Huge Security Flaw Found in macOS

Share

If you're using Apple's latest macOS High Sierra, you'll want to be wary of giving people access to your computer. The trick gave you system administration access to the computer, allowing you to mess around with other accounts and settings.

The security flaw was originally detailed as a solution to a user login problem on Apple's developer support forum. Apple released a security memo about the flaw along with a new statement, saying, "Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS". That quick reaction time is reassuring, much as I'm sure many developers, testers, and deployment teams at Apple had a truly terrible day yesterday.

The flaw, uncovered on Tuesday, lets anyone gain admin rights on a macOS machine by typing "root" as the username in the authentication dialogue box, leaving the password fielding blank and clicking on the "unlock" button twice. Wardle believes that this bug could be used by an attacker in a multistage attack.

It also issued guidance for mac users running High Sierra, advising them to set s password for the root user.

From the menu bar in Directory Utility, choose Edit, then Change Root Password.

Steve Troughton-Smith, a Mac software developer posted on Twitter, "A password prompt that authenticates as root with an empty password would be a black eye for any OS".

Forbes writer Thomas Fox-Brewster wrote yesterday that the bug "may go down as one of the most embarrassing vulnerabilities in Apple history". Are you aware of it @Apple?' Then press enter. Sometimes several presses of enter are required, but the outcome is the same - you are logged into the Mac's "root" account, which has full administrator privilege.

A software glitch with the potential security risk has been reportedly discovered in the latest version of Apple macOS. When that happens, "Make sure to update your Macs and MacBooks at your earliest opportunity after it is released", he added.

Dear @AppleSupport please immediately close the vulnerability in "High Sierra".

Share