Apple is at the center of yet another controversy, about two weeks after hackers' claim to have bypassed face identification on the iPhone X turned out to be true. This time it is a bug in macOS High Sierra that can allow anyone to obtain administrator access to a Mac. To make matters worse, once this access has been granted, an attacker can log in to the secured device at any time.
Discovered by software engineer Lemi Orhan Ergin, this flaw is a potential threat. The bug allows anyone, with no technical skill, to create an anonymous account that can log in to the Mac with administrator access but will not show on the actual admin account.
Once this phantom account has been generated, a user only needs to type ‘root’ as the username, leave the password field blank and press Enter to get into the account. This is serious even though an attacker needs an unlocked device to carry out these steps.
Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple?
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
You can access it via System Preferences>Users & Groups>Click the lock to make changes. Then use "root" with no password. And try it for several times. Result is unbelievable! pic.twitter.com/m11qrEvECs
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
The macOS High Sierra vulnerability can also be exploited on a remote device if screen sharing is turned on.
https://twitter.com/bambenek/status/935628229779566592
Users who have not disabled their guest user account or changed their passwords are more likely to be exposed to this loophole. Yesterday, Apple published solutions for the bug in macOS High Sierra.
Here is how to fix the macOS High Sierra bug:
Enable or disable the root user
- Choose Apple Menu > System Preferences, then click on Users & Groups (or Accounts).
- Click the lock icon, then enter an admin name and password.
- Click Login Options.
- Click Join (or Edit).
- Click Open Directory Utility.
- Click the lock icon in the Directory Utility window, then enter an administrator name and password.
- From the menu bar in the Directory Utility:
  - Choose Edit > Enable Root User, then enter the password that you want to use for the root user.
  - Or choose Edit > Disable Root User.
Disable guest user on macOS High Sierra
- Launch System Preferences.
- Select Users & Groups.
- Select Guest User.
- Disable Allow guests to log in to this device.
Login as the root user
After enabling the root user, you have root privileges only while you are logged in as the root user.
- Choose Apple Menu > Log Out to log out of your current user account.
- At the login window, log in with the user name ‘root’ and the password you created for the root user. (If the login window is a list of users, click on Other, then log in.)
After completing the task, do remember to disable the root user.
Change the root password
- Choose Apple Menu > System Preferences, then click Users & Groups (Or Accounts).
- Click the lock icon, then type in an administrator name and password.
- Click Login Options.
- Then click Join (or Edit).
- Click Open Directory Utility.
- Click the lock icon in the Directory Utility window, then enter an administrator name and password.
- From the menu bar in Directory Utility window, enter an administrator name and password.
- From the menu bar in Directory Utility, choose Edit > Change Root password.
- Enter a root password when prompted.
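A read-only command-line check of the two settings the procedures above change (root user and guest login), as an added example that is not from the original article or from Apple. It assumes `dscl . -read /Users/root Password` prints `Password: *` for a disabled root account and that `defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled` prints 1 or 0; the function names and sample outputs are constructed.

```shell
#!/bin/sh
# Read-only audit of the root user and guest login settings (added example).
# It never attempts a login as root: per the report above, repeated login
# attempts with a blank password are what create the account.

# Classify root from the output of: dscl . -read /Users/root Password
# Assumption: a disabled root account carries the literal marker "*".
root_state() {
    case "$1" in
        "Password: *") echo disabled ;;   # quoted, so "*" is literal
        "Password: "*) echo enabled ;;    # any other stored value
        *)             echo unknown ;;    # missing key or dscl error
    esac
}

# Classify guest login from the output of:
#   defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled
guest_state() {
    case "$1" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;                # key absent: check the GUI instead
    esac
}

# Print one finding line; succeed only when both are confirmed disabled.
audit() {
    r=$(root_state "$1")
    g=$(guest_state "$2")
    echo "root=$r guest=$g"
    [ "$r" = disabled ] && [ "$g" = disabled ]
}

if command -v dscl >/dev/null 2>&1; then
    # On a Mac: query the live directory service and login window settings.
    root_out=$(dscl . -read /Users/root Password 2>/dev/null || true)
    guest_out=$(defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled 2>/dev/null || true)
    audit "$root_out" "$guest_out" || echo "ACTION: review root and guest settings"
else
    # Elsewhere: constructed sample outputs, labelled as such.
    audit "Password: ********" "1" || echo "ACTION (sample): review root and guest settings"
    audit "Password: *" "0" && echo "OK (sample): root and guest disabled"
fi
```

If the check reports root=enabled and you did not enable the root user yourself, change the root password and then disable the root user with the steps above.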
We hope Apple does not face another bug in the upcoming weeks or so.