Recently discovered MacOS High Sierra bug puts Apple laptops running the latest OS, version 10.13.1, at risk of being infiltrated without the need for a password.

Apple has once again taken the spotlight. No, not for a new product launch. And no, not because the ‘A’ character is still confused.

Instead, Apple is scrutinized for a MacOS High Sierra bug that enables anyone to gain root access without a password to Mac laptops running High Sierra. On Tuesday, security researchers disclosed the rather rudimentary security flow that enables unprotected access.

As you can see, it’s not just plain access to the laptop. It’s ROOT ACCESS. Usually, this access is exclusive only to the administrator or owner of the device. This is because it provides privileges that allow modification of the computer system at all levels such as granting or revoking access permissions. This means absolute power over the device.

A person would need physical access to the computer to gain root access. So, if you own a Mac with the latest High Sierra OS installed, you better not leave your device unattended.

@Apple in hot water after the #macOS #HighSierra bug exposure! #SecurityClick To Tweet

To make matters worse, any malware designed to exploit the vulnerability could install itself deep within the computer undetected.

“We always see malware trying to escalate privileges and get root access. This is [the] best, easiest way ever to get root, and Apple has handed it to them on a silver platter,” Patrick Wardle, Director of Research at Synack said.

How the MacOS High Sierra Bug Works

On Tuesday, Turkish software developer Lemi Orhan Ergin revealed the said MacOS High Sierra bug through a public tweet calling the attention of Apple Support.

“Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as “root” with empty password after clicking on login button several times. Are you aware of it @Apple?,” Ergin tweeted.

The initial tweet was later on followed by another one exposing how the ‘root’ could be bypassed.

“You can access it via System Preferences>Users & Groups>Click the lock to make changes. Then use “root” with no password. And try it for several times. Result is unbelievable!”

The bypass works by inputting the word root in the username field of the login window when accessing User & Groups under the System Preferences, leaving the password empty before hitting the enter button or clicking the ‘unlock’ button at least twice. As news about the MacOS High Sierra bug quickly circulated online, other security experts tried the bypass themselves. Wardle tweeted a short clip of how it works.

Wardle argues that such flow could have been caught earlier if Apple offered a bug bounty like all other tech companies. He said:

“A bug bounty program is a no-brainer. Maybe this is something that will encourage them to go down that path. It’s crazy these kinds of bugs keep blowing up. I don’t know if I should laugh or cry.”

The Temporary Fix

Apple has already acknowledged the issue, and according to the company, they are already working on a fix that will come in a software update soon. In the meantime, Apple has offered a temporary fix to the MacOS High Sierra bug.

“In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section,” Apple said in a statement to The Independent.

Enable or disable the root user

  1. Choose Apple menu> System Preferences, then click Users & Groups (or Accounts).
  2. Click, then enter an administrator name and password.
  3. Click Login Options.
  4. Click Join (or Edit).
  5. Click Open Directory Utility.
  6. Click on the Directory Utility window, then enter an administrator name and password.
  7. From the menu bar in Directory Utility:
  • Choose Edit > Enable Root User, then enter the password that you want to use for the root user.
  • Or choose Edit > Disable Root User.

Change the root password

  1. Choose Apple menu > System Preferences, then click Users & Groups (or Accounts).
  2. Click, then enter an administrator name and password.
  3. Click Login Options.
  4. Click Join (or Edit).
  5. Click Open Directory Utility.
  6. Click on the Directory Utility window, then enter an administrator name and password.
  7. From the menu bar in Directory Utility, choose Edit > Change Root Password…
  8. Enter a root password when prompted.

What can you say about this latest Apple issue? Let us know in the comment section below!

banner ad to seo services page