the Login Options button, then select the Join Network Account Server option. That said, this isn't good for macOS users and it looks bad for Apple. Edward Snowden, a key voice in the information security community after being the center of many years of National Security Agency leaks, commented on the disclosure. "In the meantime, setting a root password prevents unauthorized access to your Mac."

Now click Edit > Enable Root User in the menu bar.

Currently, there is no official fix from Apple regarding the issue.

Once a password has been set for the "root" account, the flaw that allows a person to log in as "root" with no password will no longer work.
