macOS High Sierra security flaw gives anyone full admin access – no password needed
A Turkish software developer has publicly revealed via Twitter that he has uncovered a massive security bug in macOS High Sierra, Apple’s latest operating system.
The flaw grants anyone using a Mac machine admin access by just clicking ‘other’ on the login screen and using ‘root’ as the username, no password needed.
Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as “root” with empty password after clicking on login button several times. Are you aware of it @Apple?November 28, 2017
In fact, access to the computer can also be achieved using the username ‘root’ via System Preferences where, to change essential settings on locked Mac devices, users would normally need to enter their login details.
This bug seems to present in macOS High Sierra 10.13.1 – the current version – as well as in the macOS 10.13.2 beta, but does not affect older versions of macOS, like Sierra or El Capitan.
This doesn’t bode well for users on the latest release of macOS – leaving a Mac unattended could make anyone system administrator without any authentication, even when accessed remotely, revealing sensitive information.
Apple has confirmed that it is aware of the bug and is “working on a software update to address the issue.” The Cupertino-based giant released a statement describing how users can, in the meantime, temporarily fix the vulnerability by enabling the root user with a password.