This security flaw allows anybody with physical access to a Mac to gain system administrator access without even entering a password.
Yesterday (28 November), developer Lemi Orhan Ergin made details public on Twitter of a serious bug in macOS High Sierra that enables the root superuser account with a blank password and without any security check.
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
Anyone can log into an admin account using the username ‘root’ without a password. According to MacRumors, this works when attempting to access an administrator’s account on an unlocked Mac and also allows access at the login screen of a Mac when it is locked.
According to The Verge, it is not yet apparent whether the issue was reported to Apple before it was publicly disclosed. The issue is still present in macOS 10.13.1, so if your system is up to date, your machine is likely to be affected.
A major security flaw
This vulnerability gives anyone access to all files and folders on a machine and lets them change passwords. Your Apple ID can also be changed or removed if it is linked to the computer itself.
Apple has stated that it is working on a fix for the major flaw, but hasn’t yet set a release timeframe for it. The large scale of the flaw means that Apple will be working flat out to remedy this issue, as there are numerous ways someone could take advantage of the bug to steal information and wreak general havoc on a victim’s machine.
In the meantime, the company is telling users to enable the root user and set a root password, if they haven’t already done so. Doing so blocks the blank-password login and should protect users until the problem has been solved in a future software update.
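The following script is an added example and is not part of the article or Apple's guidance. It checks whether the local root account has a real password hash and, on an affected High Sierra version, points to the mitigation above. `dscl`, `sw_vers`, `passwd` and `dsenableroot` are real macOS tools; the assumption is that root's `AuthenticationAuthority` attribute contains `;DisabledUser;` when the account is disabled and `;ShadowHash;` when a password hash is stored, and that a missing attribute means the account is disabled. `ADMIN_USER`, `ADMIN_PASSWORD` and `NEW_ROOT_PASSWORD` are placeholders.

```shell
#!/bin/sh
# Added example, not the article's or Apple's code.
# Assumption: dscl . -read /Users/root AuthenticationAuthority yields a value
# containing ";DisabledUser;" when root is disabled and ";ShadowHash;" when a
# password hash is set; an empty/absent attribute is treated as disabled.

# Classify a raw AuthenticationAuthority value. Prints one of:
#   disabled - root has no usable password (the state the bug abuses)
#   enabled  - a password hash is stored for root
#   unknown  - anything else (e.g. a network authentication authority)
classify_root_aa() {
    aa="$1"
    case "$aa" in
        "")              echo disabled ;;
        *DisabledUser*)  echo disabled ;;
        *ShadowHash*)    echo enabled ;;
        *)               echo unknown ;;
    esac
}

# Succeed (exit 0) if the version string is in the 10.13 (High Sierra) line,
# which the article reports as affected on 10.13.1.
is_high_sierra() {
    case "$1" in
        10.13|10.13.*) return 0 ;;
        *)             return 1 ;;
    esac
}

# Read root's AuthenticationAuthority from the local Open Directory node.
# Fails quietly (empty output) if the attribute or the tool is absent.
read_root_aa() {
    dscl . -read /Users/root AuthenticationAuthority 2>/dev/null || true
}

if [ "$(uname -s)" = "Darwin" ]; then
    ver="$(sw_vers -productVersion)"
    status="$(classify_root_aa "$(read_root_aa)")"
    echo "macOS $ver, root account: $status"
    if [ "$status" = "disabled" ] && is_high_sierra "$ver"; then
        echo "Mitigation: set a root password, e.g. 'sudo passwd root' (interactive)."
        # Non-interactive alternative (placeholders, not real credentials):
        #   dsenableroot -u ADMIN_USER -p ADMIN_PASSWORD -r NEW_ROOT_PASSWORD
    fi
else
    echo "Not macOS: classify_root_aa/is_high_sierra can still be run on sample values."
fi
```

Run it with `sh check_root.sh` on the Mac in question; the classification is deliberately split out so the parsing can be checked on constructed attribute strings without touching Open Directory.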
Many Mac users have been discussing the flaw on Twitter and the general consensus seems to be confusion as to how such a gaping OS flaw went undetected during the development and testing period of High Sierra.
Ohhh so (as others have said) click #1 -for whatever freaking reason- enables the root account with a blank pw (or whatever you entered) and then on click #2, logs you in/auths pic.twitter.com/Dhe6pGAh8f
— patrick wardle (@patrickwardle) November 28, 2017