There issues to be a dangerous bug in macOS High Sierra that permits the root superuser on a Mac with a blank password and no security check.
The flaw found by developer Lemi Ergin, allows anyone log into an admin account using the username “root” with no password. This works when essaying to access an administrator’s account on an unlocked Mac, and it also implements access to the login screen of a locked Mac.
Read also:-Mirai Botnet Variant Found Targeting ZyXEL Devices In Argentina
To replicate, follow these steps from any kind of Mac account, admin or guest:
1. Open System Preferences
2. Choose Users & Groups
3. Click the lock to make changes
4. Type “root” in the username field
5. Move the mouse to the Password field and click there, but leave it blank
6. Click unlock and it should allow you full access to add a new administrator account.
At the login screen, you can also use the root trick to gain access to a Mac after the feature has been enabled in System Preferences. By the login screen click “Another,” and then enter “root” again with no password.
This allows for admin-level access directly from the locked login screen, with the accountable to see everything on the computer.
It resembles that this bug is already in the current version of macOS High Sierra, 10.13.1, and the macOS 10.13.2 beta that is in testing at the consequence. It’s not clear how such a significant bug got past Apple, but it’s likely this is something that the company will immediately address.
How to fix?
Till the problem is fixed, you can enable a root account with a password to prevent the bug from working. We have a full how-to with a full rundown of the steps available here.
Update 1 : An Apple spokesperson explained MacRumors that a fix is in the works:“We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.”
Update 2: Apple released a security update to address the vulnerability on Wednesday morning. The update can be downloaded on all machines running macOS 10.3.1 using the Software Update mechanism in the Mac App Store. Apple says it will automatically push out the update to all users who have not installed it later in the day.
In a declaration granted to MacRumors, Apple said the company’s engineers worked on a fix as soon as the problem was found. Apple also apologized for the vulnerability and said its development process is being audited to prevent something comparable from occurring in the future.
Read also:-Uber paid hackers $100,000 to keep data breach a secret
Security is a top priority for every Apple product, and regrettably, we stumbled with this release of macOS.
When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. That morning as of 8 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.
All users should download the new security update immediately.